Despite the uncertainty about utility cyber security regulations, there are steps that electric utilities, owners and operators of generation and transmission facilities, and industrials with on-site generation can take now to promote greater security for their facilities. Here are 10 strategies that compliance officers and regulatory affairs personnel can implement today to combat cyber threats that may compromise physical electrical infrastructure. (This is by no means a comprehensive list.) Beyond the minimum required by law, a security culture helps establish an environment in which compliance with any new requirements that are ultimately adopted can be successfully implemented, ensuring a secure and resilient infrastructure.
Strategy 1: Get Upper Management on Board
Any compliance strategy must start at the top. A fully informed, supportive, and actively engaged upper management is critical to a successful cyber security compliance program. The key personnel involved in cyber security should explain to upper management the need for internal, proactive efforts to mitigate the risk of cyber attack and its potential impact on physical infrastructure, including actions not strictly required by law but nonetheless useful in protecting against cyber attack. Upper management sets the tone for the organization, and by visibly making cyber security a priority can help ensure that all employees are vigilant and perform the roles that support a secure infrastructure.
Strategy 2: Designate a Chief Security Officer
In any effective compliance program, a strong and capable leader must take the reins. A chief security officer position should be created and the duties, responsibilities, and objectives of the position should be clearly specified. Whether a company creates a new, stand-alone position or integrates the chief security officer role within an existing position will depend on the business structure and unique characteristics of the company (for example, a smaller organization may not be able to devote resources to a stand-alone position). Importantly, the chief security officer must be someone who possesses the necessary clout to get things done. The absence of such an individual risks implementing a cyber security compliance program that lacks teeth and fails to effectively combat cyber threats.
Strategy 3: Conduct a Self-Assessment
Periodic self-assessments provide a means to determine the current state of your organizational cyber security, identify and make plans to mitigate weaknesses, and establish a baseline for measuring improvement. Self-assessment should aim to understand the interaction of all components of your cyber security systems and processes, evaluate how they meet your particular security needs, and identify areas for improvement.
In conducting self-assessments, remember that cyber security is not monolithic; there are no one-size-fits-all solutions. Every company has zones of security with different user bases, levels of interactivity, and security requirements, particularly at the entry and exit points to the zones and at the interfaces between them (their perimeters and boundaries). For example, a "customer interface" zone with thousands of user accounts that communicates with computer systems over which the company has little or no control will have security requirements that differ from those of the zone responsible for electronic control of generation and transmission equipment. A self-assessment needs to examine the security of each zone in light of the unique security requirements and challenges that the zone and its perimeters present.
When conducting self-assessments, companies should be realistic about their capabilities and vulnerabilities. It is easy to slip into complacency. If you are tempted to say, "After all, we have never had a serious cyber security breach," ask: "How do I know we have never suffered a breach?"
Are the mechanisms and personnel in place to allow you to detect a breach? What is being monitored? What are the signs of an attempted or successful break-in that would be detected? A strong culture of security requires you to assess what you know and don’t know.
Strategy 4: Evaluate Compliance Status
Self-assessment should include evaluating the company’s compliance with regulatory and industry cyber security requirements. For electric utilities, generators, and transmission companies, these include the North American Electric Reliability Corp.’s (NERC’s) Critical Infrastructure Protection (CIP) Reliability Standards. Other cyber security regulatory requirements include those issued by the U.S. Nuclear Regulatory Commission (NRC), as well as requirements applicable to government contractors. Understand which standards and requirements apply to your business and use the self-assessment as an opportunity to check your compliance.
Strategy 5: Make a Plan for Improving Security
A self-assessment should result in a plan for improving cyber security. The chief security officer should take the lead in identifying gaps in security and taking steps to address those gaps. Rarely will a self-assessment identify no gaps or areas for improvement. In fact, a self-assessment that reflects a "perfect" program should raise concerns about whether you have properly identified all risks and vulnerabilities. But avoid finding fault simply for the sake of finding fault. Understand that a strong detection and response measure may mitigate a weak preventative measure.
In developing a corrective plan, start with the low-hanging fruit. Gaps in security often are the result of oversight or the accumulation of "exceptions" to security policies that build up to become a significant vulnerability. These are often easy to fix. Develop both short-term, quick-fix plans and longer-term evaluation and improvement plans.
Strategy 6: Train All Personnel
Cyber security is not solely the domain of the information technology (IT) department. Everyone who touches the hardware and software that provide potential access points for cyber attacks must be involved in preventing such attacks. Given the ubiquity of personal computers, mobile devices, and the like, nearly everyone in the organization plays a part. Thus, everyone must be trained to identify and respond to cyber threats and attacks.
Not all employees must receive the same degree of training; those involved in "front line" cyber protection must receive the greatest amount of training. A robust training program will identify the subject matter areas for training, the levels of training required, and the corresponding training techniques and programs. A culture of security also requires that the training program be enforced; the company should be prepared to discipline violations of training requirements and procedures.
Strategy 7: Develop an Incident Response Plan
Many organizations already have a business continuity plan, but these frequently focus on commonly recognized physical incidents such as floods and fires. However, "virtual" attacks can have real-world consequences as significant as floods or fires. Cyber security incidents are not just problems for the IT team; with computer systems communicating with and controlling physical systems, cyber security incidents impact engineers and technicians, the public, government and shareholder relations, and upper management.
A cyber security incident response plan should be part of every company’s broader business continuity plans. It involves many of the same elements: monitoring, detection, and escalation to decision-makers; assembling predesignated response teams; action to mitigate and stop the incident; activation of alternatives to continue operations during the incident; notification of and communication with partners, authorities, and the public; recovery of normal operations; and evaluation of the incident for lessons learned and opportunities for improvement. Regulatory requirements, such as those enforced by NERC and the NRC, are not always sufficient for each organization. Make sure your plan fits your needs.
Strategy 8: Test Your Incident Response Plan
Periodic testing of a cyber security incident response plan is the best way to ensure it will work when needed to respond to a real incident. Conduct "table-top" exercises regularly, simulating a variety of cyber security incidents and involving the entire incident response team. In some cases, such exercises are required by regulation, such as with NERC's CIP Reliability Standards. It can also be worthwhile to occasionally conduct unscheduled exercises so that complacency does not set in; otherwise the response team may be able to handle only incidents it knows are coming, leaving it ill-prepared for the way real-world incidents usually unfold.
Strategy 9: Identify Lessons Learned and Implement Changes Accordingly
Every test of the incident response plan should result in lessons learned and an action plan to adapt the response plan to address those lessons. The chief security officer should take responsibility for following up on the lessons learned. Changes should be incorporated into the response plan and tested at the next opportunity (which in some cases is required by regulation, such as with the NERC CIP Reliability Standards).
Strategy 10: Get Involved, Stay Involved
The current regulatory environment is enmeshed in uncertainty and perpetual red tape that impedes development of a comprehensive framework within which to address cyber threats. Industry faces a critical and daunting task: how best to tackle current threats and prepare to combat and mitigate future threats to the physical power grid. In light of today's minimal mandatory regulatory requirements, it falls to industry to proactively seek solutions to the growing number and sophistication of cyber threats. As part of its culture of security, a company should be actively seeking opportunities to improve, including participating in industry working groups and other activities that provide access to lessons learned and best practices that the company can import into its own cyber security compliance program.
The future of cyber security is uncertain, both in terms of the types of threats and attacks that can compromise the physical power grid and the legislative and regulatory response intended to protect against such attacks. But even in the absence of more definitive legislation and regulations, there are steps that can be taken today to address cyber threats and attacks. The strategies identified here will help companies develop and implement a culture of security and be better prepared for whatever compliance requirements are thrown their way.
—Daniel E. Frank and Jennifer J. Kubicek are attorneys in Sutherland’s Energy and Environmental Practice Group in Washington, D.C. Mark Thibodeaux is an attorney in Sutherland’s Energy and Environmental Practice Group in Houston, Texas.