Oct 13 2021

How Utilities Should Conduct Cybersecurity Training

Attacks on utilities have surged. Here’s how to prepare employees for defense.

Training is a critical part of any IT strategy. Employees should feel comfortable and confident using digital tools in order for them to be properly adopted and for organizations to truly reap their benefits. This is particularly true when it comes to security tools, as employees can be a point of vulnerability.

Cybersecurity is a particularly crucial area of training for utilities. Several high-profile hacks have left the industry reeling, and new legislation and federal mandates have put the industry’s security front and center. It’s necessary to have the right tools, but it’s also critically important to ensure your workforce is trained to take the right measures.

McKinsey notes that there are “three characteristics that make the sector especially vulnerable to contemporary cyberthreats.” Those characteristics include an increased number of threats and actors targeting utilities, an expanding attack surface, and the sector’s “unique interdependencies between physical and cyber infrastructure, including billing fraud with wireless smart meters, the commandeering of operational technology systems to stop multiple wind turbines, and even physical destruction.”

Utilities Face Unique Cyberthreats

According to McKinsey, “The cyberthreats facing electric-power and gas companies include the typical threats that plague other industries: data theft, billing fraud, and ransomware. However, several characteristics of the energy sector heighten the risk and impact of cyberthreats against utilities.”

The first characteristic McKinsey lists is an expanding threat landscape that includes more threats from more actors. These threats include sophisticated players, such as nation-state actors. A January 2020 alert from the Department of Homeland Security warned against the threat posed by nation-states to critical infrastructure, noting that previous plots “have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”

Utilities are the targets of less sophisticated attacks as well. Ransomware continues to be a major threat. Following recent attacks, Duke Energy CEO Lynn Good told Bloomberg, “The industry understands that we are a target.”

Despite a growing awareness of the increasing need for improved cybersecurity within the energy sector, McKinsey notes that inconsistencies still exist in utilities’ ability to secure funding to invest in cybersecurity controls. “In many states, regulators lack the dedicated talent needed to review cybersecurity program budgets, which factor into a utility’s billing rates to customers,” McKinsey says. “Additionally, certain municipalities offer energy services independent of a major utility. This may alleviate customer concerns with existing energy players in the market, but many of these municipalities remain underprepared or understaffed to ensure the deployment of enough cybersecurity controls to decrease risk.”

Established Frameworks Exist to Help Combat Cyberthreats

In a CDW Tech Talk webcast in July, CDW Field Solution Architect for Information Security Tyler McChristian pointed out that IT security concerns have been heightened this year because of an uptick in highly publicized attacks in the first half of 2021.

For organizations re-examining their security strategies, McChristian said, “The first thing I always say is to be proactive. That might not necessarily be another security toolset. I would encourage organizations to take a look at their security posture from a technical or policy perspective. Starting with something like a penetration test or aligning to a security framework is really going to help you, as an organization, evaluate where you are today, where you might need to improve and what is the best path forward.”

He recommended two common frameworks for businesses to use as best practices. According to McChristian, the Center for Internet Security’s CIS Controls and the National Institute of Standards and Technology’s Cybersecurity Framework are great places for any organization to start.

In addition, the Cybersecurity and Infrastructure Security Agency has developed its own cybersecurity framework to help organizations better manage cybersecurity risk and improve cyber resilience.

MORE ENERGY AND UTILITIES SECURITY: Explore the industry benefits of IAM.

Federal Agencies Set Goals for Cybersecurity Performance

As it was instructed to do in President Biden’s July 28 memo on cybersecurity and the nation’s critical infrastructure control systems, the Department of Homeland Security has developed preliminary cross-sector control system cybersecurity performance goals as well as sector-specific goals.

As part of that process, CISA and NIST identified nine categories of recommended cybersecurity practices and used these categories as the foundation for preliminary control system cybersecurity performance goals.

In September, CISA announced it has set the following definition for its training and awareness goal: “Train personnel to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.”

Objectives for Cybersecurity Training and Awareness

The goal sets baseline objectives for training, which include ensuring that control system operators and administrators understand cybersecurity concepts, terminology, activities and the threat environment associated with implementing cybersecurity recommended practices. CISA will recognize an organization for achieving this goal if it requires regular cybersecurity awareness training for all employees and role-based training for control system operators and administrators.

Control system operators and personnel also should be able to recognize the indicators of potential compromise and know what steps to take to ensure that a cybersecurity investigation succeeds. According to CISA, this goal has been successfully implemented if the “organization has dedicated resources and funding available for control system operators to attend technical training and conferences on latest indicators of potential compromise and best practices for response.”

Organizations can prove their implementation of enhanced training objectives by demonstrating that they provide either web-based or instructor-led training on control systems security to ensure an overall understanding of their roles and responsibilities. Such training is available from several IT companies, such as Mimecast, and from organizations including the American Public Power Association.

undefined undefined/Getty Images