You don’t need to be an expert in IT or have a huge consulting budget to champion your utility’s cybersecurity program. First and foremost, you must recognize that every city employee, utility employee, and governing official plays a key role in maintaining a cyber defense that protects business operations.
Yes, You Can!
You can take charge of coordinating, educating, and motivating personnel, emphasizing that policies and procedures are as important as equipment or software improvements. Then, when you follow the Cybersecurity Action Plan for community-owned utilities and city governments, you will establish a solid and affordable cybersecurity strategy with accountability among utility employees, board members, vendors, and customers.
Cyber Threat is Real and Growing
Today’s cyber threat is multifaceted and ever evolving. All utilities and municipalities must defend against criminals who steal information and extort payment for financial gain, as well as nation-states or terrorist groups seeking to sabotage the information systems that operate critical infrastructure. Increasingly, community-owned utilities and city governments are targets of ransomware and other cyber-attacks.
Ransomware attacks are the tip of the iceberg. Cyber criminals are leveraging the COVID-19 emergency by sending out “phishing” attacks that lure your employees into clicking malicious links or files, and by taking advantage of teleworkers on insecure home Wi-Fi networks. Disgruntled former employees and other bad actors have accessed outage management, 911, text messaging, and other services to send fraudulent messages to customers. Insurance providers are looking more closely at the controls and recovery systems utilities have in place, to make sure they can restore services in a reasonable amount of time.
To avoid the operational, financial, and reputational harm of a debilitating cyber-attack, you must elevate your cyber defenses. But you don’t need to start from scratch or invest enormous sums of money. There are national resources to tap for guidance, including a proven Cybersecurity Action Plan to walk you through the steps.
Step 1. Assemble the Troops
The first step in building your cybersecurity program is to create a committee of the key cyber risk stakeholders from the various business units in your organization. The primary members of your cybersecurity committee should represent no fewer than five main pockets of personnel:
- IT or network information security
- Operational technology (OT) security
- Risk management/insurance
- Compliance or privacy
- Executive sponsor from the C suite:
  - Often the general counsel or chief financial officer; someone of very senior rank who must own the issue and drive the cultural change.
  - Even if the general counsel or CFO takes charge of the cybersecurity effort, the utility general manager or the city manager must maintain overall accountability for the cyber program, so that governance is effective and roles/responsibilities remain clear.
Who and how many people serve on the cybersecurity committee depends on the size of the utility or municipality.
It’s imperative to understand the roles and goals of the various stakeholders serving on the cybersecurity committee. The risk manager who purchases insurance must identify and quantify cyber risk and manage its mitigation as it bears on the insurance policy. This requires interaction with and support from all of the business operations of the organization. Finance officers strive to maximize the return on investment in technology and insurance expenditures. The CFO must understand the economic impact of cyber risk mitigation because he or she “cuts the checks” for technology investments, fees for network security professionals, and insurance policies.
Your legal department is also critical to the cybersecurity effort. Currently, utilities and city governments are contending with a patchwork of privacy and cybersecurity regulations from NERC, FERC, and the states. In states like California, there are new regulations governing the collection and use of customer data. In addition to ensuring regulatory compliance, the legal department must address contract liability issues when dealing with third-party vendors. Many organizations sign third-party vendor contracts for convenience without addressing liability. Is that company handling our information in the cloud securely? Do they have a backup plan if their data center is compromised? What legal responsibilities does our utility have if the cloud provider goes down? What customer information do they receive? These are only a few of the cyber issues your legal team and leadership team must address.
If the members of your governing board or city council haven’t come to you yet about cybersecurity, they will before the end of the year. They are following the ransomware news stories and will ask what the city or utility is doing about cyber risk. While you may not choose to assign a governing board official to the cybersecurity committee, it’s imperative that the board has visibility into the work of the committee and receives regular updates.
Of course, information security personnel must participate in the cybersecurity committee. For utilities, operational technology (metering, SCADA, GIS, outage management, etc.) can have different requirements than IT security. Therefore, it’s vital to include on the cybersecurity committee representatives with expertise in both IT and OT architecture to ensure the organization’s resilience.
Build a Cross-Functional Team
Cyber-attacks threaten every segment of business operations, from customer service to third-party vendors. Therefore, in addition to the key stakeholders from senior management, risk management, and information security, the cybersecurity committee should become a cross-functional team with representatives from every department. This helps establish security awareness and a security culture across the organization.
Step 2. Assess Your Cybersecurity Maturity
After assembling the troops, your next step is to determine the current state of your cyber defenses. The Cybersecurity Scorecard from the American Public Power Association is the perfect place to start.
The Public Power Cybersecurity Scorecard is an online self-assessment tool for community-owned utilities to assess cyber risk, plan improvements, prioritize investments, and benchmark their security posture. Based on the DOE Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2), the scorecard gives utilities a starting point for addressing cyber risk. Utilities begin by completing a simple self-assessment of their cybersecurity program; from there, the scorecard provides guidance, reports, and tools to help improve their cybersecurity.
There are additional industry resources available to you. For example, Hometown Connections, Inc., the non-profit organization dedicated to supporting community-owned utilities, provides a low-cost Cybersecurity Assessment to identify the organization’s cyber vulnerabilities and design a detailed cyber defense program based on industry standards and best practices. AESI-US, Inc., a consulting services partner of Hometown Connections, provides the Cybersecurity Check Up service, which includes a customized cybersecurity program survey; a comprehensive review of policies, standards, and procedures; and remote testing of high-risk applications.
Whether or not your organization is required to comply with federal cybersecurity standards, you should use them as a starting point. The National Institute of Standards and Technology (NIST) Cybersecurity Framework organizes an organization’s cybersecurity activities into core functions (Identify, Protect, Detect, Respond, and Recover) and maps each to informative references such as NIST SP 800-53 controls, giving you a common language for assessing risk posture and information protection. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards are mandatory requirements designed to secure the assets required for operating North America’s bulk electric system. Registered owners and operators of bulk electric system assets must comply with the NERC CIP standards or face substantial fines for non-compliance; many distribution-only community-owned utilities fall outside NERC CIP’s scope, but the standards remain a useful reference for securing OT assets.
Step 3. Manage Third Parties
Utilities are particularly dependent on third-party suppliers and vendors. Often, cybersecurity controls are not extended adequately into the vendors’ data handling or into the hardware and software they supply. When negotiating contracts, follow these guidelines:
- Incorporate cybersecurity requirements into your RFPs as contractual commitments
- Treat third parties as “untrusted”: grant only the specific access each one needs, and control it explicitly
- Request that the third party sign your cybersecurity policy, or ensure they can comply with the security standards outlined in the contract
- Ensure that proper breach notification, response, and recovery processes are in place
- Request regular cybersecurity reporting from the third party
- Request the right to audit the vendor’s cybersecurity procedures and/or premises
Step 4. Build a Roadmap with Task Owners & Budget
As you design your cybersecurity program, remember the three legs of the cyber stool: people, process, and technology. Your roadmap must spell out who performs which tasks and when, how oversight and governance will work, and how you will communicate about the organization’s cybersecurity efforts. The roadmap must make clear that cybersecurity is a never-ending journey for the entire staff and governing board.
Budgets—How Much is Enough?
When designing a cybersecurity program, many officials are hindered by the prospect of establishing a realistic budget. Today, there are benchmarks from major organizations that can provide broad budgetary guidelines for utilities and city governments:
- Cybersecurity-mature operators such as banks and telephone companies typically budget 15-20% of the budget of any IT system/project (operating expenditures + capital expenditures) for cybersecurity.
- Most of the utility industry is currently spending less than 3% of its total budget on IT security and less than 1% on OT security.
- For utilities today, 10% of the total budget for critical systems and 5% for other systems is often appropriate.
- Given the increasing cyber risk facing utilities, budgets are expected to increase.
Consider Enhancing Risk Mitigation by Buying Cyber Insurance
Statistics show that the most likely insurance claim against your organization within the next 12 months will involve a cyber-crime. Such a claim is more likely than an automobile or workers’ compensation liability claim. Cybersecurity insurance policies fill the gap left by traditional business insurance policies by covering the liabilities and costs of a cyber event that affects the confidentiality, integrity, or availability of data or technology. The key to analyzing a cyber insurance purchase is knowing how to quantify risk.
Marsh Wortham, the insurance partner of Hometown Connections, has developed a proprietary loss estimate calculator exclusively for members of the American Public Power Association. Given a utility’s revenue and number of customers, Marsh Wortham’s predictive model estimates the cost of both a data breach (including ransomware) and the business interruption loss following a cyber-attack.
In addition, Marsh Wortham offers community-owned utilities risk assurance options for breaches of customer and employee data and protection against risks not covered by property & casualty policies or by tort immunity statutes for municipal entities.
By understanding the basic cyber threats and calculating the potential for financial loss, community-owned utilities and municipalities can make an informed decision about cyber risk insurance purchasing. More often than not, the best strategy for cybersecurity is to combine a balance of spending on technology, professional services, and insurance.
Ready, Set, Go
Now you know the basic parameters of launching an effective cybersecurity program:
- Cybersecurity is a risk management issue, not an IT issue.
- Ongoing attention and support by the executive team, management team, and governing board is crucial to the effort.
- The cybersecurity committee must include representatives from all business operations.
- Cybersecurity is a continuous process, not one and done.
- Tools, frameworks, and standards are available from the American Public Power Association and professional services firms.
- Consider investments in technology upgrades, personnel/consultants, and privacy/liability insurance as the likely best course of action.
Remember, you don’t need IT certifications and coding skills to manage a cybersecurity effort. The program requires a commitment to protecting the business operations of your organization using good project management across the enterprise. You can do it. Get started today.
For More Information
Vice President, Client Services
Hometown Connections, Inc.
Mark McKinney, MSIM, CISSP, CISA, CFE, CCFE
Director, Cyber Security Practice Area, AESI-US, Inc.
770-870-1630, ext. 279
Doug Westlund, P.Eng., MBA
Senior Vice President and Principal Consultant, AESI-US, Inc.
770-870-1630, ext. 278
Senior Vice President, FINPRO
Cyber Practice Zone Leader
Marsh Wortham, a division of Marsh USA, Inc.
Senior Vice President, FINPRO Energy & Power
Marsh JLT Specialty