Cyber and OT Security Consulting for Public Utilities

Protect confidential customer and billing data; safeguard corporate and employee data; and secure OMS, SCADA, and substations with Utility Security Consulting from Acumen.

Acumen delivers cyber and physical security consulting services to all levels of the organization, developing policies and procedures and providing technical skills that may not exist on staff. Acumen also provides protection for smart metering, telecommunications, monitoring systems, and physical protection systems.

Acumen provides cybersecurity services as part of the Hometown Connections Cybersecurity Program.

Cyber and physical security consulting for utilities (electric, water, gas) leaning on best practices and meeting appropriate industry standards

  • Cyber protection based on established security frameworks and authoritative sources
  • Cost-effective identification of vulnerability and risk analysis
  • Demonstration of due diligence to identify initial security posture
  • Utility staff time commitment in approximately one day
  • Identification of the cybersecurity maturity level of the utility
  • Recommendations for improving the security posture and maturity level for the utility, based on the results of the cybersecurity check-up

  • Avoid a potential disruption in service
  • Loss of reputation
  • Negative financial impacts
  • Dangerous physical conditions for staff and customers

When it comes to cybersecurity, many people don’t know what the right thing is. We needed policies to help set expectations and provide accountability. We also wanted to improve our cybersecurity governance, so we could be more strategic with available resources. We hired Acumen to do a risk assessment for Utilities and use the NIST cybersecurity framework to do a gap analysis to see where we were and what our opportunities for improvement were. Then Acumen helped us develop a roadmap for maturation.

— Jen Barna, cybersecurity analyst for Fort Collins Utilities

Organizations must be pragmatic and choose the right level of security that balances acceptable risk (tolerance), budget, and other factors. Although risk cannot be eliminated, it can be mitigated. Firewalls, malicious code protection, etc.—a fortified defense is only part of the mix. A 360° perspective on cybersecurity also includes strategies and policies, along with solid plans for risk management and disaster recovery.

Alert

As the recent reports on the SolarWinds breach make clear, supply chain/third-party breaches are the most significant cyber risk you face. Acumen has developed a robust Supply Chain/Third Party Cybersecurity Management Program based on authoritative standards.

The Cybersecurity Check Up service from Acumen consists of three components:

  1. Cybersecurity Program Survey
    A customized survey-style assessment to be completed with the utility.
  2. Policies, Standards & Procedures Review
    Review of a representative set of existing cybersecurity-related polices, standards, and procedures based on the survey results.
  3. Remote Testing
    Remote testing of high-risk web applications.

Designed for utilities requiring a starting point for a cybersecurity program or a quick health check of an existing cybersecurity program, Acumen bases the remote Cybersecurity Check-Up survey components on the ten (10) domains described in the Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model:

  1. Asset change and configuration management
  2. Risk management
  3. Cybersecurity program management
  4. Identity and access management
  5. Supply chain and external dependencies management
  6. Workforce management
  7. Threat and vulnerability management
  8. Situational awareness
  9. Event and incident responses: continuity of operations
  10. Information sharing and communications

Acumen’s deliverables for the Check-Up service include:

  • Dashboard view of utility’s cybersecurity posture
  • Scan results
  • High-level recommendations

Based on the results of the Cybersecurity Check Up, the utility can tap into any of the following additional services to build/augment their cybersecurity program:

  • Training for the board/executive team and IT/OT technical staff
  • Develop or validate Core Policies, Procedures, and Governance:
    • Templates for a “fill in the blanks” approach to setting policies, procedures
    • Roles and Responsibilities matrix (RACI)
  • Cyber Vulnerability Assessments (CVA)
  • Risk Assessments
  • Penetration Tests
  • Cybersecurity Program Development

The utility’s risk management program must incorporate the physical security of its facilities. Acumen’s Physical Security Assessment examines the overall physical security of buildings, specific equipment within the building facilities, and locations while factoring in key business objectives. Acumen evaluates all the physical security controls, such as:

  • Visitor entry and verification procedures
  • Access control systems (including badges)
  • Security guards and guard rotation
  • Data center and control center specific controls
  • Document destruction
  • CCTV or other surveillance cameras
  • Alarms
  • Life safety systems
  • Exterior & interior lighting for security & safety purposes
  • Landscaping for crime prevention
  • Crisis management & business continuity programs

Workplace violence protection and training

Acumen supports the integration and communications that marry IT and OT with technology strategy and planning, architecture design, communications network planning, system installations and configuration, system integration and commissioning, data management and historians, SCADA/GIS/OMS Services, on-going sustainment and support, and custom software development.

Download this catalog which describes the cybersecurity training services from Acumen. For more information, send an email to info@hometownconnections.com.

  • Your Utility Is Required By Law To Establish An Identity Theft Prevention Program

    Federal and many state regulations require electric, water, wastewater, and gas utilities to establish an identity theft prevention program. Utilities must have policies and procedures in place to detect, prevent, and mitigate the theft of personal customer information. What does this mean for your community-owned utility? You must evaluate and address all of the ways…

    Learn More: Your Utility Is Required By Law To Establish An Identity Theft Prevention Program
  • Cybersecurity After COVID-19: 10 Ways To Protect Your Utility & Refocus On Resilience

    In the wake of the COVID-19 pandemic and the resultant implementation of social distancing directives, altered business processes, and new economic realities, community-owned utilities must review and address their technology infrastructure and cybersecurity measures.

    Learn More: Cybersecurity After COVID-19: 10 Ways To Protect Your Utility & Refocus On Resilience
  • 3 Best Practices To Prepare For A Ransomware Attack

    Cyber-attacks remain a top business risk for all utilities and municipalities, increasing in frequency, severity, and sophistication. At the top of the cyber-attack list? Ransomware.  The recent attack on the Colonial Pipeline is focusing heavy attention on the threat of ransomware on U.S. energy infrastructure. The bottom line: planning is everything. Learn the three best…

    Learn More: 3 Best Practices To Prepare For A Ransomware Attack

Contact Us

Let’s Talk About Your Utility

Whether you’re planning a major initiative or just exploring options, our team is here to help. Reach out and we’ll connect you with the right consultant.

651 Commerce Drive Roseville, CA 95678