When Exelon merged with Constellation, Joe Glace started reporting directly to the president and CEO, Christopher Crane. As the Chief Risk Officer for the mega-utility, it was imperative that he was part of company’s executive committee.
"The new Exelon will have a significantly increased scope across the energy value chain,” Crane said at the time of the announcement in December 2011. “It is vital to our future success that we diligently manage risk from an independent and enterprise-wide perspective.”
Utilities have long guarded against typical risk factors that they face. But when it comes to cybersecurity, it’s largely uncharted territory. Some of the largest investor-owned utilities have responded by adding someone to the C-suite, but there need to be many more.
“Often, there’s a chief information officer, and then many levels down is security,” Andy Bochman, security lead at IBM, recently told Greentech Media. “But they need security with enterprise coverage.”
Bochman said that one of the first questions he asks when he meets with utilities now has to do with who is running security. If it’s not someone reporting directly to the CEO, then that is something that should be remedied.
As IT spreads across the grid, there will be a deluge of investment in smart grid cybersecurity in coming years. GTM Research predicts spending on cybersecurity products and services will grow from $120 million in 2011 to $237.6 million in 2015, making it the second largest segment behind distribution automation in terms of utility enterprise IT spending.
IBM, which is just one of the major players touting its cybersecurity expertise as part of its smart grid offerings, has five recommendations for utility cybersecurity best practices in a white paper that was released last year.
- Understand that change beings at the top. Whether you call it a Chief Security Officer, Chief Risk Officer or another name, this has to be the first step. This person should cover security for IT and OT and report directly to the CEO.
- View security as risk management. “Most utilities already have mature methods and metrics for estimating and preparing for other types of risks, including fires, hurricanes, ice storms, audit failures, fuel price volatility or macroeconomic changes,” Bochman writes in the paper. “These same proven methods can and should be applied to cybersecurity risk.” And again, get a senior-level advocate.
- Create a fully integrated security enterprise. Many utilities are integrating OT and IT, and while that presents additional risks, it can also help streamline security management. There needs to be centralized authority at the top, but then cybersecurity strategy should be applied and tailored to every group within the utility. IBM recommends taking a DOD approach and setting up a security operations center.
- Implement security by design. “One of the biggest vulnerabilities in information systems -- and wastes of money -- comes from implementing services first, and then adding security on as an afterthought,” said Kris Lovejoy, IBM Chief Information Security Officer.
- Use business-oriented security metrics and measurements. Bochman emphasized this point when speaking to Greentech Media. It’s not enough to collect information; there needs to be business processes in place and analytics that are integrated into a utility’s operations. The metrics can vary, but should be easy to obtain, easy to understand, and easy to share. Bochman repeated that it’s not enough to say you have a security guy. He should not only be at the top, but should also be able to speak in plain English about the issue to others in the organization.
Even though security isn’t new to IBM, it established two dedicated security divisions last year to be a leader in this space. Its top recommendations come from the IT world, but extend to OT. Some of them are not expensive or complicated, such as searching for bad passwords or training employees on identifying phishing scams.
“The only answer is to change, at a fundamental level, the way companies operate,” Lovejoy said. “This must recast the way people handle information, from the C-suite to summer interns.”