Because information networks are so interconnected, electricity systems and associated infrastructure remain vulnerable to cyberattacks, with a significant potential for widespread system outages, despite best efforts. Further, the technologies driving modernisation, coupled with continuously evolving regulations, make it difficult and expensive to stay ahead of those not playing by the rules.
Security steps, such as educating workers on best practices for securing laptops, thumb drives, substations and control centres, will not be enough to guarantee the safety of the electricity grid. What is needed is a comprehensive security strategy composed of clear steps for protecting the grid.
The industrial and personal reliance on national power grids makes the impact of a successful attack troubling. The risk in not addressing the need for fundamentally and strategically changing cybersecurity strategies is compelling, yet activity remains tactical.
Governing bodies issuing rules and regulations are trying to address these cyber risks, but their current actions cannot keep pace with broadening threat vectors. Companies have limited security resources available, and even these find themselves in continual tactical response mode rather than strategising ways to head off potential hackers.
Given the serious nature of this challenge, there are strategies and actions that utility organizations can take to reduce risks. But this is not a one-time fix. In the same way that “safety” is an ongoing and primary concern, “security” must be managed with the same seriousness. Security should be a system of flexible strategies and routine tasks that include every employee, supplier, process and technology. Security needs to be a truly holistic process where compliance is a result, not the driver. A culture of siloed compliance operations is untenable as a strategy for defending the power grid.
Utilities must take the following actions:
Integrate – Assimilate compliance concepts into your security program as strategic elements of your business.
Prioritize – Manage both security and associated compliance activities using a risk perspective. Have the ability to flex, repurpose, reorganize and refocus based on changing priorities.
Drive – Continuously employ tasks that provide a holistic status of interconnected activities required to meet compliance requirements and audits.
Verify – Routinely simulate penetration attempts, and a successful attack, to assess the company’s response, then follow up immediately with targeted improvements.
Utilities cannot rely solely on current compliance standards and assume they have therefore properly safeguarded the grid from attackers. Rather, flexible, adaptive cybersecurity strategies, combined with strict compliance adherence, are needed to shield the grid from attacks that can come in all formats, not just malware. Cybersecurity and compliance cannot be seen as just “IT issues.” Instead, there must be ownership by multiple company stakeholders and execution by ALL company employees and suppliers. The best methods for getting all these stakeholders engaged? Simplify programs, reduce the burdens on overworked staff through increasing connectivity, prioritize actions based on risk, and underscore the need for continued vigilance and action. In doing so, a utility’s security challenges can be properly managed to the point where risks are sufficiently mitigated.