 energy efficiency
 Space Invaders
Protecting America’s power information systems from outside interference
by Dan Didier
These are just a few of the vulnerabilities that make the energy sector a prime target for cyber criminals. Unlike many other industries, where financial loss is the top concern, an attack on our nation's critical infrastructure would not only have an economic impact but could endanger the health and safety of workers and of residents in nearby communities. Don't assume malicious actors aren't paying attention: attacks on electrical and energy companies are on the rise.
From nation-states and politically motivated hackers to script kiddies and disgruntled employees, threats come from a whole host of adversaries, each looking to exploit the industry's weaknesses and its recent shift toward digitization. Adding fuel to the fire, the energy industry has a unique set of security requirements. This leaves many energy companies facing a tough choice: do they want to be compliant, or secure?
Unfortunately, most power organizations are so laser-focused on compliance that they lose sight of what must be done to actually improve their security program. Why? For one, this compliance-based approach predates the modern age of cybersecurity; it has been part of the energy sector for so long that it is baked into operations. As security risks keep growing, it is time for energy companies to switch from a compliance-based approach to one that uses risk to guide their security programs.
Ideally, power companies should pursue both compliance and security, with compliance as a byproduct of the security program. There is no single way of doing this, however; it depends on the risks each organization faces. Here is a closer look at how energy companies can vastly improve their security programs while maintaining compliance:
Expand Approach: An organization's security issues cannot and should not be addressed only by the compliance or IT departments, nor should security be pigeonholed into any other single department. If a security program is going to succeed in today's increasingly digitized environment, it must be elevated to a business decision that includes all departments; security threats affect the entire business, not just one department.
One problem with leaving it up to compliance is that, like every department, the compliance department has many other issues to focus on. Moreover, when security decisions are made within the bounds of existing compliance functions, the organization is prevented from making risk-based decisions; the security function is relegated to one checkbox in a long list of checkboxes that all share the same budget. Likewise, the IT department is trained to treat cybersecurity as a technology issue when, in fact, many of a company's top risks have nothing to do with technology and everything to do with people and processes.
Focus on Risk: More than half of executives within the energy industry concede that they have not fully identified the risks they could be exposed to. This is alarming on every level, because understanding an organization's unique risks is the only way a company can begin to implement a comprehensive security plan to address them. If a risk management capability is not established early on, companies will solve the wrong problems, waste valuable resources, and leave critical assets underprotected. On the other hand, identifying and prioritizing risks helps companies get far more value from their resources while reducing the risk to the business.
Have a Corrective Action Plan: Once priorities have been set using risk, companies should develop a corrective action plan that can be carried out with the company's available resources. For each top risk, the plan should clearly identify the individual (not the department) responsible for planning and executing the remediation, what it will cost the organization, and a target date for completion. Not only does the plan give senior leaders and the board visibility, it lets everyone agree on the cost and the path to resolution.