WASHINGTON, D.C.–With the threat of cyber-security breaches impacting the electric power sector increasing, IBM has come up with a set of best practices for energy and utility organizations to adopt and live by.
At an event featuring leaders from various parts of the electric power ecosystem here, IBM opened up the floor for discussion about cyber-security in the electric power sector, proposing that there are practical ways to improve management and execution of enterprisewide cyber-security.
Indeed, Andy Bochman, security energy leader for IBM Security, said one of the core best practices or recommendations IBM has for electric power organizations regarding cyber-security is that they understand that change begins at the top.
“The best way for a utility to introduce cyber-security into its infrastructure is to go in with a high-ranking executive to own the cyber-security risk for the enterprise,” Bochman said.
An IBM paper on the subject said, “IBM believes that no other single action will do more to galvanize a new approach to security in an organization than the appointment and empowerment of a Chief Security Officer (CSO) responsible for enterprisewide cyber-security and compliance. The CSO must have ultimate control and responsibility for securing IT and OT [operational technology] across all lines of business, and as needed, into the extended supply chain.”
Michael Kuberski, Chief Information Security Officer (CISO) at Pepco Holdings, said his role does exactly that. Pepco Holdings is the primary utility company in the Washington, DC, area. Pepco Holdings is one of the largest energy delivery companies in the Mid-Atlantic region, serving about 2 million customers in Delaware, the District of Columbia, Maryland and New Jersey. Kuberski told eWEEK he just earned his new title this year, as he was formerly Pepco’s manager of enterprise architecture and now in the newly minted role of CISO where he looks at cyber-security from an enterprise view.
Kuberski makes no bones about the need for fastidious security at Pepco. “We see ourselves as a clear target being near the White House,” he said. “So we look at cyber-security across the enterprise.”
IBM notes that as the planet becomes smarter and increasingly interconnected, critical infrastructure systems that were previously isolated from other networks are now connected with both critical and non-critical systems—many of which are not under the direct control of infrastructure operators. This interconnectedness can enable many new efficiencies and conveniences. But it also means that, while every business must continue to refine and improve its security capabilities, critical infrastructure industries—like electric utilities and associated providers of technology and services—must adopt best practices in policy and controls.
“For as long as the electric grid is going to rely on digital infrastructure to operate, we’re going to be concerned about cyber-security,” said Scott Aaronson, director of government affairs at Edison Electric Institute (EEI), the association of shareholder-owned electric companies.
To be sure, whether motivated by international competition, corporate espionage, nation-state sponsored espionage, political ideology, organized crime, a grudge against an employer or even idealism, malicious hacking continues to expand. The proliferation of “how to hack” materials online does not help matters. Nor do the free or affordable high-powered tools make things any easier for security professionals. Social networking also makes sharing both information and successful techniques just as easy for these hackers as for anyone else. The combination of complex network connections that no one fully owns, a largely opaque software supply chain and the vulnerabilities inherent with human operators provide a ripe environment for hackers and those with malicious intent, IBM said.
Moreover, traditionally, a single-direction flow of power and data on isolated systems was the norm. Yet that is now giving way to more dynamic and integrated electricity production and delivery systems along with advanced metering infrastructure, IBM said. Sensitive operations and personal data are now moving over common or integrated communications infrastructure, flowing in multiple directions within a dense, multi-nodal system.