Oct 16 2024
Security

Security, Governance and IAM Are a Strategic Imperative for E&U Companies

To securely manage all of their data, organizations must have this trio in place.

Energy and utility companies have an immense amount of data they must securely manage to optimize grid operations. However, volumes of data can also bring significant challenges in terms of protecting sensitive information and staying compliant with regulations.

To securely manage all of their data, E&U companies must prioritize three key areas: security, governance and IAM controls. Together, these form a robust framework that puts IT leaders in a better position to secure their critical infrastructure.


1. Security: Safeguarding Critical Infrastructure

Across the U.S., the utilities and power infrastructure is increasingly vulnerable to cyberattacks, with the average attack rate surging to 70% in 2024. “Utilities are low-hanging fruit for cyberattacks because many of them use outdated software,” writes Douglas McKee, executive director of threat research for SonicWall, in Reuters.

That’s why it’s essential that IT leaders invest in safeguarding their critical infrastructure. Organizations can follow a set of cybersecurity baselines issued by the U.S. Department of Energy, Office of Cybersecurity, Energy Security and Emergency Response (CESER) in February 2024.

The baselines include asset inventory, tightening IT and operational technology security, mitigating known vulnerabilities, running third-party validation of cybersecurity controls, supply chain incident reporting, strengthening vendor and supplier cybersecurity requirements, and changing default passwords. The hope is that these guidelines will fortify future defenses and help organizations detect any nation-state threat actors lying dormant in U.S. critical infrastructure.

Additionally, the North American Electric Reliability Corp. Critical Infrastructure Protection standards require companies to follow set security management controls, electronic security perimeters, systems security management, incident reporting processes, vulnerability assessments and more.

 

2. Governance: Providing Data Integrity and Compliance

Once your security measures are in place, effective data governance is the next step. Without data governance, energy and utility companies cannot be sure that the data they are using is high quality and trustworthy.

“Ultimately, the goal of governance is knowing where data comes from, what it is, who can access it and when it should be retired,” notes IBM.  

“A strong data governance foundation helps activate business-ready data by helping to increase transparency, trust, and understanding of data and how to use it (aka literacy), to accelerate time to insights, while allowing sensitive data to remain hidden unless appropriate,” according to the IBM whitepaper.

To achieve quality data, an individual or team should be tasked with owning it, including how it is collected, validated, stored, shared and disposed of, with practices standardized across the organization.

With quality data, E&U companies can simplify their data analysis, compliance and reporting measures immensely, says Stewart Bond, vice president of IDC’s data integration and intelligence software service, in a recent BizTech article.


3. IAM Controls: Enhancing Operational Efficiency and Accountability

The third component is to deploy a set of identity and access management controls so only authorized individuals have access to sensitive data. IAM also provides a clearer sense of accountability for individuals with privileged access who are continually monitoring for abnormal activity and flagging potential threats, writes Sharon Chand, a principal at Deloitte Risk & Financial Advisory and the cyber risk secure supply chain leader for the firm’s Cyber Risk Services practice.

Once IAM is in place, organizations can start to move toward a zero-trust model, which can bridge any gaps in IT and OT security systems, according to the National Institute of Standards and Technology.


According to NIST’s National Cybersecurity Center of Excellence, there are several ways to incorporate IAM into critical infrastructure, including:

  • User authentication and authorization services based on identity and assigned roles
  • Device authentication and authorization services to verify and control access for connected equipment
  • Identity and access governance tools that convert human-readable access requests into machine-readable authorizations
  • Industrial control system components, such as remote terminal units, programmable logic controllers and relays
  • Physical access control devices that integrate standard communication interfaces
  • Communication devices that enhance OT security by adding capabilities for authentication, authorization, access control, encryption and logging.

“Previously, there was a lot of focus on making the perimeter of a company very difficult to get into. That protected the organization’s soft center. Now, that perimeter is gone because a company is connected to its cloud provider, the grid system and other ecosystem partners across the company’s footprint. We need to extend cyber controls out to the endpoints where zero trust has a strong role to play,” says Chand.
