find out more - pa consulting · 2019-12-30 · a holistic-focused approach and methodology enables...


WHITEPAPER: IS YOUR C-SUITE PREPARED FOR THE (CYBER) FUTURE?

INTRODUCTION AND BACKGROUND

The electric utility landscape managed by the C-Suite of the 21st century is shifting fast, which presents leaders with an array of changes, challenges and opportunities - managing cyber security effectively is of utmost importance. The steady push towards a secure and DynamicEnergy™ system is bringing a broad range of new technologies that encourage on-site generation and two-way power flows. However, these increasingly interconnected approaches mean that Next Generation Energy (NGE) will face a much wider range of cyber threats, and thus, it will be important for utilities to bolster their overall cyber risk posture and adopt new and broader risk management practices.

While many utilities already use cyber security risk management standards, within many C-suites there is an inherent tension between those who take an alarmist position and those who are more complacent. A holistic-focused approach and methodology enables all concerned to understand and manage cyber threats.

One of the challenges in developing this approach is that small, disparate security groups have traditionally managed physical, electronic and information cyber risks. They only work on a targeted subset of critical assets and/or systems to meet requirements imposed by regulatory bodies such as NERC CIP. This leaves the larger set of unregulated components and assets across the organization exposed because they have less funding, improper hardening and components that are under-managed.

With growing national attention on the cyber security challenges facing utilities, the C-suite should also be mindful of the role of state elected officials. Those officials are increasingly recognizing the necessity of state regulators playing a constructive part in future NGE solutions and helping to protect the state’s critical public utility infrastructure. Governors and legislative leaders are making it clear that they need assurance that state public utility companies are taking necessary steps across all components to ensure cyber security. State regulators have also been reviewing the adequacy of cyber defenses by holding annual audits with utilities within the electricity, natural gas and water sectors.

It is critical for NGE C-Suites to recognize the changing nature of the cyber security landscape under their domain and ensure that they have the right defenses in place, effective governance and performance metrics, supported by a flexible and effective enterprise oversight program.


CYBER THREATS AND UTILITIES

Figure: FY 2015 Incidents by Infection Vector¹ (295 total): Unknown 110; Spear Phishing 109; Network Scanning/Probing 26; Weak Authentication 18; Other 17; Abuse of Authorized Access 7; Brute Force 4; SQL Injection 4.

Cyber threats are becoming more sophisticated and growing in frequency and intensity. That means utility company senior management teams need to be prepared for more attacks, which will be increasingly severe in impact.

Cyber attacks can take many forms. Cyber threats and vulnerabilities created by malicious actors (individuals, organizations, or nation states) are often sophisticated and difficult to detect – posing a significant risk to organizations.

In addition to these more sophisticated cyber threats, threat actors, vulnerabilities and risks exist in other areas:

1. Advances in mobility and end-user technology often lack built-in security measures;

2. Organizational policies and procedures are unable to keep pace with a rapidly changing threat environment;

3. Holistic cyber security program governance with leadership from senior management is lacking;

4. Lack of skilled cyber security professionals within IT and OT for critical infrastructure sector organizations.

¹ NCCIC/ICS-CERT Year in Review 2015


Figure: Cyber attacks by sector²: Power and Utilities 26%; all other industries 74%.

It is also clear that energy companies and utilities remain top targets globally, based on incidents reported to US ICS-CERT in 2015.²

It is clear that energy companies and utilities will continue to become increasingly susceptible to these cyber threats, threat actors, vulnerabilities, and risks as they deploy new technologies and digitize their internal and customer-facing platforms to compete in an evolving marketplace, while meeting changing customer expectations. The problem is that most utilities are not ready for these increased threats, and yet they are facing increased regulatory pressure to do more.

In particular, smart metering systems represent one of the most acute cyber attack vectors to distribution networks. Utilities that moved earliest on smart meter rollouts may face the greatest problems as some of these products lacked important security functionality. These have become greater vulnerabilities since their installation, as they have not received vital security updates.

Many major smart meter deployments expanded through matching grants from the American Reinvestment and Recovery Act (ARRA). While this rush helped grow the smart meter market, it also left many potential gaps. Smart Grid deployments that received ARRA grants were required to implement an initial security plan and received annual US Government security reviews during the grant period. However, after this, many utilities relaxed their cyber security practices and they did not always implement updates and patches to Smart Grid systems and communications, as well as to connected internal systems in IT, OT and business departments.

While many utilities accept the need for action to manage these threats, they face a number of barriers to the implementation of better cyber security. These include the fact that there is often a limited budget for this work, as organizations focus on capital investment rather than operations and maintenance. This reflects an overall view that the operations of the utility come first, and that can often overrule security needs.

A further problem arises in upgrading legacy systems. A recent study by the Ponemon Institute found: “Fifty-four percent of respondents are not confident or unsure that their organization would be able to upgrade legacy systems to the next improved security state in cost-effective ways without sacrificing mission-critical security.”³

² NCCIC/ICS-CERT Year in Review 2015

³ Ponemon Institute and Unisys, “Critical Infrastructure: Security Preparedness and Maturity”, July 2014, https://www.hunton.com/files/upload/Unisys_Report_Critical_Infrastructure_Cybersecurity.pdf


Equally, organizations may simply not have the staff to implement the required work. Utilities often have skill shortages, particularly in IT/OT cyber security departments, and attracting, training and retaining the appropriate talent is a challenge. This is more difficult because not all utilities are in locations with easy access to the necessary skilled people; with good cyber resources in high and growing demand, retaining these employees is challenging. Even when companies have such people on staff, they may find themselves so busy that they do not always obtain the training they need.

A final problem is that some utilities do not recognize that reliance on compliance strategy and standards alone gives a false sense of security. In particular, compliance on Bulk Electric System (BES) Cyber Systems alone will not guarantee security or protect the complete enterprise. An effective approach is one that provides protection through an enterprise cyber security plan and an implementable program for all components in the organization.


THE KEY STEPS IN A HOLISTIC APPROACH

To overcome these barriers, utility leaders can implement a holistic enterprise-wide, risk-based cyber security program. This should start with the integration of cyber security with information technology, operational technology and other forms of risk management. Support from the right level of governance authority is needed.

This should provide proper identification and implementation of the appropriate internal controls across the organization’s components (applications, hardware, network, code, information, sites, personnel and media) and be based on risk to reduce the overall threat landscape.

Many organizations spend all of their time focused on implementing a handful of requirements. While utilities need to remain compliant with NERC CIP requirements, following this minimalist approach causes a majority of assets to be unprotected, leaving gaping holes in the perimeter. This approach may work for short-term compliance purposes, but it is important for an organization to think differently if it wants to establish a truly mature cyber security program. Leaders will benefit from digging deeper, going beyond run-of-the-mill health checks and gap assessments, and looking beyond just IT and operations.

The first step in this process is establishing a baseline, which means understanding how the organization compares to its peers. All organizations should have a cyber security framework in place – regardless of whether it is the NIST Cybersecurity Framework (NIST CSF), ISO 27002 or NERC CIP, as long as it identifies which controls are in place. This is key to a holistic approach.

Once the appropriate controls framework is in place and accepted by the organization, the next step is evaluation. A traditional gap assessment or health check examines an organization from a very high level. It then produces information that is either too broad for an organization to understand and implement, or it validates a preconceived belief that the organization is in good shape, neither of which is helpful. A deeper dive is required. For utilities, this means assessing business systems, customer data, IT systems, operational technology (OT) systems including SCADA, and physical security. In cases where health records and credit card data are stored (i.e. nurse stations, cafeterias, etc.), HIPAA and PCI assessments are required as well.

Figure: Organizational components covered by the holistic approach: Device/HW; Application/SW; Network; Information; Source Code; Media; Personnel; Organization; Location.


Figure: Digital Trust. Elements shown: Enterprise-Wide Risk Based Cyber Security Program; Cyber Security Program Implementation; Cyber Security Departmental Formation; the five pillars (Tone at the Top, Enterprise Governance, Capability and Independence, Framework, Measurement and Maturity); Risk Posture is Aligned with Defined Levels of Organizational Risk Tolerance and Appetite.

Organizations spend a great deal of time and money on risk assessments, only to have them sit on a shelf gathering dust once the report has been reviewed by a handful of risk managers in the organization. This happens when the wrong people carry out a risk assessment at too high a level in the organization, resulting in distorted risk calculations and limited guidance on mitigation strategies. For example, asking people to comment on technology, applications, and processes and procedures outside of their normal job and daily duties often produces unusable information. To mitigate this flaw, a risk assessment needs to focus on functional areas such as software and applications, hardware, physical, etc. and ask the owners of each to comment. By doing this, the assessment can focus on the threats that are important to the relevant stakeholders - providing more accurate answers.

When PA works with clients, the objective is to combine the information gathered in the gap assessments on the maturity of controls with a tailored risk assessment response. This enables a more realistic calculation of risk, which allows the organization to prioritize its mitigation strategy. With controls mapped directly to the threats, the strategy is easier to understand, and most importantly, it is implementable.

One final and essential step in the holistic approach is to develop a risk-based cybersecurity program. The five-pillar approach, which is described in greater detail in the next section, can help an organization do just that.


THE FIVE PILLARS

Figure: Tone at the Top: organizational commitment; sets organizational context.

The five pillars cover: tone at the top, governance, capability and independence, the framework and measurement and maturity. Organizations should measure and test their performance in each of these areas.

TONE AT THE TOP – CONVERSATIONS AND COMMUNICATIONS

This pillar focuses on the need for the executive team to assess the organization’s readiness for change, the appetite for risk and the approach to Organizational Change Management (OCM). All of these factors should be considered carefully, with management being prepared to take on responsibility for proper cyber security and the establishment or enhancement of a cyber security framework.

At the heart of this work is the need for an executive team to be committed to the change, and communication of that commitment across all units and all people in the organization. If the organization does not understand the leadership commitment, the importance of any changes may be misunderstood, which will hinder achievement of the goal. Communications then need to be consistent with the enterprise plan and echo executive commitments and commentary.

Each organization also needs to assess how much and where they are willing to absorb risk, and the resource pool (people and funding) that can be committed to mitigate risk. The risk posture is not only essential to risk mitigation, but also helps to reinforce the organization’s commitment to its identification, mitigation and management.

Finally, executive management needs to take an active interest in the messaging it uses to ensure consistency and commitment. This is the foundation of OCM and necessary to implement new standards of operation, including possible changes within cyber security.


ENTERPRISE GOVERNANCE - ORGANIZATION AND DEFINED OUTCOMES

The executive team needs to provide effective governance to the cyber security effort in order to maintain organizational commitment and alignment within the overall strategy. Proper accountability and monitoring should be in place to check if defined goals and outcomes are achieved. The authority to perform identified functions has to be clearly in place, documented and communicated. If the people given the responsibility do not have clear and known authority to perform, the organization will view their roles in cyber security as an optional or highly deferrable part of their duties.

Education of the executive team, board and other senior and mid-level management should also be in place to ensure proper engagement and accountability to perform and guide their organizational efforts to complete cyber security tasks. In addition, they need to be sure that clearly defined, assigned roles and the operating protocols are in place to provide clarity to each role in the cyber security framework.

Finally, reporting of cyber security efforts with a focus on results must be in place and the frequency and structure of that reporting should be reviewed and agreed upon by the performers and executive management. They should then revisit the reporting standards and update them as the framework matures over time.

Figure: Enterprise Governance: creates consistency; strategy & objectives.


Figure: Capability and Independence: establishes roles; order of operations.

CAPABILITY AND INDEPENDENCE - AUTHORITY, PERSONNEL AND TOOLS

Another key role for the executive team is the selection and training of cyber security personnel. They need to have the right tools and executive support in place, but the cyber security team, much like an auditing team, needs to have organizational independence in terms of reporting structure. They also need to have enterprise authority to issue standards, provide incident handling leadership and appropriate access control to manage and mitigate risk. They should have ownership and leadership for the cyber security function and senior backing to make it an expected and non-optional part of doing business.

The executive team should also create and formally approve a charter for the cyber security function which makes clear the reasons for and the authority of the cyber security function. Organizational protocols for the cyber security function and roles need to be clear and part of the charter. Education, certification and application of knowledge are foundational components of the cyber security function and should have sufficient organization funding and time committed to keep the cyber security team up to date.

Finally, proper cyber security requires tools to enable proper defense, response to cyber attack/interference and monitoring of cyber infrastructure to enhance the security of the enterprise cyber operations. All areas related to cyber, such as IT, OT, engineering, business operations, production or finance, need to be engaged in enterprise cyber security to enable and support a sound cyber environment.


Figure: Framework: creates enterprise clarity; enables operations.

POLICY PROCESS AND PROCEDURE FRAMEWORK - STRUCTURAL FRAMEWORK AND PROGRAM OPERATIONS

An essential part of cyber security is having a multi-year plan and implementation plan in place. The executive team must ensure alignment with the organization and reinforcement of its importance to the enterprise.

The executive team should oversee and formally approve policy, which includes the cyber security functions, authority and responsibilities of the organization at large and the cyber security function organizational unit. Business function appropriate control standards need to be in place and enforced. They should also ensure that the standards are subject to review and program updates are made over time.

As policy is developed, the organization’s leaders should ensure that supporting communication takes place and that proper implementation of policy is timely and effective. The mandatory nature of policy needs to be clear and enforced. As selection of elements of the security framework takes place, leaders must work to ensure they are put into operation effectively. It is vital that all concerned understand the intent, purpose and actions required to operate within the framework appropriately.

The alignment of framework processes and procedures to the framework standards and policies is critical to ensure clarity and compliance. The executives need to make sure that this is the case, in addition to making clear their support and expectations for the framework to be implemented. Careful management of the consistency and alignment of the processes and procedures must be in place to ensure they are enterprise-wide, with very few exceptions to avoid the issue of conflicting guidelines.

External operational assessments of risk coverage, risk remediation and the cyber security operation will help to ensure that practices are effective and in line with organizational expectations. Controls implementation and selection, reference architecture and system security plans should be reviewed on a regular basis to ensure relevancy and effective use.


Figure: Measurement and Maturity: focus on improvements; results & reporting.

MEASUREMENT AND MATURITY - PROGRAM MONITORING, ASSESSMENT AND REPORTING

The executive team should assess whether it has the information and data to confirm that the focus and work on the organization’s cyber security program are in line with expectations. They also should ensure that the appropriate level of due diligence is taking place.

To enable a sound operation, carefully selected results-based metrics should be in place to provide a realistic and fair summary of the state of cyber security. This includes agreement on the data, definitions of that data and the collection of that information to provide honest reporting. It is important for the executive team and cyber security leadership to agree on the frequency of operations results and program reporting reviews.

Finally, routine external program assessment and continuous improvement is needed. This should recognize the importance of conceptual completeness at the start rather than perfect paperwork. It is better to start earlier with a sound concept and perfect it through testing. Then, if the proper metrics and review mechanisms are employed, the organization will have an objective assessment and real understanding of the state of cyber security and clarity about what needs to be improved.


THE JOURNEY TO SUCCESS – A CASE STUDY

A PA client had five major cyber risk assessments with more than 50 significant recommendations, on which very limited progress had occurred. PA helped the client with the development of a roadmap, which used the five-pillar structure to create a work plan and organize their work. The board and executive officers accepted the roadmap and declared it a top priority for the organization by appointing five of the top nine executives to the SROC (Security Risk Oversight Committee), which reinforced the tone at the top.

The SROC Charter established the authority to enact policy and to function as the primary governance body for the cyber security effort. Utilizing the five-pillar model, they developed plans to organize recommendations and other cyber security framework efforts. Organizational Change Management (OCM) methodology was the strategy to educate the organization and set the context around each effort to create and operate the enterprise security framework.

The SROC required the identification of effective measures of maturity and progress prior to the approval and acceptance of any framework process. This kept both the organization-at-large and the cyber security personnel focused on effective results. The roadmap called for setting up a basic security framework, which could mature to a standardized level of operation. Migration plans were made to progress to an optimized level of performance.

The organization is now making material progress and has a comprehensive cyber security framework in place. Enterprise system development and implementation methodologies now include cyber security gates, which must be cleared prior to implementation. The existing catalog of systems is in the assessment process to identify risks and mitigation. The organization-at-large is gaining knowledge through a series of carefully planned and considered campaigns to enhance cyber security and awareness. The journey has begun to enhance and improve the holistic cyber security framework.


CONCLUSION - HOW CAN THIS APPROACH PROTECT A UTILITY FROM CYBER THREATS

The five-pillar approach helps focus resources on the biggest risks first to support the protection of the entire enterprise, not just to achieve compliance with a specific mandate such as NERC CIP. By implementing an enterprise framework, adherence to mandates means all those involved work to meet specific reporting and evidence requirements and surpass the minimum mandate standards. This approach consolidates cyber security efforts across the organization with a lower total cost, helping to eliminate the costly redundancy that occurs when multiple parts of the utility build ad-hoc cyber security mechanisms.

This organizational Cyber Security Framework fosters security at all levels and offers a proactive approach to the installation and operation of cyber defenses. It helps to achieve the more valuable objective of enhanced service reliability, and mitigates the risks and costs, which come with service interruptions. It also engages the entire organization from the executive ranks to the front line, which enhances the effectiveness and likelihood of success. All of this means that the five-pillar approach can provide a more effective and efficient journey to enhanced cyber security, which will be critical for Next Generation Energy.


Corporate headquarters

10 Bressenden Place London SW1E 5DN United Kingdom +44 20 7730 9000

US headquarters

The Chrysler Building 45th Floor 405 Lexington Avenue New York NY 10174 USA +1 212 973 5900

paconsulting.com

This document has been prepared by PA. The contents of this document do not constitute any form of commitment or recommendation on the part of PA at the date of their preparation.

© PA Knowledge Limited 2018. All rights reserved.

No part of this documentation may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying or otherwise without the written permission of PA Consulting Group.

About PA.

An innovation and transformation consultancy, we believe in the power of ingenuity to build a positive human future in a technology-driven world.

As strategies, technologies and innovation collide, we turn complexity into opportunity.

Our diverse teams of experts combine innovative thinking and breakthrough technologies to progress further, faster. Our clients adapt and transform, and together we achieve enduring results.

We are over 2,600 specialists in consumer, defense and security, energy and utilities, financial services, government, healthcare, life sciences, manufacturing, and transport, travel and logistics. And we operate globally from offices across the Americas, Europe, the Nordics, and the Gulf.

PA. Bringing Ingenuity to Life.