Abstract
Smaller utility operators have to balance the extreme pressures of keeping their critical services available and the constant cyber security threat they are under. Many operators have found it difficult to know where to start, or are paralyzed looking for the best solution.
This article suggests that operators should get started with the basic blocking and tackling of IT security, then use an iterative approach to crawl, walk, and run their cyber security practices up to acceptable levels.
Background
Utilities today are under ever-increasing pressure to keep the proverbial lights on. In addition to expecting (demanding?) reliable, cost-effective delivery of power, we have also become the most connected generation ever to exist. Our devices cannot function without this supply of “electric oxygen” that supports our digital lives and businesses.
Keeping the power on is hard enough from a purely operational standpoint. It involves complex systems of generation, transmission, and monitoring. As power demand has increased, the expectation of its reliability and affordability has also risen. These pressures have increased the need for utilities’ OT networks to embrace the need for IT solutions. Industry 4.0 is coming.
For mid-sized operators, this creates numerous challenges.
Highly trained and skilled electrical engineers and technicians now have to behave like IT professionals. This alone is a significant shift for an organization to make.
With the lack of IT expertise and the enticing threat profile of a small utility, you have an exponentially increasing cyber risk. Being the smaller operator once likely meant you had a lower cyber security risk. However, given the increasingly connected nature of the generation and transmission of electricity, many believe smaller operators are now at the highest risk compared to their larger brethren, who have larger budgets and more resources to defend themselves.
The problems facing mid-sized utilities in the cyber security realm.
Funding. There is no way around it; security is not free, and the costs can vary wildly depending on who you ask.
It is like securing your home, where there is a never-ending supply of locks, fences, gates, and alarms to choose from. Organizations have to grapple with a blinding matrix of software, hardware, and consulting services. Most of these vendors offer specific solutions to specific parts of the cyber security problem, leaving operators to wonder: do I need this? What else do I need along with this?
Costs can seem like a never-ending black hole of unexpected expenses for many trying to address the overall issue.
Having a realistic understanding of budgeting for cyber security can be hard enough. Operators then need to find the money in an increasingly tight budget, or worse yet, justify a rate increase to regulators and customers to address the issue.
Skill Sets. Few operators have dedicated IT or security staff. Most operators have had to introduce connected systems to their facilities in some form or another, but they have done so with a mixture of existing staff and vendor engagement. This leads to a broad skills gap for the organization; after all, you can't expect an electrical engineer to pick up the same skills as a 10+ year IT or security veteran.
But let's face it, hiring a dedicated IT or cyber security professional can seem like it will do little to help with the overall mission of keeping the power flowing reliably and affordably day to day.
Lack of visibility. What keeps most CIOs in the energy space awake at night right now? It is the idea that they don't know whether their systems are already compromised. Those targeting utilities and critical infrastructure tend to be more patient than those attacking the enterprise. Threats can lie dormant for years. Organizations cannot assume that their systems are safe because they appear to be operating normally today.
How to get started. Many smaller operators are starting from scratch. This can feel like an overwhelming obstacle. Instead of allowing operators to take a crawl, walk, run approach, much of the conversation around the topic tends to be alarming and hyperbolic. It suggests to those trying to get started that they have to be hyper-secure on day one. That would be great, but it is not realistic or practical.
Solutions
Just get started with plain and straightforward objectives. Many approach cyber security as a one-time event: you set a project goal of reaching ultimate protection, you reach security paradise, close the project, and move on. We believe this is a significant reason many leaders stay paralyzed and do nothing of substance to reduce their organization's overall risks.
Instead, you should approach your cyber security program as a continual improvement effort. Constantly evaluate where you are, what the risks are, and what mitigation strategies are possible.
Iterative practice
Start with your vision.
Your vision may not be crystal clear this early in the process. That is to be expected. But you will have to do some soul-searching to understand the risks you are willing to accept for your organization. Experts can help identify the risks and assign weight to them. Experts can also provide guidance on industry standards and frameworks. Still, ultimately, you will have to decide which risks you are willing to accept based on the available resources and cost. If it all seems foggy, don't stress. Things will become more evident as you iterate and improve.
Figure out where you are.
Implement a discovery process to help identify risks and areas of improvement, giving weight to these findings. You will not find every risk if you've never done this before; you will locate additional risks in future iterations.
In the first discovery process, your goal should be to identify gaps in the basic blocking and tackling of IT and cyber security defense practices.
Create an iterative plan and feedback loop.
Create a plan from the outputs of the discovery process. Break up your efforts into small 2-4 week sprints. Remember, the goal here is to be iterative in the approach rather than adopting a fire-and-forget mindset. An iterative approach will allow you to grow stronger over time, adjust to any changes in the environment, and ease the organization into new security routines.
Execute.
Once you have a plan, you can begin the execution phase, evaluating each sprint against defined measurements until you have worked through the bulk of your initial discovery list. As you execute, keep a register of any new improvements or risks found.
Rinse and repeat.
Security practices constantly change, requiring a diligent review, execution, and monitoring cycle. You now come full circle back to a discovery phase. The register you kept from the execution phase can be evaluated in the next discovery phase.
Conclusion
Cyber security is not a one-size-fits-all blanket, and the environment is continuously changing. Security is a spy vs. spy dynamic that is better managed with an agile approach. Be practical and realistic about what you can do now - the basics will take you a long way. Lastly, always remember that security is not a destination but a journey.