One of the best things about my job is that I regularly get to talk with leading thinkers on security, both inside and outside of the utility industry. And the more I speak to them, the more convinced I become that cybersecurity can’t be fixed with tools and technology solutions alone.
What these great thinkers recognize is that cyber is just one vector, albeit an easy one, that an attacker can use to achieve their goals. Other vectors include insider threat, supply chain or kinetic attacks, and that’s just from one actor (e.g., a nation-state). These thinkers are looking toward a future where transmission and distribution utilities have an “Intelligent Security” strategy: one that is driven by an understanding of an adversary’s capabilities, harnesses innovation in security thinking, and includes resilience in the design of all systems.
How can T&D utilities accomplish this? In my view, first base for an Intelligent Security strategy is a holistic view of the threats an organization faces. This was brought home to me recently, when an executive from a major utility shared the thought that insider threat will be the next “cyber.” Most T&D utilities hardly think about insider threat at the moment. This executive said they should.
She added that insider threat isn’t a cyber or technology problem, but a human problem to which technology can be applied. While some technologists talk about user entity behavior analytics (UEBA) or identity and access management (IAM) tools as the bedrock of any insider program, she thought insider threat was broader than just tools.
And she’s right. Addressing insider threat is about many things: privacy, fraud detection, investigation, behavioral change and more. UEBA tools are just a means to identify and protect against the insider once they’re active, rather than a way to spot them before they start.
Applying the same holistic perspective, it’s clear that cybersecurity isn’t just about tools either. It’s about designing a more resilient IT and OT environment: one that makes sure your technology, people, assets and processes are secure, and can continue to deliver service despite a loss of data or technology.
So, given all this, how can T&D utilities make their systems more secure and resilient? Well, for one thing, technologists should continue to look at how to design technology systems more securely. This means considering:
- Moving to the cloud, where the cyber expert-per-dollar ratio is most favorable, and your data will be more secure.
- Utilizing blockchain technology and immutable logs to track who is accessing what data.
- Mapping where data is going and understanding where data is leaking.
- Understanding how your systems and processes will perform during major disruptions such as catastrophic power outages from major weather events and cyber or physical attacks or loss of technology—and planning around those outcomes.
- Designing resilience into all your systems.
As well as taking steps like these, forward-thinking utilities are starting to look beyond compliance and think about capability. This means understanding who may want to get into their systems and why, and then crafting cost-effective strategies to improve security and resilience. The most advanced organizations are then integrating these insights into an Intelligent Security capability that enables them to understand what game is being played, create capabilities to identify an attack, design security and resilience into their systems while adding value, and improve their ability to respond to all threats.
The message is clear: any rethink of security in utilities can’t afford to focus on just one or two threats, but must look at all of them. That’s why leaders in the security domain are adapting their philosophy beyond guns, walls and cameras to advanced, multi-spectral detection. And rather than settling for security solutions that add no other value (and in many cases no real security), they are finding solutions that support asset management and work process improvements while, at the same time, improving security.
One final thought. As I mentioned in my previous blog, the key to better security, resilience and service is breaking down the silos between business units. Today, technology moves seamlessly across the entire enterprise; addressing insider threats requires a team of people; and maintaining security and resilience requires security professionals, engineers, operators, technologists and others to work together. Taken as a whole, these factors mean the solution isn’t a tool or technology. Neither is it a better-designed piece of switchgear. Rather, what’s needed is a team-based approach that focuses on four outcomes: reliability, resilience, safety and security.
So, when it comes to security, don’t think tools. Think holistically and collectively.