By Nick Sanna
EnergyBiz Magazine Spring 2015
View original article: http://www.energybiz.com/magazine/article/404585/digital-risk
THE ENERGY INDUSTRY has done a lot – more than most other industries – to mitigate its digital risk profile and improve its response and recovery mechanisms. According to Gartner, in 2013 only the insurance industry surpassed energy in cybersecurity spending per employee; energy was even ahead of banking. Despite those investments, challenges remain – most of them driven by the increasing integration of IT with industrial control systems and operational grid technology.
Although smarter grid technology offers many benefits to utilities and consumers, it also creates a new set of vulnerabilities and exposes the industry to a new class of digital threats. The number of digital access points to the networks of electric power companies, for example, has grown significantly, which increases the potential for unauthorized access.
Additionally, the integrations among IT, the industrial control systems and operational technologies are neither well understood nor sufficiently protected, which complicates the assessment of the overall system’s weaknesses.
So, what is the current overall state of affairs when it comes to managing digital risk? Here are 10 takeaways from the Digital Risk Management Institute – five things that we believe the industry is doing well and five where improvements are still needed.
Five digital risk management (DRM) areas where the energy industry is doing well:
1. Engaging the board of directors and executives in tackling digital risks: The management of digital risk is seen as a business issue, not just as a technology issue. Directors and executives in the electric power industry appear to take their risk governance roles quite seriously, to the point where risk management has become an integral part of the business culture. They are directly involved in understanding the evolving threats to their businesses, in setting objectives for risk management programs and in assigning dedicated resources to the oversight and operational management of those programs. The number of dedicated digital risk officer positions is growing.
2. Collaborating among industry players and with government: The industry long ago realized that creating a more reliable and resilient power grid is a shared responsibility that requires collaboration. In fact, the National Infrastructure Advisory Council stated that the electric power industry chief executives’ engagement with top government officials is the model for all other critical infrastructure sectors. In the digital realm, we have witnessed the formation of the Cyber Risk Information Sharing Program (CRISP), a partnership among the U.S. Department of Energy, the Electricity Sector Information Sharing and Analysis Center (ES-ISAC), national laboratories and many of the largest U.S. electric companies – all to facilitate the timely sharing of digital threat information and situational awareness tools.
3. Identifying top threat scenarios: Given the criticality and physical spread of the grid infrastructure, the electric power industry was forced to look at threats from a holistic perspective early on. The industry practices a defense-in-depth approach to security, in which multiple security elements are layered around a critical asset so that the failure of any single control does not by itself expose the asset. The identification of digital threats has come to the forefront recently as an increasing number of operational processes have been digitized. Having an existing framework in place to identify top threat scenarios has made it easier to incorporate the newer digital threats.
4. Understanding that regulations and controls are important but not sufficient: The electric power industry is the only critical infrastructure sector with obligatory, enforceable cybersecurity standards (the NERC Critical Infrastructure Protection standards that apply to the bulk electric system). Although these standards play an important role in establishing a baseline for grid security, the industry realizes that they are not sufficient to ensure protection in the face of ever-evolving, dynamic threats. The conscious adoption of more proactive, risk-based approaches to digital governance and management – rather than reliance on compliance and controls alone – sets the electric power industry ahead of others.
5. Implementing response and recovery plans: Electric power companies have developed detailed response and recovery plans as part of their risk management programs. Regular live exercises, in which combined physical and digital attacks are simulated, help them uncover the strengths and weaknesses of those plans and update them accordingly. Here too, recent megaevents such as Superstorm Sandy drove home the importance of industrywide and government collaboration. The North American Electric Reliability Corporation conducted the second industrywide grid security exercise, known as GridEx II, in November 2013, and GridEx III is planned for the fall of 2015.
Five DRM areas where the energy industry could improve:
1. Better mapping of digital perimeters: The digital perimeter that was limited to data centers decades ago expanded in the ’90s to include connected terminals and was stretched further at the beginning of this century to include third-party providers that were increasingly integrated into the supply chain. The multiplication of digital network access points – along with the reliance on third parties to supply components and management personnel for critical IT, industrial control and operational systems – means that electric power companies find themselves protecting a digital perimeter that they no longer completely understand, control or manage. That picture worsens once you add fourth-party providers (the subcontractors or technology vendors of third-party providers).
To close this gap, electric companies should take a deeper look at their digital perimeters. Utilities should identify all critical assets and business processes in which third parties (and fourth parties) are involved, and then ensure that these parties are held to the same security requirements as their own employees and assets, including the remote and on-site access they are granted to control and operational systems.
2. Better understanding of digital integration risks: The past two decades have seen a progressive digitalization of industrial control and operational systems and their integration with IT – and most recently with the Internet of Things. These technical interdependencies are not always well understood and are potentially hiding a new class of critical vulnerabilities. Many of the control and operational systems were developed in isolation from the rest of the computing network by engineers who did not always consider the security implications of later connecting them to other digital systems. These issues are exacerbated by the fact that the workforce of the electric power industry has been aging along with the equipment and that many of the operational experts are retiring in great numbers, taking undocumented knowledge of those systems with them.
To address this issue, the industry must accelerate its efforts to study digital integration risks before hackers or cyberterrorists do. This effort will require collaboration among operations, IT, vendors and cybersecurity experts, along with industry information-sharing. Some initiatives are underway, such as the recently announced collaboration between the University of North Carolina’s Energy Production and Infrastructure Center (sponsored by several electric power companies) and Waverley Labs, a specialized digital risk management firm, but these efforts must multiply to close the most critical exploitable gaps.
3. Better quantification of risk to improve mitigation strategies: To date, we have not seen established methodologies to quantify inherent, actual and targeted digital risk, given the complexity of having to mesh disparate data streams regarding vulnerabilities, threats, controls, and operational and financial consequences. Although we applaud the industry’s and the government’s “whatever it takes” attitude, it is not always clear where, and how many, resources need to be applied to best mitigate digital risk scenarios. In the absence of digital risk quantification, the default behavior is to revert to technology-driven approaches in which many digital assets are treated as equal, which undermines the business-aligned, risk-based approach that most companies would want to follow.
To reiterate this point, the quantification of digital risk is one of those DRM practices that we believe to be essential for informed decision-making regarding the prioritization of risk mitigation initiatives and proper budget allocation, yet one that has received little attention. If it is not taken seriously, the electric power industry may find itself overspending on low-priority digital security initiatives while not paying sufficient attention to critical ones.
4. Continuous monitoring of digital risk: Traditionally, companies have conducted digital security checks at fixed intervals, most often to comply with regulatory mandates. That is no longer sufficient in today’s ever-evolving threat environment. Being on continuous watch for anomalies that could reveal developing or ongoing attacks is essential to a proactive approach to DRM. Although most companies have implemented real-time security monitoring and have even built security operations centers, they are drowning under a deluge of technical monitoring data while lacking an understanding of actual business risk and event context. Without that understanding, all that data remains difficult to correlate, interpret and act upon.
To resolve this impasse, executives must break down organizational silos and get business operations, IT, and the cybersecurity and incident response teams to collaborate on context and monitoring. This collaboration is critical to ensure proper detection and response to known threats and is absolutely essential for uncovering new threats.
5. Development of digital risk transfer solutions: Electric power companies should not be left alone to defend themselves against digital threats, especially when they have done everything required to comply with obligatory and voluntary industry cybersecurity regulations. Although they are responsible for protecting their operations and for implementing DRM programs to ensure grid resilience, they have to rely on government to protect them from domestic or foreign attacks.
To help with this problem, companies should have the option to transfer risk to third parties as part of their digital risk mitigation strategies, especially for catastrophic events. Most traditional insurance policies still do not cover catastrophic digital failures (though some new cyberinsurance products are becoming available). We believe that two factors could greatly help. First, the emergence of generally accepted digital risk quantification methodologies would allow insurance companies to include digital risk in their actuarial models. Second, Congress should extend the TRIA-type (Terrorism Risk Insurance Act) federal backstop coverage that was enacted after the Sept. 11, 2001, attacks and that is expiring, which could be justified as part of the government’s mission to protect and ensure the continuity of the nation’s critical infrastructure.
Nick Sanna was the 2014-2015 President of the DRM Institute, a not-for-profit organization formed to identify and communicate best practices for managing digital business risk. Previously, Sanna served as CEO and COO of enterprise software and services companies in IT security, IT analytics and performance management.