By Andy Bochman, Energy Security Lead
Read the headlines and you will see that cybersecurity threats to critical infrastructure continue to evolve. While it’s important for utility companies to stay abreast of the latest attack types, they must also look beyond external factors and turn their efforts to re-establishing and strengthening their organizational structure. The first step must start from within if they are to succeed in maintaining the stability, safety and security of the Smart Grid. It starts with re-defining the term “leadership.”
Recently IBM met with Michael Assante, President and CEO of the National Board of Information Security Examiners (NBISE), to get his perspective on the evolving security landscape within the Energy & Utilities industry. Drawing on his current role, and on his earlier service as Chief Security Officer for the North American Electric Reliability Corporation (NERC) and American Electric Power (AEP), Michael shares his thoughts on why significant change is necessary if we are to create an intelligent Smart Grid infrastructure.
Q1: How has the energy and utilities industry changed in terms of security measures? Did the Stuxnet virus and its successors drive this?
M.A.: Interestingly enough, I don’t believe the Stuxnet worm or any other notorious threat spurred the need for change. Instead, I see the shift being associated with the acceleration of connected digital technology. Computer and communication technology (smart meters, for example) is becoming an integral part of generating, transmitting, and delivering power, and as a result, we’re seeing a significant need not just for improved cybersecurity measures, but for a new, more sophisticated approach to business management. Our current defense and protection models are not sufficient against highly structured and resourced cyber adversaries, so utilities should act quickly to develop and apply their greatest resource in this contest: the professionals who work to defend, operate, and protect our critical systems and infrastructure.
Q2: We’ve seen cybersecurity come to dominate the headlines over the last few years, and many industries such as banking and telecommunications have made significant changes to their security governance and business operations. What can the energy & utilities industry learn and leverage from these other critical infrastructure industries?
M.A.: It is more the norm than the exception to find executive-level cybersecurity leadership in banking and telecommunications today. Years ago, both industries realized that protecting their networks, systems and data from attackers was a strategic imperative. And some industries have even gone so far as to police themselves with their own security standards. Now it’s time for electric utilities and other energy companies to elevate cyber resilience in their business planning and investment decisions. Today there are very few cybersecurity leaders at an executive management team level at energy companies. When we see more CSOs and VPs of Security working closely with frontline business units to responsibly manage the risks, we will know that the industry continues to move in the right direction.
Q3: Are you aware of any energy companies or other industries that have successfully appointed Chief Cybersecurity Officers?
M.A.: As an industry, E&U is still a long way from the financial services industry, where cybersecurity is fully integrated with its core business processes. That said, there are a few progressive leaders in the electricity sector, including the Tennessee Valley Authority (TVA) and Pacific Gas & Electric (PG&E) in California. With the right leadership in place, one of the most important changes these organizations made was introducing security metrics that allowed them to measure and report on the effectiveness of their efforts. Recognizing the power of metrics, the Department of Energy, alongside utility and industry experts, just released its new Cybersecurity Self-Evaluation Survey Tool for utilities. This is another step towards helping senior utility leaders better understand their organizations’ current cybersecurity preparedness and prioritize improvements over time.
Q4: What message do you have for the CEOs and Boards of Directors of utility companies?
M.A.: There is an opportunity to learn from senior cybersecurity leaders at certain utilities as well as in other industries such as the telecommunications sector, in particular how they elevate their leaders and/or bring in new leadership from outside, how they work to improve the culture, or the ways in which they improve visibility into cybersecurity issues and operations from a business perspective. Cybersecurity is not simply an exercise in demonstrating compliance; if done right, it is an inherent property of a well-managed business.
A recent survey reveals that, in many enterprises, the status, authority and visibility of the cybersecurity function is on the rise.
Michael Assante is a founder of NBISE, whose mission is to increase the security of information networks, computing systems, and industrial and military technology by improving the potential and performance of the cyber security workforce.