How to Operationalize Security Policy for Electric Grids

How to Implement Strategy for the Electric Grid

A Risk-based Approach

A risk-based approach supplies the strategies and procedures that cybersecurity staff use to manage the networks and resources that protect entities connected to the electric grid. Some cybersecurity experts describe it as estimating the frequency and magnitude of adverse events so that a company can decide, comprehensively, how to address its risks and vulnerabilities. Risk-based assessments turn theoretical security concepts into routine procedures for cybersecurity practitioners; the approach aims at concrete solutions to security issues rather than merely compiling information about cyberattacks, as other commonly used approaches do. Practitioners sometimes confuse a "threat-based" approach, which focuses on adversaries and their methods, with the fuller analysis that risk-based strategies require. The most effective risk-based approaches examine risks, threats and vulnerabilities together and produce practical measures that improve information security. The central step is identifying specific threats and vulnerabilities and estimating how likely each is to be exploited to compromise networks or gain unauthorized access to data. That estimate, combined with the potential loss or damage to networks and critical infrastructure, lets an organization decide which threats and vulnerabilities to address first. Not every threat or vulnerability requires immediate forensic examination and mitigation; in many cases the risk is low enough that upper management will decline to spend money mitigating it and will focus instead on the most pressing issues.
An effective approach also draws on professionals from several departments; many organizations assign different parts of the risk to different personnel, typically IT staff, cybersecurity staff and upper management.

Operationalization

Operationalizing security policy for the management of energy utility services is similar in design and scope to promoting security measures for other critical infrastructures and for government and private institutions. A risk-based approach for the energy sector would pursue four objectives in implementing new policy: operationalize the policy using technical and human resources across departments, determine roles and accountability for staff, gather intelligence and other significant data, and deliver a report to upper management at the conclusion of the assessment. The approach also groups its objectives into three categories: information security, vendor management, and business continuity. Implementing effective security policy in each category promotes network and information security; when cybersecurity staff succeed, energy delivery, other critical infrastructures and company assets remain as secure as possible. In a previous assignment, I created a policy entitled "Energy Sector: Information Security Policy 2020" (referred to as the "energy policy" for the remainder of this document); it contains four pillars that promote security for organizations with access to the electric grid. The procedures within these four pillars are best applied through the five components of a risk-based approach: governance, assessment, mitigation, monitoring and events. The steps of the energy policy do not map one-to-one onto these components; however, each of the four steps can be applied within at least one of the five components.

Governance

Before implementing the steps of the energy policy, cybersecurity professionals should decide who has governance over each part of the security policy. Determining governance is an important first step for any policy in the energy sector. It may involve assigning executive staff and board members responsibility for implementing particular portions of the overall energy policy. It also means giving staff specific roles that let them gather intelligence and carry out mitigation without disrupting daily business operations. Roles should be assigned before the energy policy is implemented; among the most significant are who is responsible for updating the policy, who communicates with vendors and other third parties, and who trains staff on the new security policy. This is also the right time to review staff roles and responsibilities and to ensure that everyone involved in implementing the energy policy has the appropriate access to company technical assets.

Assessment

Once governance has been established, the next step is to inventory the technologies connected to company networks, working through the protocol layers of the OSI and TCP/IP models, in order to identify where intelligence gathering, forensics and mitigation may be needed to bring compromised networks and devices back to a secure state. Based on the findings of these assessments, cybersecurity professionals can identify the most effective way to implement the first step of the energy policy: "integrate physical controls, isolate (threat agents), prevention systems, firewalls and vulnerability assessments." The assessments determine the most efficient time to switch from SCADA controls and PLCs to physical controls, and identify the devices that should be removed from the network in order to isolate threat agents. They can also target vulnerabilities and recommend the installation and maintenance of firewall rules and intrusion detection systems (IDS).

Mitigation, Monitoring

Mitigation is the process of isolating and identifying threat agents and vulnerabilities and implementing the strategies and policies that resolve them. Monitoring is the examination of existing network traffic, and of new traffic after an exploited device has been removed from or reconnected to the network. To align better with the risk-based assessment model, cybersecurity professionals may want to carry out step 3 of the energy policy during the mitigation stage: "identify forensic information and indicate a point of entry." Once that information has been collected, step 2 of the energy policy fits the monitoring stage: "implement incident response, staff notifications and monitor traffic." Monitoring traffic may take an extended period of time, but it is the strongest indicator of whether a previously compromised network has returned to normal operation or whether the threat agent still retains a foothold.
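As an added illustration of the monitoring stage described above (this is not part of the energy policy or of the original essay), the following Python script compares flows observed on a control-network segment against a baseline of expected traffic after an exploited engineering workstation has been removed. The host names, ports, baseline entries and flow-log lines are all constructed for this example. Any flow that still involves the quarantined host shows that the isolation did not take effect; any flow pair absent from the baseline is a candidate indicator that the threat agent retains a foothold.

```python
"""Baseline comparison for a control-network segment after device isolation.

Added example, not the energy policy's own tooling. Every host name, port,
baseline entry and log line below is constructed for illustration.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed baseline: the only flows expected on the control segment once
# the compromised engineering workstation (eng-ws-02) has been removed.
# Direction matters: each entry records which side opened the connection.
BASELINE = {
    ("hmi-01", "plc-01", 502, "tcp"),      # Modbus/TCP polling from the HMI
    ("hmi-01", "plc-02", 502, "tcp"),
    ("historian", "hmi-01", 443, "tcp"),   # historian pulling from the HMI
}

# Hosts that were removed from the network during mitigation.
QUARANTINED = {"eng-ws-02"}

# Constructed flow-log lines in the form "src dst dport proto".
SAMPLE_LOG = """\
# flows captured after eng-ws-02 was pulled from the switch
hmi-01 plc-01 502 tcp
hmi-01 plc-02 502 tcp
historian hmi-01 443 tcp
eng-ws-02 plc-01 502 tcp
plc-01 203.0.113.7 443 tcp
"""


def parse_flow(line):
    """Parse one constructed log line into a Flow; None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(lines, baseline=BASELINE, quarantined=QUARANTINED):
    """Sort observed flows into three buckets.

    quarantine: a removed host is still talking, so the isolation failed
    new:        a (src, dst, port, proto) tuple not in the baseline, which is a
                candidate indicator of compromise (here a PLC reaching an
                external address)
    expected:   matches the baseline
    """
    report = {"quarantine": [], "new": [], "expected": []}
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow.src in quarantined or flow.dst in quarantined:
            report["quarantine"].append(flow)
        elif tuple(flow) in baseline:
            report["expected"].append(flow)
        else:
            report["new"].append(flow)
    return report


def main():
    report = classify(SAMPLE_LOG.splitlines())
    for bucket in ("quarantine", "new", "expected"):
        for flow in report[bucket]:
            print(f"{bucket:10s} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the three buckets. In practice the baseline would be built from traffic captured during known-good operation and the log lines would come from a switch, firewall or flow-collector export, but the classification logic is the same: quarantine violations are checked first because they mean the mitigation step itself failed, and only then is the remaining traffic compared against the baseline.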

Events

In the final stage, cybersecurity professionals look for indicators of an event that affects company networks and systems. The threat agent's initial point of entry will always be one of the featured events; there may also be associated events that degrade network and system performance. Anything that affects the functionality of company assets should first pass through the mitigation and monitoring stages and then be reported to upper management. This is the appropriate time to carry out the last step of the energy policy: "remove all threat agents and submit a report to upper management."

Obstacles

Depending on the circumstances of a given cyberattack, there may be obstacles to implementing new policies. Three of the most common are poor communication with third parties that provide software as a service, the potential for disruption of daily business operations, and IT addressing security issues without the knowledge and assistance of cybersecurity staff and upper management. One of the most significant concerns staff's ability to assign governance efficiently: that step may require several hours of planning and implementation, and most executives would rather spend that time on mitigation, monitoring or coordinating team meetings to pinpoint solutions to the threat agents affecting networks and systems. When providing those solutions it may seem that there is not enough time to address the security issues properly; however, once the threat agent has been isolated, cybersecurity staff have an environment in which to execute the policy without the threat agent moving laterally through the network. Whether upper management uses in-house cybersecurity staff or contracts third-party services, defending against these attacks can cost thousands of dollars, which may or may not be feasible within the company's current budget. Management often has to conduct a cost-benefit analysis to determine whether implementing the new security policy is worth the time and money.

Availability

Operationalizing the energy policy is necessary to ensure that consumers have access to electricity with as few disruptions as possible. By implementing the new energy policy and the risk-based approach, a utility services company has the potential to make electricity available 99.999% of the time, which corresponds to roughly five minutes of downtime per year; this is an important strategic objective, since every critical infrastructure slows or halts at some point during the year. When companies develop strong policies and supplement them with an effective operationalization strategy, they move closer to their strategic objective of providing energy continuously, without digital or physical disruptions.
