Cybersecurity, Part 2
Opportunities and Challenges for State Utility Regulators
In Part I of this article, which appeared in February's PUF, the authors examined the evolving role of state regulators in addressing cybersecurity in the energy sector. While state commissioners have not traditionally regulated this area, many are now grappling with the proper role to play. Part II surveys best practices in various locations and recommends methods for developing regulatory procedures that will ensure the security of critical energy assets.
These best practices include asking whether the utility prioritizes controls, assets and C-suite involvement; converges technical controls with IT controls; implements test and drill measures; creates a culture of security; willingly shares threat information with its regulators and industry counterparts; and ensures regular audits.
Prioritize Controls, Assets and C-Suite Involvement
The first step a utility must take in evaluating cyber-readiness is to identify the essential asset systems and networks that contribute to critical functionality and therefore need to be protected. It is important to think of risk as influenced by three factors: the nature and magnitude of a threat or hazard, the vulnerabilities to that threat or hazard, and the consequences that could result.
Risk assessment includes analyzing dependencies and interdependencies, identifying threats, weighing vulnerabilities and evaluating potential impacts on critical assets.
In a survey of over ninety-six hundred global executives, forty-one percent of U.S. respondents had experienced one or more security incidents during the past year. A separate survey of nearly two hundred companies showed that when a breach does occur, boards are most likely to hold the CEO accountable.
This shows that responsibility for attacks is seen as a broader business issue, shifting the onus away from the chief information security officer (CISO) and the IT security team. With such high stakes, many agree that information security deserves full attention at the highest levels of any company.
Yet, cybersecurity is still considered a purely technical matter in some corporations. One study showed that only five percent of C-suite executives consider cybersecurity the highest-priority corporate initiative. It's second to last on a list of ten major corporate initiatives. Instead, they prioritize issues such as acquiring customers and growing internationally.
On the other hand, security executives overwhelmingly rank cybersecurity as the