According to the North American Electric Reliability Corporation’s (NERC) State of Reliability 2018 report, cybersecurity vulnerabilities are increasing in number. This is not surprising considering the increased adoption of advanced metering infrastructure (AMI) technology, which naturally leads to more entry points hackers and cyber-terrorists can exploit. The improved reliability that AMI brings far outweighs this downside, but the fact remains that utilities with AMI programs cannot afford to wait until an attack to start thinking about cybersecurity. While NERC sets standards for securing the grid with its Critical Infrastructure Protection (CIP) plan, the reality is that if you’re only building a plan to meet these standards, you may not be doing enough.
A truly comprehensive security plan must consider the following:
- Identify risks and develop an action plan. Kick-start the process by undertaking a security assessment of your infrastructure. Once risks have been identified and classified, develop action plans for them and review those plans periodically.
- You're only as strong as your weakest link. Educating your staff is a critical component of any cybersecurity plan. After all, how effectively can you secure your organization if your employees are using "Password123"? Establish a culture of risk management at every level of the company, from your executives to your IT team to your customer service representatives. Establish mandatory security policies for employees and communicate those policies clearly.
- Ensure regular reviews and updates. Cybersecurity best practices change as technology evolves, and your security plan should evolve with them. Regular monitoring for threats is an operational necessity, but an annual risk assessment should be budgeted into your security plan as well. An effective annual risk assessment encompasses a review of policies and procedures (including recruitment and human resources), audits of vendor security protocols, and an overall vulnerability assessment of hardware and software. Global bodies such as ISACA (Information Systems Audit and Control Association) publish guidelines for performing comprehensive risk assessments. Not only should your security plan be updated regularly, but your software systems should be as well. It is essential that your IT team keep software current with available patches to reduce the likelihood of an attacker exploiting the vulnerabilities those patches were created to fix.
- Hold vendors and consultants to your security standards. Vendors and consultants should not only have security policies written into their contracts; those policies should also carry contractual penalties to ensure compliance.
- Use every resource at your disposal. The importance of hiring great information security staff cannot be overstated. IT staff should be at the forefront of implementing security procedures and maintaining good network hygiene. However, not every utility has the budget for a dedicated cybersecurity team. One practice every utility should have in place, regardless of budget, is regular communication with your local FBI branch; they are more than willing to share cybersecurity best practices that your team can implement. While internal monitoring is indispensable, budgeting for third-party audits of your systems is also required, because the day-to-day operation of the AMI network can dull internal staff's sensitivity to imminent threats.
With incidents such as the ransomware attacks on the City of Atlanta and on Lansing, Michigan's Board of Water & Light becoming more frequent, it is now more important than ever that utilities take a comprehensive, multifaceted approach to cybersecurity. Regular assessments of security protocol effectiveness, continual updates to those protocols, the involvement of experts outside your organization, and a firm internal education plan are all vital components of preemptively thwarting cyberattacks against the grid.
Maria DeChellis is the Director of Marketing & Industry Strategy at Red Clay Consulting. As a nearly 20-year industry veteran, Maria has focused her efforts on working with utilities to improve the customer experience through technology. She is PMP-certified and a former utility executive and IT strategic consultant with project management and stakeholder experience in AMR/AMI, Customer Information System, and ERP implementations. Maria is currently the secretary of the Customer Service Subcommittee of the American Water Works Association. She can be reached at firstname.lastname@example.org.