Around the world, it’s hard to miss the constant media and analyst drumbeat of warnings about new threats to critical energy infrastructures. Yet recent reports by Carnegie Mellon University and IBM reveal that most utility executives are more focused on other priorities, and it’s easy to understand why. The electric power industry is going through a period of rapid and unprecedented change: increasing expectations for reliability and workforce productivity, aging assets that must deliver high performance, new market entrants, integrating grid-scale and distributed renewables, and consumers taking a more active role in energy management. These are just some of the areas that demand executives’ attention.
The industry has always followed best practices for physical security, but cyber security, primarily for the protection of IT systems, has often received less attention. Still, in most of the world, the lights have stayed on, workers have remained safe, and electricity has been delivered at reasonable costs to customers.
It’s becoming increasingly apparent that cyber attackers now have the potential to disrupt two of the core mission principles of energy companies: safety and reliability. Senior leaders in other sectors have noted the potential for damage to their operations and have already begun to take significant action. Look at a typical telecommunications, financial services, or healthcare organization, and you will often find a security executive with a VP or higher-level title regularly reporting on security status and initiatives to top executives and the Board of Directors.
Leadership teams in these other industries often take a more active role in ensuring cyber security, and have transformed their reporting structures and cultures to attain heightened visibility of security matters. And while their actions provide no guarantee of invulnerability from cyber attack, these more active leaders and their peers are ahead of the game when oversight agencies inquire about the adequacy of their security measures. There is a lot to be learned from this approach, particularly for organizations in the energy and utilities industry.
In a just-released white paper for industry executives, IBM is calling for a new approach to how electric utilities staff and manage their cyber security missions. Along with a set of best practices for organizational and technological security, we recommend the appointment—and empowerment—of a “C-level” or other senior security executive who reports directly to the Chief Operating Officer, Chief Financial Officer, or Chief Risk Officer. We believe that appointing this kind of Chief Security Officer will send a strong, positive signal of seriousness and resolve to stakeholders, both inside and outside the organization. It will also provide a foundation for security to be managed like most other critical enterprise functions.
In today’s connected world, the industry and its stakeholders can no longer accept the old approach. We believe that following these recommendations and best practices is the best way energy and utilities organizations can proactively address the challenges of cyber security. Taking such steps now, rather than waiting until cyber security has been compromised, not only is good security practice, but is also likely to give the industry more flexibility and choice in determining the methods and measures pursued.
—Andy Bochman ([email protected]) is IBM Energy Security Lead and a member of IBM’s Industry Security Team