Accenture’s 2018 State of Cyber Resilience survey findings are in and, for utilities, the findings are a mixed bag. On the bright side: utilities are getting better at cybersecurity, with a 42 percent increase in cyber capabilities. Less upbeat: there is still a lot of room for improvement, especially when it comes to risk management (cited as a gap by 45 percent), cyber threat analytics (44 percent), incident response (41 percent) and threat intelligence (38 percent).
And the really bad news? The traditional role of cybersecurity—protecting IT networks and applications—is only part of the security challenge. After all, IT isn’t the only technology at risk. The real “crown jewels” can be found within utilities’ operational technology, the geospatial information and industrial control systems that power your core business, your grid.
With a growing number of actors seeking to disrupt this critical infrastructure, security is no longer a matter of implementing a firewall or completing a compliance checklist. Every point of entry—from the supply chain to HR and the distributed infrastructure that supports operations—is a potential vulnerability.
Illustrating the threats
Imagine a global utility executive—let’s call him Jorg—who’s a consummate technologist and leading thinker in the cyber world. Jorg works in a very regulatory-focused company that has developed a strong cybersecurity program and is actively evolving its insider threat initiative. Quite naturally, the organization has developed a cultural bias that cyber is a technology problem and therefore should be handled by technologists alone. Which puts Jorg and his utility in very good company across all industries.
Trouble is, Jorg and his company are failing to achieve enterprise awareness of the human aspects of this “technology” problem. What’s more, this company hasn’t understood which side it is on in the global conflict over financial, critical infrastructure and national security. Consequently, the firm inadvertently made two crucial, and all too common, errors:
Outsourcing part of its IT to a provider based in a country that has an adversarial relationship with the country it serves. This outsourcing arrangement gave this other nation direct, “trusted” access to servers powering utility operations.
Electing a senior executive from a competitive, economic power. When this executive fell under the influence of his home country’s security service, he began providing them with access to restricted company systems.
Two foreign powers were given trusted, insider access behind the firewall. In other words, the company twice admitted the modern version of the Trojan Horse—despite having some of the best technology defenses.
Sound like a farfetched movie plot? It’s not. These are very timely examples of the threats utilities could now face. You might have the best technological threat intelligence on a nation’s cyber capabilities. But if you’re hiring people from that nation into your technology or operational team—or sourcing sensitive technology through that country—you may be securing the front door but leaving the back door wide open.
Shifting from cyber to intelligent grid security
Given these realities, it’s critical to change how utilities view and manage security. These five areas highlight what it takes to shift from cybersecurity to intelligent security:
Rethink security, risk and funding. Share accountability across functions and departments, and break down silos through integrated risk, asset and investment processes. Elevate cyber risk so that it’s prioritized alongside safety, reliability, reputational and financial risk.
Choose sides. Start “seeing” things the way nations’ intelligence agencies do. When you understand geopolitics in utilities, you can accurately identify who wants access to your systems and their capabilities. Only then can you design an effective defense.
Understand supply chain risk. Manufacturers can embed vulnerabilities into the chips or components of complex systems. You must be able to trust your supply chain—and not just outsource the risk—for critical assets.
Build threat intelligence. With humans causing most cyber attacks globally, they represent your biggest risk. That’s true whether they work (or worked) within your utility or for a vendor in your supply chain. Mitigate the risks by building better threat intelligence along with insider threat and vendor verification programs.
Focus on human performance. Culture is at the heart of improving security, resilience and response. Train your entire workforce to recognize security issues and to follow a process-focused response capability that you can execute if your technology has been disabled or compromised.
From generator to meter, utilities serve our communities and our nations with a critical service. Accenture’s research shows that utilities are making progress in cybersecurity. But if companies don’t begin to educate and engage their boards of directors, executives, HR, engineering, operations and supply chain teams on threats to critical infrastructure, any increasing investments in technology are unlikely to deliver what’s really needed: intelligent grid security.