Who Is Your Utility’s Chief Risk Officer?

Cybersecurity requires a top-down approach.

When Exelon merged with Constellation, Joe Glace started reporting directly to the president and CEO, Christopher Crane. As the Chief Risk Officer for the mega-utility, it was imperative that he was part of the company’s executive committee.

“The new Exelon will have a significantly increased scope across the energy value chain,” Crane said at the time of the announcement in December 2011. “It is vital to our future success that we diligently manage risk from an independent and enterprise-wide perspective.”

Utilities have long guarded against typical risk factors that they face. But when it comes to cybersecurity, it’s largely uncharted territory. Some of the largest investor-owned utilities have responded by adding someone to the C-suite, but there need to be many more.

“Often, there’s a chief information officer, and then many levels down is security,” Andy Bochman, security lead at IBM, recently told Greentech Media. “But they need security with enterprise coverage.”

Bochman said that one of the first questions he asks when he meets with utilities now has to do with who is running security. If it’s not someone reporting directly to the CEO, then that is something that should be remedied.

As IT spreads across the grid, there will be a deluge of investment in smart grid cybersecurity in coming years. GTM Research predicts spending on cybersecurity products and services will grow from $120 million in 2011 to $237.6 million in 2015, making it the second largest segment behind distribution automation in terms of utility enterprise IT spending.

IBM, which is just one of the major players touting its cybersecurity expertise as part of its smart grid offerings, has five recommendations for utility cybersecurity best practices in a white paper that was released last year.

Even though security isn’t new to IBM, it established two dedicated security divisions last year to be a leader in this space. Its top recommendations come from the IT world, but extend to OT. Some of them are not expensive or complicated, such as searching for bad passwords or training employees on identifying phishing scams.

“The only answer is to change, at a fundamental level, the way companies operate,” Lovejoy said. “This must recast the way people handle information, from the C-suite to summer interns.”