Cyber guardians of the grid
Cyber risks are increasingly on the radar.
Critical infrastructure comes under attack. Hackers gain access to sensitive data. A break-in at a facility results in sabotage and widespread damage. The system crashes, and a significant portion of the electric grid is compromised, leaving millions of people and businesses without power for days…
Such disaster scenarios, worthy of a movie plot, are all too real as potential risks today, as evidenced by recent headlines of hacks, data breaches, and damage inflicted—from a major hack of a South Korean nuclear power plant to the constant barrage of smaller-scale attacks against the US power grid, including malicious online probes of potential vulnerabilities in control and other systems. For utility companies with critical infrastructure that is closely linked to national security, identifying risks and assessing probabilities of disaster have become daily concerns.
Risk is no longer limited to physical damage or sabotage at facilities such as power plants and transmission substations. While recent natural events have shown the catastrophic toll outages can take in severing power to millions for long periods of time, whether due to windstorms in Los Angeles or snow in the Northeast, cyber risk increasingly poses serious and ongoing threats to computer networks, operating systems, and sensitive data. Utilities must be aware of risk in all forms, whether at the gates of a nuclear power plant or at a firewall protecting a supervisory control and data acquisition (SCADA) system.
Utilities must heed a call to action by creating and putting in place comprehensive risk-management strategies to identify and deter threats—both physical and cyber. Equally important, utilities must ensure they have the right talent with security and technology expertise, intelligence-gathering capabilities, business acumen, and communication skills. This broad scope of capabilities comes together in the roles of chief security officers (CSOs) and chief information security officers (CISOs)—talent that is in high demand and short supply.
Utilities also must recruit board members with expertise in information technology/information security and risk management to help ensure that organizations are adequately prepared as cyber attacks loom and risks escalate. Across all industries, directors and other senior leaders may not give as much attention to cybersecurity as they give to other corporate risks. For utilities in particular, beyond the liability exposure, failure to adequately anticipate, uncover, and mitigate cyber risks could have dire consequences for the organization, the public, and even national security.
This paper examines the risks and threats driving demand for CSOs and CISOs, as well as for external expertise from board members, as utilities gird themselves by assessing potential vulnerabilities to help avert crises. These insights come from conversations with utility industry CEOs; other senior leaders, such as chief information officers (CIOs) and chief technology officers (CTOs); and board members. Their names and organizations are not identified so these expert leaders could speak freely and candidly about sensitive topics. Although this work focuses on utilities, specifically power companies, the perspectives shared on identifying and mitigating cyber risks also apply to many other industries—the retail, banking and finance, insurance, and health care sectors, for example, all have dealt with much publicized attacks and risks.
All companies face risks—this is fundamental to business. Cyber risk, however, differs from business or financial risks caused by economic changes or poor investments. Cyber risk’s nefarious nature makes it especially onerous. Hacking attempts, computer viruses, and technological vulnerabilities constantly target computer networks and servers—just recall “Heartbleed,” a major security vulnerability that reportedly affected as many as two-thirds of all websites in 2014, including several major social media and retail sites.
The US power grid is a frequent target of cyber and physical attacks. These occur once every four days or so, according to an analysis by USA Today, which noted that the small-scale incidents could indicate broader security problems that potentially could lead to a sweeping outage that affects millions of people for days or weeks (Reilly 2015).
“Cyber risk is very different because it could rear its ugly head at any time—this afternoon, tomorrow morning—and lead to an immediate crisis,” a utility board member commented.
Cybersecurity regulations have been imposed on the US electricity subsector since 2008 under the Critical Infrastructure Protection Reliability Standards approved by the Federal Energy Regulatory Commission (FERC). Regulatory compliance, however, is insufficient given the gravity of cyber threats. Admiral Michael Rogers, director of the National Security Agency (NSA), told lawmakers in November 2014 that China, as well as one or two other countries, had the capabilities to successfully launch a cyber attack that could shut down the electric grid in parts of the United States (FoxNews.com 2014). Recent events have only heightened concerns: In December 2014, the South Korean state-owned nuclear plant operator, Korea Hydro and Nuclear Power Co. Ltd., reported that its computers were hacked, resulting in a leak of internal data, including reactor blueprints (Kwaak 2014).
CSO and CISO roles emerge.
As cyber threats grow more sophisticated, organizations must be more vigilant and savvier in detection and deterrence. As industry insiders note, protecting critical infrastructure takes a multifaceted approach—prevention, detection, and response—to uncover hidden threats and mitigate their impact (Dumoulin-Smith 2015).
The need to respond to escalating cyber risks has sparked the emergence and prominence of CSOs and CISOs in recent years, including among utilities and other companies that are part of the nation’s critical infrastructure. “It’s a changing field. Anybody who is in it today is going to watch it truly change over the next five years,” an industry insider commented.
While security roles are common within organizations, what differentiates the CSO and CISO roles is their responsibility for cybersecurity and for the growing risk posed by nefarious online threats. These emerging C-level executives also work closely with other senior leaders, such as the chief risk officer as well as CIOs and CTOs, who are attuned to specific risks.
For CSOs and CISOs to be effective, a risk mindset is a must. Equally important is that this talent must have deep understanding of the business and be able to communicate effectively with senior management and the board about the nature and extent of risks. This means connecting the dots from risks and potential threats to the enterprise’s operations. Some CSOs or CISOs have backgrounds in law enforcement, military, or intelligence, making them excellent at identifying and mitigating risks. But coming in at such a senior leadership level without corporate tenure may mean this individual needs mentoring on how to operate within a corporate environment and how best to communicate clearly with the senior management team in language that nontechnical people can understand.
The CSO or CISO must be “somebody you can put in front of the board, somebody who can go and give them confidence,” one board member commented. “You can’t have somebody up there who is stumbling. You can be the smartest person, but if you can’t communicate, it’s not going to help you. This person has to be able to talk to your senior leadership and your board.” Candor is also vital so executives and boards understand it is impossible to eliminate risk completely, though it can be mitigated. “They need to understand what is the open risk still out there, what types of threats are you most vulnerable to, and what’s the level of risk associated with that threat even after you’ve done your mitigating actions,” the board member continued.
CSOs and CISOs who possess all the needed attributes—risk/security, technical, and business experience—are increasingly in demand among utilities and other enterprises considered to be critical infrastructure. To meet the increasingly strong demand for talent, organizations must assess and develop their teams so they have strong candidates within the ranks to step up eventually into the CSO and CISO positions.
CSOs and CISOs as leaders.
Given their responsibility for identifying risks, assessing threats, and deploying solutions, CSOs and CISOs need deep knowledge and expertise in areas related to security (physical and cyber), intelligence gathering and analysis, and technology. Other desirable skills for CSOs and CISOs as leaders include:
Cybersecurity is on the leadership agenda.
In the past, cybersecurity risk assessments and mitigation were rarely major leadership concerns, except for CIOs or CTOs. Today, cybersecurity has moved front and center for senior executives and board members. Risk management and cybersecurity have become regular agenda items for boards, particularly in organizations with critical infrastructure.
Organizations across multiple industries are seeking more expertise in information security and risk management. For utilities, having this expertise among board members is vital. Ronald Sugar, former chairman and CEO of Northrop Grumman, who serves on the boards of Air Lease, Chevron, Amgen, and Apple, noted in a recent Korn Ferry Institute report: “You need broad expertise on the board, but it is helpful to have one or two directors who are capable of understanding the key issues related to cybersecurity” (KFMC100 2014).
Regardless of their backgrounds, all board members must become cyber savvy. As Korn Ferry found, cybersecurity is a growing part of the risks that boards must oversee—and it cannot be outsourced. For example, among the 98 directors added to boards of companies in the Korn Ferry Market Cap 100 (KFMC100) in 2013, only 3% had specific security experience. But new directors with risk management experience rose to 21% in 2013 from 5% in 2012 while compliance experience increased to 24% from 12% over the same period (KFMC100 2014).
Because technology pervades every aspect of a company’s operations, so too do potential risks. This makes cybersecurity an enterprise-wide concern. It cannot be confined to one function, department, or business unit, which puts it squarely in the purview of senior leaders and the board. As management and directors get more involved in cybersecurity issues, CSOs and CISOs provide more input to inform decisions around the allocation of resources. This responsibility underscores the leadership skills of CSOs and CISOs. Those with only a risk mindset and without the necessary business acumen might be inclined to say, “Protect assets at all costs.” But that may not be the best use of resources from a business perspective.
Resource deployment decisions require a strategic view of the business—the ability to draw parallels between a risk-threat assessment and the impact on the business. Without this understanding, it is difficult for the organization’s leadership to make cost-effective decisions to mitigate risk and improve cybersecurity while also ensuring the business does not suffer. An organization may identify a potential threat that could have a huge impact if it materialized; the probability of such an occurrence also may be negligible. Given the high impact but low probability, to what extent should the company prepare? “How do you prioritize your resources against your greatest risk when it comes to assets?” a utility executive asked.
Probability and consequence are not synonymous; each vulnerability does not become an imminent threat. Potential risks still need to be identified and assessed. To ensure this occurs, CSOs, CISOs, and their teams should be involved in the board’s audit and risk committees, giving presentations and sharing information. It then becomes the responsibility of the CSO or CISO to ensure that the committees, the full board, and senior management understand cybersecurity issues, both internally and among third parties with which the organization does business.
Cybersecurity concerns have prompted many utilities to participate voluntarily in industry-wide initiatives to share information about threats and improve risk identification and mitigation. The Cybersecurity Risk Information Sharing Program (CRISP), for example, facilitates the exchange of cybersecurity information among electric utilities, the US Department of Energy, and other entities. The program deploys passive sensors, so-called “information sharing devices,” to collect, transmit, and analyze cybersecurity information and intelligence across the electricity subsector (NERC 2014). Through CRISP, one utility executive observed, “We have the ability to tap into what other utilities are seeing.”
Cybersecurity needs to become part of the culture.
As CSO and CISO roles emerge and become more defined, these executives more often report to the top of the organization. While risk management may also be tasked to the general counsel or CFO, and the CIO or CTO may also be part of the reporting structure, CSOs and CISOs work directly with senior management. These reporting relationships reveal how much attention enterprise risk has earned in recent times within the organization, particularly at the top.
Cybersecurity also has become an organization-wide issue in all departments, from technology to finance and from marketing to sales. Besides greater awareness of the need to improve safety, leaders and their teams are undergoing training to think about risks, particularly those regarding technology. For example, while many companies push for access to networks and data on virtually any device at any time of day, such 24/7 off-site access can create new vulnerabilities, meaning convenience and cybersecurity can be at odds.
Devising workable solutions requires education across the enterprise and developing a culture of security and awareness. “Protecting assets is a shared responsibility for all employees,” a utility executive commented.
Establishing a cybersecurity culture begins at the top with the CEO. This leader must understand the risks and vulnerabilities in an organization and be committed to educating people about these issues. Converting awareness into action requires a proactive CSO or CISO who not only knows the security side but also understands the business and its needs so risk mitigation does not come at the expense of growth—or vice versa.