ARCOS LLC

ARCOS LLC provides resource management solutions to help utilities respond, restore and report to daily planned and unplanned events. Our solutions focus on people and automating processes that help utilities get resources to the field faster.

Post

Two keys for cybersecurity: collaboration and focus

Posted for ARCOS LLC

Connect with ARCOS LLC

Fill out this form to receive more information from ARCOS LLC.

This summer the U.S. government created the National Risk Management Center to coordinate the defense of U.S. infrastructure – including energy companies – from cyberattacks. The NRMC isn’t the only group focused on security. EEI’s Electricity Subsector Coordinating Council (ESCC) also partners with the government to protect the grid. And the American Public Power Association offers online tools to help its members with security concerns. Cybersecurity is a hot topic; the stakes are high.

It’s encouraging to see the government bring public and private players together. This reminds me of how lawmakers kick-started patient security via electronic health records more than a decade ago.

What makes someone secure are the practices they engage in around the clock and the type of platform they invest in. And, frankly, we’re better than most of our utility company partners in this regard only because generating power is a utility’s core competency; writing code and designing secure, cloud solutions is our expertise.

When I’m called by our salesforce to speak with a potential customer (whether in the U.S. or Canada), my conversations are nearly 100-percent about security. In spite of the fact that our solutions have an uptime of 99.98 percent (and in some months 99.997 percent), the security discussions seem to zero in on what happens the other .02 percent of the time. Securing our customers’ applications is paramount. But an inordinate amount of time is spent talking about those .02-percent what-ifs. Consider this: a .02-percent chance exactly mirrors the odds – according to the National Association for Sport and Physical Education – of the WNBA drafting a high-school girl to play basketball.

Utility industry vendors have to ensure their systems are at least as good if not better than anything behind their customers’ firewall. The typical SaaS, or cloud, platform gets threats every second of the day. When utility company IT pros compare cloud platforms to that of an on-premises system – which is the kind of system that’s a bit neglected and dusted off when there’s a crisis – they see the distance traveled to keep customers secure. Unlike an on-premises system, SaaS solutions don’t go offline because a worker failed to apply a patch to the platform’s server.

For instance, if a large portion of the grid goes down, our company has redundancies across tiers, regions and time zones. We have servers in far-flung locations to maintain uptime and reliability, and those data centers housing our servers have backup power, too. In fact, today’s state-of-the-art data centers have phenomenal physical and electronic security. Vigilant vendors also run penetration testing (i.e., pen tests) internally and externally for protecting their infrastructure by enlisting the support of “ethical hackers.”

While it isn’t fruitful to spend a lot of time on the less than .02 percent, considering what-if scenarios matter very much. A savvy vendor will think through what happens if a hacker impersonates an employee and consequently develop a protocol before it’s needed. As a vendor or a utility, you have to continuously invest time and talent for security. For instance, meeting certifications like SOC 2 Type II are good; exceeding the certification is better. And even when you’re exceeding expectations, be careful. Just because you have insurance doesn’t mean you should drive like a madman.

A key to security is catching the bad guys quickly and then stopping them. Strategically, that means building fences around fences around more fences. A fence can be a webcam, motion sensor, biometrics or any other combination of pitfalls and gates. Taking security as granularly as you can lays an ever increasingly complex number of traps for intruders to trip over.

In spite of the headlines about some remarkable hacks and breaches, the utility industry and its partners are making defensive strides. Here’s why I write that:  By way of background, I worked in industrial automation and later the healthcare industry for the better part of my thirty-year career. Getting systems right was job one in industrial automation because if you didn’t get things right, it could kill someone. That experience has helped me vet and mitigate risks the utility industry faces today.

What I learned from healthcare is that once the government goes full bore with an initiative, things lift off. Take electronic healthcare records (EHR). In the 1960s Lockheed developed one of the first electronic clinical systems, a forerunner of today’s EHR. The Department of Veterans Affairs then began dabbling with EHR in the 1970s. Things inched along in the 1980s and 1990s. Around 2004, the U.S. government created a national coordinator for health information technology. The president then signed a bill into law that incented healthcare providers to adopt EHR. Soon afterward the EHR became ubiquitous.

Healthcare was a laggard in terms of administrative IT and security. But doctors and hospitals caught up quickly when the government pressed the issue. Cybersecurity is now arguably one of our nation’s top concerns. If, as an industry, utilities and their partners focus on the right cybersecurity what-ifs and put in place smart protocols, we’ll increase the likelihood of early detection and shut down the bad guys.

Ted Schneider's picture

Thank Ted for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

ARCOS LLC
ARCOS LLC provides resource management solutions to help utilities respond, restore and report to daily planned and unplanned events. Our solutions focus on people and automating processes that help utilities get resources to the field faster.

Discussions

Bob Meinetz's picture
Bob Meinetz on September 19, 2018

Ted, though security is critical to the reliability of utility and grid operations, threats are minimized by limiting control circuitry to private networks - maintaining a brick wall between operations and the World Wide Web. It's expensive and cumbersome, but fortunately smart engineers envisioned the destructive potential of cyberthreats long ago, and have made physical separation of networks the first line of defense.

For business communications connecting to the web is essential, and any company other than the internet giants is vulnerable to DDoS (Distributed Denial of Service) attacks by a determined entity. Phishing (the culprit in the widely-publicized John Podesta email hack), password-guessing bots, and Trojan horse viruses in emails remain dangers, but only due to a lack of awareness and vigilance. Thus it's critical for energy IT staff, like those in any other industry, to develop and maintain strict company policies to minimize the possibility of an intrusion.

Separation of Concerns (SoC) and encapsulation break down programming tasks into discrete modules, and are two of the best ways to limit the depth and severity of intrusions. But one of the most overlooked of cybersecurity precautions is backup - after an attack, prompt response and restoration of data. Too many companies invest $millions in firewalls and mutliple layers of defense but overlook data redundancy. After a security breach, they are then faced with the monumental work and expense of rebuilding systems from scratch. Though it's a mistake companies only make once, it can be devastating - and it's one of the few cyberthreats which is completely avoidable.

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »