Developing Cybersecurity Policies for Electric Grids

Electric Grids are one of the Most Important Critical Infrastructures

Creating Policies as an Ongoing Process

After developing an information security policy and an operationalization strategy for the management and maintenance of the networks and systems that support the ongoing operations of the energy sector, it remains vital for cybersecurity staff to determine security policies and methods for updating them frequently. This process involves determining ways to examine how well policies are working in specific departments and to assert any target metrics. These services represent the culmination of all strategies used to create security policy up to this point, and identify ways in which staff at all levels make an appropriate contribution to the overall security and effective operations of the electric grid as a critical infrastructure. Continuously evolving security policy has many benefits and, in some cases, drawbacks regarding time, budget and lack of resources. Overall, these practices should affirm the methods used for operationalization, be considered an important part of policy development, and assist the organization in reaching its strategic operations: in the case of the energy sector, giving consumers access to electricity with as few disruptions as possible annually, or meeting any other metric the company may use to evaluate the functionality of its policies.

Electric Grids as Critical Infrastructures

Security policy makers should understand the importance of developing and implementing measures for the energy sector, as this critical infrastructure remains a vital component of everyday use and bolsters the American economy by providing energy to all forms of businesses throughout the country. When examining the United States’ use of critical infrastructures through the interdependency model, cybersecurity professionals can see the magnitude of what could take place should the energy sector become compromised: it would have a direct effect on the networks and systems that operate other critical infrastructures, and it could take down transportation, financial, defense and other crucial components and services within the United States. When technical components are working properly and there is no human error, this interdependency becomes a great strength for the United States, as each sector will do its best to function in ways that help the others’ operationalization. On the other hand, ineffective security policies and human error could make it easier for hackers to use cyberattacks as an act of cybercrime, or for a state or non-state actor to launch malicious cyberattacks as an act of cyberwar. Phishing is one of the most frequently used strategies for trying to gain unauthorized access to energy sector networks; the majority of previous attacks have occurred through an employee clicking on a malicious link in company e-mail, which causes the installation of malware and other threat agents. Because phishing is one of the most frequently used methods of gaining unauthorized access to critical infrastructures, an effective part of a strategy to constantly evolve security strategy would be to create a metric that identifies the number of times employees click on these malicious links, as well as what happens to networks and systems when they do so.
Other important metrics would measure the effects of energy loss, damages caused by natural disasters, human error and other areas, to determine where it is best to apply the company’s cybersecurity resources. Protecting networks for the energy sector has its individual challenges, but also commonalities with the policies necessary to protect other critical infrastructures, businesses and governments. Information security remains one of the most important factors when maintaining and evolving security policies. It would be sound strategy to create metrics that measure the effectiveness of information security, data loss and the number of data breaches (including those occurring by human error), as well as to ensure that the company is using the latest software and hardware for protecting the energy sector: anti-virus and anti-malware programs, secure networks, intrusion detection and prevention systems, firewalls and other systems that promote security policy. This can sometimes present a challenge when upper management does not have the budget to install all of the technologies or implement each component of a security policy. In that case, they would need to work with their cybersecurity professionals to determine which changes are most critical, provide a solution for those, and hopefully address the other components at a later time.

Corporations and Governments

Developing ongoing security policies for the energy sector will differ from organization to organization; one from the private sector may choose operationalization factors using certain strategies, while government entities may use their various departments to assist in the process of updating security policy. Even though budgets will always remain a factor for both public and private entities, there are particular areas of concentration that many cybersecurity professionals would consider best practices and that could promote security efforts. Upper management and cybersecurity professionals should collaborate on the decision to identify the most crucial information that needs to be protected regarding the energy sector. The types of information that are present in all organizations are a significant factor as well (passwords, confidential files, stored data, communication found on the company’s public drives), but any energy-sector-specific information regarding the management of security controls (SCADA, PLCs and other systems) should also be a high priority for the developers of security policy. Providing ongoing development and staff training regarding the protection of this information would most likely be the first step in the process of updating security policies. Promoting information security is something that must take place at some level regardless of the types of budgets that may be available; even providing security in this area with only a few measures and staff training would be better than not providing a solution at all. A solid next step in the process would be to match the components of the company’s strategic objectives with its plans for evolving security policy.
Taking a look at the current metrics regarding the company’s effectiveness in providing energy resources will give cybersecurity professionals the ability to do a comparative analysis between the current metrics and the ones from years prior. The discovery of this information is crucial because it provides cyber staff and upper management with valuable data that can be used when deciding where to allocate the budget and other resources. This information will also let the company know if it needs to install new technology, develop security patches using software engineering or other components, or bring on staff and work with third parties that can help the company modernize its security policies with their specific certifications and experience. The following procedures are also important to carry out no matter what is available in the budget: developing a disaster recovery strategy and training staff on it, restricting access to websites and personal e-mail that could potentially carry threat agents, and developing procedures for backing up all data in case systems are compromised with wiper malware or other similar threat agents. For companies with a substantial budget, the following measures will help them continuously improve upon their security policies: incorporate network segregation in order to make it more difficult for threat agents to move through networks, implement new systems and security settings, invest time in monitoring network traffic during particular time frames where threat agents are likely to appear, use multi-factor authentication and other techniques that promote security, and invest in new levels of encryption. The social engineering factors should always be present when evolving security policies: encourage staff to avoid downloading suspicious files and links, report malicious traffic, refrain from using personal accounts (e-mail, social media, etc.), and never divulge company credentials to unauthorized individuals.

Investments

While the operationalization of upgrading policy remains vital, the biggest potential setbacks to the evolution of security policies concern the need for upper management to invest time, money and resources. It is counterintuitive to observe the amount of time that cybersecurity staff may have to update policies when they may be working in a time-sensitive setting; perhaps they discover a live threat agent on the networks while they are conducting their assessments to gather information for the new policies. In many circumstances it may seem as though there is never enough time to develop and implement everything in a time-efficient manner. Money and resources are also very important, but cybersecurity professionals can scale down their initial plans to ones that more accurately fit the company’s budget. However, the energy sector and all other critical infrastructures should be managed by public and private entities that have substantial budgets, in order to increase the availability of resources and prevent the loss of lives.
