What is your cybersecurity plan?
As the number of cyber attacks on the electricity sector rises, grid providers involved in the generation, transmission, distribution, and marketing of electricity should do more to increase cybersecurity, regardless of regulatory requirements. Aside from the usual consequences of a breach, such as steep clean-up costs, a tarnished reputation, and loss of IP, electricity grid participants must concern themselves with a graver risk: an attack on reliability, which can have devastating economic and safety consequences for entire nations. Here I'd like to offer suggestions on just how to do that.
1. Baseline your cybersecurity posture
Unfortunately, in many organizations, grid providers included, CISOs don't have a good sense of their current cybersecurity maturity. Baselining your cybersecurity posture is essential to determining the gap between where you are and where you need to be. Fortunately, the Department of Energy Office of Electricity Delivery and Energy Reliability has made available the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) to help organizations evaluate, prioritize, and improve their cybersecurity capabilities. ES-C2M2 can serve as an excellent self-evaluation tool for any electrical grid provider looking to measure its current cybersecurity capabilities.
2. Set realistic cybersecurity goals
Electrical grid providers must face the reality that not every aspect of their operation can be safeguarded against cyber threats at the same assurance level, or at the same time. Using a risk-based model that examines the impact of a cyber breach, organizations can quickly identify their biggest gaps. NIST's Cybersecurity Framework is a compilation of existing standards and guidelines that help critical infrastructure operators reduce their cyber risk. Using its concept of target profiles, priority decisions are made based on business needs, risk tolerance, and resource availability. Ensuring that your limited IT resources are plugging the most exploitable holes first will increase security and resiliency far more effectively than spreading them evenly.
3. SMEs - Get outside help and consider cloud options
Small and medium grid participants must face the common reality that little to no cybersecurity expertise resides within their own ranks. Cybersecurity is most likely not one of your core competencies, so budget allocated to outside security providers is money well spent. Given the need for strong authentication based on a second factor such as a digital certificate, using a cloud Certificate Authority is a practical way to increase security without imposing heavy maintenance requirements on already stretched IT departments that don't necessarily know, or keep up with, best practices around PKI. Cloud PKI services can also lead to quicker implementations by allowing the SME to forgo the procurement of certificate authority servers, HSMs, and secure rooms.
4. Focus on security, compliance will follow
Yes, the price of non-compliance can be steep; however, organizations caught up in compliance-driven programs that focus on pleasing auditors can end up investing heavily while still operating with a lower than desired cybersecurity posture. Investing in a cybersecurity program built to prevent breaches will stop many attacks before they do damage, and compliance tends to follow from it. The cost of cleaning up after a breach can be devastating in terms of financial loss, damaged reputation, and safety. Grid owners and operators should continually review their cybersecurity program against new and increasingly sophisticated threats.
5. Expect a breach and prepare how to respond
Although preventive measures are important, how your organization will respond to a breach is equally critical. In this day and age, one must expect a breach, whether from internal sources (malicious insiders or operator error) or external ones (state-sponsored actors, criminal hackers, or terrorists). The name of the game is how fast you respond and how quickly you contain the damage. The best documented business resumption plan (BRP) won't provide much value if it hasn't been dry-run and updated on a regular basis. Don't invest heavily in a BRP just to have it go stale.
6. Modernize your IAM technology for new use cases
Managing who has access to what, and when, is no longer as simple as managing ACLs and Active Directory group membership. IT managers must incorporate more sophisticated methods of detecting unauthorized access attempts. An ever-growing set of use cases involving external users such as contractors, regulators, market participants, and even customers should be addressed by identity and access management (IAM) technology in a way that is secure, agile, and automated. Additionally, with mobile and IoT devices, IAM products must be able to handle multiple authentication methods at scale.
7. Factor in user experience in your IAM programs
User experience is no longer limited to consumer-oriented use cases. Enterprises are now catching on to how good user experience can translate to better security, lower costs, and increased productivity. Start by replacing cumbersome and easily forgotten password schemes, which result in costly password resets or, worse yet, "yellow sticker syndrome", with authentication methods such as PKI, biometrics, mobile devices, and other approaches that don't require long, complex, and frequently changed passwords.
8. Don't go it alone
Leverage government-industry partnerships such as NIST's National Cybersecurity Center of Excellence (NCCoE) to help jump-start your IAM and situational awareness implementations. NCCoE publishes a wealth of cybersecurity implementation examples that can help energy organizations of all sizes use proven third-party products to address the Cybersecurity Framework, NERC CIP, and other standards and best practices.
9. Build PKI-based security into your IoT projects at the ground-level
With billions of interconnected devices expected to come online in support of both the smart grid and smart cities, look at PKI as a viable technology that provides strong device authentication, data integrity, and encryption at scale. A device that holds its own private key and a certificate issued by your CA can prove its identity to the back end and sign the data it reports, and the back end can reject anything that doesn't chain to a CA you trust.
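The following is an added example, written for this article and not code from the author or from GlobalSign, of the certificate-based device authentication and data-integrity pattern described above; it also illustrates the certificate-based second factor mentioned in points 3 and 7. It uses only the Go standard library. The CA name, the device ID "meter-0001", the telemetry payload, and the use of a separate "rogue" CA are all constructed for the demonstration; in production the CA key would live in an HSM or a cloud CA rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate and key. This stands in for the
// utility's (or a cloud provider's) device CA; the key is held in memory only
// because this is a demonstration.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert issues an end-entity certificate for one device, signed by
// the CA. The device ID goes in the CommonName; the key never leaves the device.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyDevice is the back-end check: the presented certificate must chain to
// the trusted CA, be within its validity window, and be usable for client auth.
func verifyDevice(trusted, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// signReading signs a telemetry payload with the device key (ECDSA over SHA-256,
// ASN.1 DER signature), giving the back end data integrity and origin proof.
func signReading(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyReading checks a payload signature against the public key carried in
// the device certificate; any change to the payload makes this return false.
func verifyReading(cert *x509.Certificate, payload, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	ca, caKey, _ := newCA("Example Utility Device CA") // constructed name
	dev, devKey, _ := issueDeviceCert(ca, caKey, "meter-0001", 2)
	fmt.Println("device chains to trusted CA:", verifyDevice(ca, dev) == nil)

	rogueCA, rogueKey, _ := newCA("Rogue CA") // attacker-controlled CA
	rogue, _, _ := issueDeviceCert(rogueCA, rogueKey, "meter-0001", 3)
	fmt.Println("rogue device rejected:", verifyDevice(ca, rogue) != nil)

	payload := []byte(`{"meter":"meter-0001","kwh":12.5}`) // constructed reading
	sig, _ := signReading(devKey, payload)
	fmt.Println("reading verifies:", verifyReading(dev, payload, sig))
	fmt.Println("tampered reading rejected:",
		!verifyReading(dev, []byte(`{"meter":"meter-0001","kwh":1.5}`), sig))
}
```

The point of the rogue-CA case is that identity comes from the chain of trust, not from the CommonName: a certificate that says "meter-0001" but is signed by a CA the back end doesn't trust is refused. Revocation (CRL or OCSP) is the missing piece here; a real deployment checks it alongside the chain.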
10. Create user buy-in
Finally, never underestimate how end users can support or sabotage your network security. Get end users to buy in to why security matters. Create IT-user partnerships so users feel part of the security culture. Overly restrictive and burdensome IT security, imposed without explanation or stakeholder feedback, will most likely backfire, with end users "beating the system."
Lila Kee is Chief Product Officer at GlobalSign, a provider of identity and security solution for the Internet of Everything (IoE).