Earlier this month, the United States Department of Energy announced a $220 million program to upgrade the electric grid. In the announcement, the program outlined the funding would be spent to help advance grid research between the agencies laboratories and private sector organizations.
This announcement was the follow up of a potentially much larger program of $4 billion to modernize the electric grid. This initial funding will focus on things such as the integration of renewable energy and development of energy storage, but more importantly they intend to research at ways to protect the grid from cyber-attacks.
Although this larger task will take time, it’s great to see investment occurring in the aging infrastructure that exists today. As utilities invest in security enhancements to support a more robust utility grid, they should understand a baseline on the viewpoint of security. Therefore we wanted to share some of our insights gained from our Industrial Internet of Things (IIOT) survey respondents.
In this blog we will review some of the areas to focus on and use the responses of respondents from our survey. We hope by doing this executives in the utilities industry can compare how they are responding to the challenges and compare it to how other industries are dealing with security as well.
Breaches Come from All Directions
Although the attention in the news on security breaches is often about malicious hackers or government sponsored attacks, our respondents confirm that it is by people who have direct and physical access to the plant, distributed infrastructure, or IT systems that cause the most common security breaches.
Have you had any plant IT security breaches? If so, from what source? (N=251, all respondents)
When developing a security strategy for infrastructure it is important to realize all the possible opportunities there can be to attack infrastructure, whether malicious or not. Now as IIoT enables and Smart Connected Assets begin to be integrated within the enterprise, the opportunities and chances for breaches increase. It will always be a battle, but not one that can ever be given up.
Who is in Charge?
Interestingly, we when ask the question to our respondents as to who is responsible for security, we do get a wide range of response. Typically security rests in the IT department, as we often correlate security in the cyber form. But as Information Technology (IT) and Operational Technology (OT) converge a direct conversation will need to occur between the Line of Business and IT.
Who in your plant is responsible for access/physical/cyber security? (N = 251)
Often, the Line of Business has been purchasing and directed to purchase technology solutions to operate the business and creating “Shadow IT” departments of their own. This opens up the flood gates of opportunity for cyber-attacks. The good news is we increasingly see more direct involvement of new IT implementations, and therefore, if cyber-security is standardize, the chances of malicious attacks can be reduced.
Increase Management’s Visibility to Security
With all the news of cyber-attacks in a variety of industries, CEO’s of some larger organizations losing their jobs, and market shares being reduced in others, it was a bit of a surprise to see that 73% of those who are responsible for security report to someone other than the CEO.
Alarmingly, 34% are reporting to someone below the executive leadership line all together. Security and the planning for security should have responsibility and direct line reporting to the CEO. The buck stops there and they are the first faced with crisis management in the result of a breach.
To whom does the most senior security person in your enterprise report? (N=251)
Security is a catch-22. A solution can be put in place and the next minute there is a potential for a breach. It’s a complex issue that is compounded exponentially when asset infrastructure is disperse across a wide geographic area or spans many plants. As new technologies like the IIoT and Smart Connected Assets become integrated, a clear security plan that can evolve and adapt will be needed.
The Department of Energy is on the right track as they realize large investments are needed to tackle this issue. More importantly, there will be continued investment and collaboration within the utilities industry to make sure we make the electric grid as secure as possible.
NEW Research Spotlight on strategies and recommendations for minimizing risk through a migration away from monolithic, single-plant MOM architectures through exploration of Cloud and IIoT technologies that are advancing in manufacturing today.