At the end of January, I attended the DistribuTECH conference in San Antonio, Texas. As always, it was a great event—and a fantastic opportunity to spend two days talking to utilities executives about their front-of-mind issues around resiliency and cybersecurity.
These conversations often turned to how companies can enhance their security in all forms—both physical and cyber. This year, there seemed to be a recurrent theme: the pressing need for transmission and distribution (T&D) companies to break down the silos that separate their IT, T&D, operational technology (OT) and security organizations—all in the name of more effective security and resilience.
Why is this so vital? To explain, let me start with the recent history of security in utilities. It was around 2010 that the industry first focused on cyber attacks on industrial control and SCADA systems. This initial focus, following revelations about Stuxnet in Iran’s nuclear program, was validated by the successful cyber attack that brought down the Ukrainian power grid. In our recent Digitally Enabled Grid research, we see that more than half of utilities executives globally believe their country is likely to face interruption of power supply from cyber attacks within five years. What was an abstract threat in 2010 became a kinetic threat in Ukraine.
The result: Cybersecurity was big news, and T&D utilities worldwide knew they were in the line of fire. What looked like a technology issue clearly needed a technology solution. So, logically enough, many utilities assigned responsibility to a technologist—usually their chief information security officer (CISO)—to build a cyber “wall” to protect their information systems and assets against potential attackers.
Problem solved? Sadly not. As more and more T&D companies are now coming to realize, cyber attacks are just one weapon in a much larger geopolitical game. If adversaries can’t get through your cyber wall, they will simply get around it by other means, including physical attacks, insider threats, or via vulnerabilities elsewhere in your business or supply chain.
The implication is clear: Any T&D company that thinks “cyber” just means “technology” is playing the wrong game. So, what do utilities need to do?
Given the diversity, scale and rapid evolution of threats, they need “intelligent security,” which means bringing together technological and physical security across the organization and developing the agility to switch defense tactics. To do this, utilities need to understand that they aren’t facing a cyber threat; they are facing an adversary that uses cyber as a weapon. They need to know more about their adversaries’ capabilities in order to better defend against their weapon(s).
This brings me back to my DistribuTECH conversations about breaking down silos. If T&D companies are still basing their security strategies on wall building by their CISO, they instead need to look to remove the barriers that separate business units, and unite and integrate physical and cyber security across the entire business. For many T&D businesses and for utilities more broadly, this need is exemplified by OT: Despite adherence to standards, real OT security requires coordination between IT, OT, T&D, physical security, cybersecurity and supply chain to prevent a cyber attack. It also requires resilient techniques, not just walls, to prevent attacks by an intelligent adversary and protect against them.
Breaking down silos in this way is the first step toward a more intelligent security strategy to protect the grid—one that is adaptable, agile, proactive, and takes account of each adversary’s interests, capabilities and intent.