The state of cyber resilience
With the threat landscape presenting new challenges every day, the EY Global Information Security Survey (GISS) investigates the most important cybersecurity issues facing power and utility (P&U) organizations.
Growth in digital and connected devices, along with the convergence of information technology (IT) and operational technology (OT) systems, has increased the significance of cyberattacks on critical infrastructure, including the power grid.
Over decades, utilities have learned to better respond to potentially catastrophic events. Commodity supply shocks, storms, natural disasters, equipment failure, terrorist attacks and the growth in cybercrime have all driven utilities to improve their approach to business resilience and risk management.
But the GISS results indicate that utilities need greater resilience in their ability to respond to and recover from cyber incidents, so that safe and reliable operations can be restored and maintained.
Cyber resilience is a subset of business resilience. It focuses on how effective utilities are in implementing three critical components: Sense, Resist and React.
Sense is the ability of utilities to leverage intelligence capabilities to identify, anticipate, and detect cyber threats and attacks proactively across their entire digital ecosystem. Security awareness should extend to both internal and external stakeholders, including vendors and third parties.
Resist mechanisms are basically the corporate shield. They look at how much risk a utility is prepared to take across its enterprise, and then establish the controls required to manage risk to that level. Compliance with regulatory standards continues to play an important role as utilities mature toward a risk-based model - the US is leading the way in defending critical infrastructure, while Europe is making important progress in privacy and data protection.
React covers the readiness of the utility to deal with disruptions, through emergency management, incident response, crisis management and forensic investigations. As the data-driven grid and the digitization of utilities evolve, resilience in cybersecurity and business continuity will be increasingly tested and relied upon.
The cyber-resilient utility
Although utilities strive to be agile and prevent the next threat from becoming a reality, the fact of the matter is that they cannot prevent all threats.
Let’s not get blindsided and complacent - cyber agility does not automatically result in cyber resilience.
Today’s emergency services: The cyber breach response program
Given the likelihood of suffering a cyber breach, utilities must develop a strong, centralized response framework as part of their overall enterprise risk management strategy.
Utilities can achieve this by developing a centralized cyber breach response program (CBRP). The CBRP enables a cost-effective response that mitigates breach impacts by integrating stakeholders and their knowledge. It helps utilities navigate the complexities of working with outside counsel, regulators and law enforcement agencies, and to manage the day-to-day operational and tactical response.
More than a traditional program management office, the CBRP can help verify that:
- An organization’s business continuity plan is appropriately implemented
- A communication and briefing plan among all internal stakeholders is developed and enforced
- All breach-related inquiries received from external and internal groups are centrally managed
A centralized cyber breach response program brings together a wide variety of stakeholders who must collaborate to resolve a breach.
Key characteristics of a cyber-resilient utility
Cyber resilience demands a comprehensive, enterprise-wide response — an in-depth understanding of the external and internal drivers of change across the business and operational landscape. Utilities have an opportunity to think outside the box — to understand their risk tolerance and to identify options for decision-making amid uncertainty that strengthen their security posture.
Understands the cyber threat
Utilities need to map and assess security controls across physical assets, digital infrastructure, and business processes to identify cyber risk and capabilities. Only 27% of survey respondents confirmed that their security function focused on the internet of things (IoT). This leaves them vulnerable to an IoT cyber incident that can potentially disrupt grid operations.
Defends the critical assets — the crown jewels
The increasingly complex risk landscape is creating potentially serious cybersecurity issues for critical infrastructure, data protection and privacy. A resilient security operating model goes beyond compliance by managing the risks that matter most and deploying valuable resources to where they are most needed.
Embraces an “all in it together” attitude
Collaborating with industry stakeholders and government agencies improves understanding of evolving threats and approaches to risk mitigation. Sharing information externally allows utilities to assess their security posture, expose any gaps, and contribute to the latest developments in policies, standards and leading practice.
Establishes a risk-enabled culture with exceptional leadership
Clear communication, direction and example-setting from leadership are essential for raising awareness of, and focus on, security to the same level of priority as health and safety. All utility employees, contractors and suppliers need to have a stake in protecting the company, and everyone is a risk manager, from the CEO down.
Adopts an integrated, agile approach to managing risk
Confusion over roles and responsibilities may be contributing to a less effective risk environment. Integration, alignment and coordination of activities offer an opportunity for greater effectiveness and efficiency in the use of enterprise-wide resources.
Provides effective governance and oversight
A three lines of defense operating model supports an objective second line focused on providing security governance and oversight of the performance and execution of security controls by the first-line operations and business units. This includes a comprehensive mapping of key cyber risks to organizational roles and responsibilities.
Cyber resilience is about knowing how to respond effectively to the impact of a breach when — not if — it occurs, and how to minimize the damage.
EY’s Global Information Security Survey (GISS) investigates the most important cybersecurity issues facing organizations today. It covers over 20 industry sectors and captures the responses of 1,735 participants around the globe, including 81 from the power and utilities (P&U) sector. We base our findings on those insights and our extensive global experience of working with P&U clients to help them improve their cybersecurity programs.