Principles for a Cybersecurity Program
One would be hard-pressed to find someone in the electric utility industry who doesn’t know the risks of cyber-attack. A discussion of actual and possible events is in the news almost daily. In fact, there have been real-world incursions into industrial control systems and even electric utility operations by bad actors using cyber-attack methods and tools. How do we protect ourselves from the attack and as an executive what should you emphasize in a program? There are many ways that Information Technology, Operational Technology, and cybersecurity programs in the electric sector are put together. There are some key considerations that should transcend differences in approach.
Dedicate an individual as the Cyber Security Director
Cybersecurity is a specialized area, and if you’re serious about addressing risks, you need a single person who has the responsibility to oversee that function and is accountable to the board for that role. Across media platforms one encounters discussion and debate about what background and skills a cyber-security director should have. It’s worth keeping in mind that a cybersecurity manager in any business holds a role with inherent dichotomies. She is responsible for detecting and reporting attacks and breaches, and responsible for preventing them too. A program that cannot detect cyber incursions might merely seem good at preventing them; conversely, a program that detects and reports incursions well may be doing a poor job of preventing them. Further, a cyber-security director must be able to communicate effectively at all levels, from the board room to the substation and the wiring closet. They must simultaneously extol the positive aspects of a cyber-security program through positive assertions and candidly report out to the board and executives on the gaps and weaknesses without appearing obtuse. Most importantly, that person needs a solid understanding of the business and what matters to it. Whatever else you see as a requirement for the role, that person must be able to handle these situations.
It’s Not about Compliance
Every electric utility that is part of the bulk electric system is familiar with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards and the compliance regime associated with them. They are a set of standards overseen by NERC and audited by regional entities across the NERC membership. NERC CIP provides a solid baseline of mandatory cyber security requirements, and non-compliance can result in fines. A culture of compliance is good, and no one should suggest risking non-compliance and facing fines (up to $1,000,000 a day). However, don’t emphasize compliance as the end, or even as a program in and of itself. Compliance for compliance’s sake can leave significant gaps in a cyber security program. As a C-suite executive, you may not, and probably should not, have in-depth knowledge of cyber security controls and weaknesses at the component level. You do influence the culture. Emphasize that reducing risk, not compliance alone, is the goal. Encourage a program that implements risk-based cyber security tied to the impacts of an attack, treating compliance as a natural but not final step. Hold your cyber security director accountable to that, and ask for a regular cadence of cyber-attack risk reporting.
Keep Your Operations, Operations.
If possible, you don’t want cyber security systems (application firewalls, intrusion detection systems, etc.) operated by cyber security personnel. Why? Generally, people focus on the mission of their group. Operations keeps the systems working to achieve the mission. Yes, they care about security, and your cyber team should be backing them up and ensuring they do. But security isn’t in place for its own sake; it serves the needs of the mission and the enterprise. Outages or disruptions created by implementing security are exactly the kinds of disruptions that we, who place reliability at the top of our priority list, put cyber security in place to prevent.
Bring in a Red Team and Adjust
A “red team” is an individual or group that is truly independent and can therefore see things objectively. In cyber security this function is often coupled with penetration testing. True red teams act as the “bad guys” and attempt to breach systems with no warning, with knowledge of the exercise restricted to an executive or two. Red teams in cyber should also include a programmatic review. Encourage your red team to tie weaknesses in the program to the technical vulnerabilities they find (they will find some; we all have them). Doing that is difficult, but it can be truly useful in helping motivate staff.
Train Your Staff
Budgets are always tight but cyber security skills are perishable and cyber security staff is hard to come by. Keep your team trained up and tell the board it’s essential. Show the return on investment through reporting. Ensure that your employees have a disciplined goal for their training that aligns with your program as it supports the strategy of your business.
Brief the Executives and Tailor Metrics
Successful managers generally were individual contributors who didn’t wait for their boss to tell them how they were doing, but took responsibility and asked with regularity, “This is how I think I’m doing; what do you see?” This is the same idea. Brief the executive team, or the CEO, on a regular cadence. Tell them where the risks are and what needs to happen. Make sure they are comfortable with the risk. In this ongoing conversation, develop metrics that matter to your executives, and tailor them to what your organization does and what works for you.
There are nearly as many different implementations of Information Technology, Operational Technology and cybersecurity programs as there are electric utilities. However, some key principles can serve as architectural guidelines for your program. Although these aren’t the only things one should consider for a program, they should be applicable to any organization.