Utilities should operate on the basis that it will only be a matter of time before they suffer an attack that successfully breaches their defenses. However, the GISS suggests different levels of readiness among organizations. Having a cyber breach response plan (CBRP) that automatically kicks in when the problem is identified represents an organization’s best chance of minimizing the impact. There are key strategic questions for utilities to consider:
Cybersecurity — how will you ensure you can withstand attacks, isolate and assess the damage done, and shore up defenses to prevent similar breaches in the future?
Operating model optimization — what is the right balance between managing risks in house and outsourcing or co-sourcing?
Business continuity planning — how will you continue to operate as normal while remedying the attack?
Compliance — what are your duties in reporting the breach to the appropriate authorities, and how will these be discharged?
Public relations and communications — how will you communicate clearly and effectively with all potential stakeholders, including employees, customers, suppliers and investors, both directly and via the media and social media where there is public interest in the breach?
Litigation — how will you assess what potential litigation the attack leaves you vulnerable to, or even whether you have any recourse to legal action itself? How will you forensically record and maintain evidence for use by law enforcement agencies?
Insurance — do you have cyber insurance, and is the incident covered? If so, what can be claimed?
Maximizing investment — have you built rate cases or responded to performance-based incentives that would recover cyber investments and withstand regulatory scrutiny?
Digital investment — what do you see as the biggest benefits of investing in secure digital platforms and new ways of interacting with a growing, empowered customer base?
Collaboration — what are your competitors seeing as their greatest cyber threats? Are you stronger working as a community to counter threats than working alone?
Cybersecurity as everyone’s business
Understanding the threat landscape — detecting the potential risks on the horizon — is the groundwork of good cybersecurity. It allows utilities to limit the time they spend outside normality, to understand when and why they have moved into stress, and to pre-empt the development of a full-on crisis.
Fighting back — protecting the enterprise from cyber risk — builds on this groundwork. It gives utilities the skills and confidence to deal with stress and crisis more effectively, with tools and processes that provide a framework for responding to attackers.
Having a robust response plan is the final piece. Utilities capable of employing a well-thought-out and tested CBRP, in which everyone understands their responsibilities, will de-escalate the crisis much more quickly.
By pulling these strands of cybersecurity together, utilities can respond in a more agile and resilient way, even in the face of the significant and increasing risk posed by diverse and often sophisticated cyber attackers. The tools and technologies required to meet these threats are already available. In fact, many utilities have already developed innovative policies and processes for using them to best effect. This leading practice now needs to become the industry standard.