Securing critical infrastructure

The power system is often deemed ‘critical infrastructure’ or ‘critical national infrastructure’ by governments to underscore its essential nature for the functioning of societies and economies. The mission-critical nature of electricity as the foundation for all other infrastructure is precisely why the role of cybersecurity is gaining ground within the electric utility industry.

It is common knowledge that the power sector landscape is rapidly evolving with more frequent attacks made by a variety of bad actors in sophisticated ways. Power companies are increasingly becoming targets of nation-state actors aiming to disrupt the utility’s mission of delivering reliable, affordable and safe electricity – often using its industrial control systems (ICSs) as a gateway. The cyber-physical nature of modern power systems can be an opportunity for potential attackers to cause serious physical and financial damage from a remote location.

Understanding which physical assets must be protected, and what the consequences will be if protection fails, is something utilities have been investing in for decades. Taking the same ‘protection’ approach to identify and harden high-value digital assets requires acknowledging the bigger picture.

Cybersecurity is not just an IT problem, it’s a business problem

The success of cybersecurity is measured by the identification of threats, reduction of risk, and remediation after an incident. For utilities to deliver on their mission of reliable power, the entire system must be secure. Beyond adapting business models to build on opportunities presented by the modern grid and its expanding value chain, keeping the entire power system secure requires due diligence across the enterprise. This due diligence is represented in good governance – the foundation of any successful cybersecurity strategy.

Prioritizing cybersecurity governance

Keeping IT and OT systems current and secure requires governance that most utilities already have in place. Because technology and cyber threats are constantly evolving, maturing cybersecurity governance processes is a first step in the right direction to level up.

The ISO/IEC 27001 standard, from the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), defines IT governance as, “The system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.”

Cybersecurity effectiveness can be correlated to the rigor applied to governance. Is there a clear, agreed-upon definition of your risk management policies, strategies and goals? Are your processes standardized, repeatable, and consistent? Are you mandating thorough vendor assessments? Do you have a strong understanding of your regulatory landscape and requirements for incident reporting? Is your governance measurable and enforceable with accountability assigned across the organization? Does your senior leadership support your cybersecurity governance, and have they backed it up by ensuring adequate resources to meet cybersecurity goals?

Asking these questions and understanding their risks requires a thoughtful security governance model that builds resilience from the inside out, and an industry-specific strategy that protects the entire electricity value chain.

There are many other areas involved in a solid, comprehensive cybersecurity program. But governance lays the foundation for effective cybersecurity management and a unified approach to mitigating a utility’s cyber threat landscape.

Contact PSC to help define or check-up your cybersecurity governance today.