Cybersecurity, Part 2

Opportunities and Challenges for State Utility Regulators

Fortnightly Magazine - March 2017

In Part I of this article, which appeared in February's PUF, the authors examined the evolving role of state regulators in addressing cybersecurity in the energy sector. While state commissioners have not traditionally regulated this area, many are now grappling with the proper role to play. Part II surveys best practices in various locations and recommends methods for developing regulatory procedures that will ensure the security of critical energy assets.

These include asking whether the utility prioritizes controls, assets and C-suite involvement; converges technical controls with IT controls; implements test and drill measures; creates a culture of security; willingly shares threat information with its regulators and industry counterparts; and ensures regular audits.

Prioritize Controls, Assets and C-Suite Involvement

The first step a utility must take in evaluating cyber-readiness is to identify essential asset systems and networks contributing to critical functionality that need to be protected. It is important to think of risk as influenced by the nature and magnitude of a threat or hazard, vulnerabilities to that threat or hazard, and the consequences that could result.

"Regulators should demand that a cybersecurity culture permeate utilities." – Sherina Maye Edwards

Risk assessment includes analyzing dependencies and interdependencies, identifying threats, weighing vulnerabilities and evaluating potential impacts on critical assets.

In a survey of over ninety-six hundred global executives, forty-one percent of U.S. respondents had experienced one or more security incidents during the past year. A separate survey of nearly two hundred companies showed that when a breach does occur, boards are most likely to hold the CEO accountable.

This shows that responsibility for attacks is seen as a broader business issue, shifting the onus away from the chief information security officer (CISO) and the IT security team. With such high stakes, many agree that information security deserves full attention at the highest levels of any company.

Yet, cybersecurity is still considered a purely technical matter in some corporations. One study showed that only five percent of C-suite executives consider cybersecurity the highest-priority corporate initiative. It's second to last on a list of ten major corporate initiatives. Instead, they prioritize issues such as acquiring customers and growing internationally.

On the other hand, security executives overwhelmingly rank cybersecurity as the
