IBM: Cyber-Security Practices Key for Electric Power Sector
And, by definition, a smart grid has more access points and multiple networked systems, which open the door to more potential cyber security breaches. To address this, a host of industry and government standards and regulations, such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards, have been developed. IBM says policy-making bodies are increasingly interested in several challenges electric power companies face, including:

· Integrating information technology (IT) and operational technology (OT) networks due to grid modernization and other business initiatives
· Exposing IT and OT networks to the Internet, either directly or indirectly, whether intended or not
· Eliminating internal threats posed by disgruntled employees and human error by authorized technicians
· Mitigating threats to IT and OT systems from the widespread use of mobile devices, social media and easily portable USB drives, and the lack of governance for the use of these tools in critical environments

“I’ve been working in utilities for 25 years and I have never observed as much scrutiny about cyber security as I have in the last 18 to 24 months,” said David Batz, director of Cyber & Infrastructure Security at EEI.

There are increased expectations for the reporting of compliance with security and privacy directives. Scrutiny by federal agencies such as the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), and the Department of Energy (DOE) is likely to expand, IBM said. Future versions of the NERC-CIP standards promise to expand the scope and depth of utility compliance requirements. There is also a sustained and targeted effort from the regulatory and policy-making communities in key markets around the world to push the industry toward full preparedness.

Meanwhile, in addition to making change start at the top, other recommendations IBM has for energy and utility companies include viewing security as risk management, creating a fully integrated security enterprise, implementing security by design and using business-oriented security metrics and measurement.

Kuberski said utilities can gain better visibility into the effectiveness of their security strategy by applying the risk management principles that have worked well for managing the traditional risks faced by electric utilities. IBM’s Bochman noted that management needs a framework with which to establish a baseline for current security programs, understand the context and critical interdependencies, and set priorities accordingly. The framework applied needs to ensure that security metrics are easy to understand and share throughout the organization. Such a framework is in development, sponsored by the U.S. Department of Energy (DOE) with help from Carnegie Mellon University: the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) initiative.

The Carnegie Mellon Software Engineering Institute (SEI) is advancing maturity models. The SEI, in support of the DOE, fosters the adoption of the Smart Grid Maturity Model (SGMM) by electric utilities and service providers and works to advance smart grid software engineering. “The idea of a maturity model is to define levels of maturity for the industry,” said Austin Montgomery, energy sector program lead at Carnegie Mellon University. “The SGMM is an effort to identify what it means to modernize the grid. The industry has been very good at coming together on things. There’s been a lot of lip service about public-private partnerships, but I think this is a true one,” Montgomery added, referring to the effort between the DOE and the private sector.

“We use the SEI maturity model,” Kuberski said. “It’s about creating awareness. We know we can’t do it all by ourselves. We promote things like threat information sharing.”

Meanwhile, Allan Schurr, vice president of strategy and development for IBM Energy & Utilities, said he has been working in the area of smart grids for about 10 years and that in the early days, “Security was an add-on patch. Now the design includes security at the initial phases. We started seeing that three to four years ago and now it’s a standard.”

In addition, Pepco’s Kuberski said that although the risk of cyber security threats is now greater, “With risk comes benefit.” He said the smart grid enables companies like Pepco to push automation out to customers and provide services that promote efficiency and cut costs for consumers. He added that it is a delicate balancing act: assessing the risks involved and applying security measures as needed to allay the threat of breaches to the various systems, based on each system’s level of exposure.