Utilities are by nature very conservative. Their highest values are reliability and safety, but as most utilities transition to more competitive business environments, there's a new value contending for the top slot: trust.
Like an organization in any industry, proving yourself as a responsible protector of sensitive data is one way to establish trust, as is keeping the lights on in the case of utilities. But like good reputations, both take a long time to build, and both can be lost in a few seconds. Most energy sector security professionals know that keeping their currently fielded information technology (IT) and operational technology (OT) systems and networks patched and otherwise protected is hard but doable.
The truth is, the vast majority of utilities are getting the security job done. However, this is only part of the battle, as security teams, already spread thin by myriad compliance, privacy, cyber and physical security requirements, face a blend of new issues: new devices, services, and information that they now need to incorporate and implement into an already complex environment.
Mobility, big data and cloud are three significant technology advancements that are continuing to change how organizations across various industries operate. Each brings with it a number of advantages, but also new cybersecurity challenges and, depending on location, numerous privacy and compliance requirements, as well.
Let's look at each for a moment.
For most employees at an energy utility, it’s not a desk job. More than their peers in many other sectors, utility companies have used and managed mobile devices as essential tools for a long time, outdoors, on the ground, in the air, and in their trucks.
Field teams servicing residential, commercial and industrial customers, and building, maintaining and repairing often-remote pipe, power lines and substations is what the business is all about. And getting direction and sending prompt updates on equipment condition and work status are tasks that put mobile technology in the hands of utility field personnel as soon as the devices appeared several decades ago.
It's time to acknowledge, though, that as the capabilities of each device have expanded, and the amount of (sometimes sensitive) data they hold increases, it's time for a robust approach to securing these powerful new endpoints. This can include endpoint management systems to maintain current policies and upgrade software, as well as tools to improve mobile application security.
Today, many utilities are trying to determine the best strategy to manage and capitalize on new data that continues to flood in from approximately a few million smart meters, not to mention what’s being captured via social media outreach programs and new customer portals. There’s also the question of how best to secure and protect privacy when sharing customer usage data with third-party value-added players.
A few big data security questions come to mind for utilities to consider:
- Is there an inventory that outlines where all the data is located -- both legacy and newly created?
- How about classification? Even if one knew where the largest swaths of data resided (e.g., databases, applications, spreadsheets, emails, social media, etc.), is there a consistent method for describing it?
- Speaking of owners, many utilities haven’t assigned responsibility for managing data sets. How best to begin? Who are the right types of folks for those jobs and what are their specific responsibilities?
- And lastly, this overarching question: what is the utility's policy for data management and security?
Seems like a tall order at first, but the good news is there are information governance best practices and data security tools that can help utilities begin to manage these challenges, and some organizations that can serve as good models for programs at utilities that are just getting started. And once the data house is in order, utilities can use it to better understand their customers, reduce outages and/or restoration times, and more.
Some industry insiders will say cloud services are less secure. To which several industry security colleagues will respond: “Less secure than what? How secure are you today and how do you know? How do you measure the level of security?”
Far from a threat, cloud is an opportunity for utility chief information officers (CIOs) and chief security officers (CSOs) to take a fresh look at their applications and data assets, rethink how security, privacy and compliance activities are accomplished, and gauge whether there’s a chance to do these things better, if not, ultimately, more cheaply, as well.
For itself and its clients, IBM considers cloud security an essential security best practice, one in which all of the elements are taken into account, including hardware, virtualization, identity and access management, web application security, network security, endpoint security and data security.
In all three of these categories, the particular energy sector mandate, whether from the perspective of a utility or a supplier to utilities, is clear. As before, be conservative and be careful. In an increasingly competitive marketplace, applying the core values of reliability and safety to these new technologies will do much to promote the precious attribute utilities now care about more than ever: the trust of customers.
Andy Bochman is the energy security lead at IBM.