Utilities are the targets of less sophisticated attacks as well. Ransomware continues to be a major threat. Following recent attacks, Duke Energy CEO Lynn Good told Bloomberg, “The industry understands that we are a target.”
Despite a growing awareness of the increasing need for improved cybersecurity within the energy sector, McKinsey notes that inconsistencies still exist in utilities’ ability to secure funding to invest in cybersecurity controls. “In many states, regulators lack the dedicated talent needed to review cybersecurity program budgets, which factor into a utility’s billing rates to customers,” McKinsey says. “Additionally, certain municipalities offer energy services independent of a major utility. This may alleviate customer concerns with existing energy players in the market, but many of these municipalities remain underprepared or understaffed to ensure the deployment of enough cybersecurity controls to decrease risk.”
Established Frameworks Exist to Help Combat Cyberthreats
In a CDW Tech Talk webcast in July, CDW Field Solution Architect for Information Security Tyler McChristian pointed out that IT security concerns have been heightened this year because of an uptick in highly publicized attacks in the first half of 2021.
For organizations re-examining their security strategies, McChristian said, “The first thing I always say is to be proactive. That might not necessarily be another security toolset. I would encourage organizations to take a look at their security posture from a technical or policy perspective. Starting with something like a penetration test or aligning to a security framework is really going to help you, as an organization, evaluate where you are today, where you might need to improve and what is the best path forward.”
He recommended two common frameworks for businesses to use as best practices. According to McChristian, the Center for Internet Security’s CIS Controls and the National Institute of Standards and Technology’s Cybersecurity Framework are great places for any organization to start.
In addition, the Cybersecurity and Infrastructure Security Agency has developed its own cybersecurity framework to help organizations better manage cybersecurity risk and improve cyber resilience.
Federal Agencies Set Goals for Cybersecurity Performance
As it was instructed to do in President Biden’s July 28 memo on cybersecurity and the nation’s critical infrastructure control systems, the Department of Homeland Security has developed preliminary cross-sector control system cybersecurity performance goals as well as sector-specific goals.
As part of that process, CISA and NIST identified nine categories of recommended cybersecurity practices and used these categories as the foundation for preliminary control system cybersecurity performance goals.
In September, CISA announced it has set the following definition for its training and awareness goal: “Train personnel to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.”
Objectives for Cybersecurity Training and Awareness
The goal sets baseline objectives for training, which include ensuring that control system operators and administrators understand cybersecurity concepts, terminology, activities and the threat environment associated with implementing cybersecurity recommended practices. CISA will recognize an organization for achieving this goal if it requires regular cybersecurity awareness training for all employees and role-based training for control system operators and administrators.
Control system operators and personnel also should be able to recognize the indicators of potential compromise and know what steps to take to ensure that a cybersecurity investigation succeeds. According to CISA, this goal has been successfully implemented if the “organization has dedicated resources and funding available for control system operators to attend technical training and conferences on latest indicators of potential compromise and best practices for response.”
Organizations can prove their implementation of enhanced training objectives by demonstrating that they provide either web-based or instructor-led training on control systems security, so that personnel have an overall understanding of their roles and responsibilities. This training is available from several IT companies, such as Mimecast, and from organizations including the American Public Power Association.