Managing crises when they hit is something that all utility companies have to deal with. Adverse weather, natural disaster or vandalism etc. can all wreak havoc.
How a power company or utility responds and recovers is critical to their business continuity and reputation management.
However, as utilities – like other companies across industries – look to adopt leading digital technologies such as cloud, mobility, data analysis, Internet of Things (IoT) and artificial intelligence (AI), threats to business continuity have become compounded by cyberattacks and cybercriminal acts.
From people, assets and data, security is a top priority for utilities and an increasing challenge with the growing risks. The risks remain rife as many boards still struggle to set the challenge in a business context, demystify the complexities and, move beyond the jargon, to understand the real risks of IT security in the digital and ‘totally connected’ world. And, utilities need to have a game plan.
Integrated security strategy
In this digital era, with global and dispersed offices, and mobile workers, all connecting to the business networks – security can no longer only focus on protecting physical and virtual assets within the confines of the brick and mortar office or onsite. Rather, a comprehensive security strategy needs to reflect the interdependence of physical and virtual security – and the importance of this.
Typically, one department or outsourced contractor will provide services to shield the IT systems, and another will guard physical assets. However, in today’s increasingly connected world, the physical and virtual assets are interdependent – making a co-ordinated security approach ever more important, bringing information technology (IT) security together under one management umbrella.
The best practice is to have an integrated security model that unites IT and physical security for ultimate assurance. By having a single view of cyber and physical security operations, physical security can be handled through field-based IT staff, a central control centre and an access control team, while cyber defence operations act as the front-line against IT threats using a security operations centre, a computer emergency response team and a unit dealing with abuse over the network. Meanwhile, specialist cyber operations can act as a nerve centre for proactive network defence, monitoring incoming threats and devising strategies to stop information assets from being compromised.
Securing every endpoint
Once an integrated security strategy is in place, the utility should have a better understanding of both the potential imminent threats – as well as any threats the it may only be faced with in a few years’ time. Attention should then be turned to protecting each layer of the network and every endpoint.
In the past, it was simple to protect the business networks and devices within the work space. However, when mapping out a security strategy today, the first thing utilities need to understand is that the scope of security needs to stretch to cover a far wider range of devices and access points. In fact, for any business offering cloud and IoT-based or driven services to customers – and with the proliferation of devices – this has not only added layers of complexity to protecting the business network, but has also made endpoint security more critical than ever.
A proactive approach to endpoint security would include the network, applications, critical data and identity security, where the utility can then build this out across all their endpoints and business sites. For an endpoint driven security strategy to be truly effective the following needs to be top-of-mind:
• Endpoint security must be fully integrated into an overall cloud computing/security strategy.
• There must be a known common security goal for the business. This reduces the potential risk of dislocation in security processes, which can also create unnecessary vulnerabilities.
• The security strategy must ‘bring together’ the beginning, middle and endpoint under a single, central endpoint-protection infrastructure and policy-enforcement mechanism that does not hamper users, or impact the performance of their machines.
Security is about trust and transparency. Utilities who fail to develop a clear idea of the risks and the strategies that are required to protect employees and business assets, will not survive long in this new digital age.
Investing in the latest technology alone, however, shouldn’t be the first priority – as this is only as effective as putting up fences. As people and things become increasingly connected, the need for streamlined, centralised and intuitive security measures is only intensifying. Utilities should therefore begin by undertaking a full SWOT analysis of their current controls and best practices – and take time to understand how these will stand up against threats they are actually seeing.
It is only by understanding and identifying the potential gaps that the controls can be refined to plug these. And then, with embracing the capabilities that new and innovative technologies – including cloud computing and IoT – boast, a utility will be well placed to build more effective prevention capabilities across their business network and exploding number of endpoints. And, able to maintain a sustainable risk position against the evolving threat landscape in the digital world.