by Ron Brown, PWC
Recent surges in severe weather and an increased frequency of cyberattacks have clarified two points: Electric utilities no longer can afford a short-term approach to business continuity and disaster recovery and they should be better prepared for unexpected disruptions.
Consider, for instance, Superstorm Sandy. It hammered the mid-Atlantic and Northeast in October and left flooding and wind damage estimated at $71 billion.
During the storm, more than 8.51 million homes lost power, according to The New York Times.
At the same time, a new report by computer security firm Mandiant shows that advanced cyberattackers target energy, oil and gas companies more frequently than any industry except aerospace and defense.
The “Mandiant 2013 Security Report” found that 14 percent of advanced attacks in 2012 targeted energy, oil and gas concerns-an increase of 40 percent over the previous year.
President Barack Obama in February issued an executive order on cybersecurity that recommends sharing of classified information among the government and owners and operators of critical infrastructure, including utilities.
Sharing this information might provide electric utilities with warning and response recommendations for potential attacks or attacks in progress. The order is aimed at raising awareness of cyberthreats and their potential impacts.
Without a risk-based business continuity and disaster recovery (BC/DR) program to counteract such threats, electric companies could be vulnerable.
The number of companies without programs is surprising. PwC’s “The Global State of Information Security Survey 2013” found that only 52 percent of utilities respondents have implemented a BC/DR strategy.
This is particularly troubling, given the lessons of Superstorm Sandy and the upsurge in cyberattacks.
If your company were hit by a disaster, natural or otherwise, would it be prepared to maintain operations and availability across the business?
Utilities should move aggressively from a defensive responsive capability to a more offensive, prepared stance regarding events that can have prolonged impact on their ability to generate, transmit, distribute and provide critical customer and internal business services.
Using the BIA to Avoid Risks
Business continuity planning is an offensive strategy to reduce recovery impacts and costs. BC/DR is risk avoidance.
That’s why an effective program begins with a thorough business impact analysis (BIA) that identifies then prioritizes critical business functions and supporting capabilities needed to sustain services during unexpected disruptions.
The BIA together with a risk assessment is required to classify unique, critical business threats, determine the likelihood of core business disruption, and identify the associated cost of loss.
As such, the BIA must be performed with owners of individual lines of business.
The BIA provides an understanding of business-interruption risks and impacts and helps prioritize recovery needs by identifying key business areas that require attention and driving the appropriate level of consideration so business needs are aligned with the BIA-and are in place to mitigate risk.
The outcome of the BIA establishes requirements for investments in recovery capabilities, as well as prioritizes functions not commonly identified as critical to utilities, such as back- and front-office processes that support nonoperational functions.
After requirements are confirmed, strategies should be developed to mitigate potential business interruptions.
These strategies should be approved by executive leaders, who set the tone and commitment needed for recovery plan development and implementation.
Prior to deployment, plans should be exercised and validated to confirm requirements and recovery expectations.
Even organizations that have performed BIAs must be diligent. Severe storms are redrawing the lines of safety, and that makes it increasingly important to regularly update the existing BIA.
Sandy, for instance, flooded areas that never had been under water.
As a result, flood zones have been redefined in certain areas, and that might dictate a reconsideration of disaster recovery plans.
Regular exercising of BC/DR programs is equally critical.
Yet around-the-clock availability requirements often make it difficult for electricity providers to perform extensive exercises, particularly for plans that address long-term interruptions.
A risk-based approach also dictates that critical vendors, suppliers and partners participate in BC/DR exercises.
These third parties also should have their own BC/DR plans.
It might be beneficial for them to have an audit of their programs as proof of readiness.
Planning Beyond the First 48 Hours
Sandy confirmed power outages can endure far longer than 48 hours, yet many utilities limit planning and exercising to the first two days of an event or less.
Electricity providers should think beyond survival of an interruption and develop long-term recovery capabilities and planning.
Most utility emergency plans include mutual aid agreements and procedures such as recruiting storm response crews from other states or regions, developing alternative delivery and transmission process controls capabilities because of technology interruptions, and prioritizing critical services to be maintained to support safety and health services.
Mutual aid agreements have existed among utilities to mitigate disruption in field operations, but there might be opportunities to broaden collaborative efforts to call center backup and other support functions.
Electricity providers also should prepare for incidents that might prevent employees from working in corporate facilities. If a call center is under water, for instance, it will be necessary to plan for employees to work at a remote location or leverage a service provider. Even with these plans, if customer service or outage management systems are not operational, recovery options might be affected severely.
As a result, a comprehensive plan and approach to conducting exercises are not “nice to have” but are necessary because of the complexities and interdependences that typically are not uncovered until a comprehensive exercise is conducted.
Beyond planning, electric utilities should conduct business continuity exercises for durations beyond 48 hours and publish results internally so all employees understand the processes. BC/DR personnel should document processes that failed or were inefficient and make sure these gaps are remediated. These reports can provide lessons that improve the BC/DR program and potentially reduce recovery costs.
The Right Technology for BC/DR, Cybersecurity
BC/DR is not strictly a technology exercise, but having the right technology is important to supporting an effective BC/DR program. With the advent of smart grid and smart meter technologies, utilities can gain insights into the location of problems. But this increase in knowledge can augment reliance and risk in the event of disruption. Electric utilities should carefully and broadly consider how new technologies are used and incorporated into overall BC/DR plans.
As managers evaluate new technologies, they should rethink and embed processes that can help streamline disaster recovery efforts. These might include mobile devices, apps and GPS services to dispatch and track power-restoration workers more efficiently and streamline damage assessment.
The right technologies also can enable employees to work remotely if corporate facilities are unavailable. In addition, social media can help identify and communicate situational issues quickly, but procedures and processes should verify information.
Most electricity providers prepare only for risks they consider likely, such as hurricanes, winter storms and floods. Given today’s environment, they also should plan for extraordinary but possible threats such as cyberattacks and events that provide little to no notice. An effective cybersecurity program dictates an offensive stance that requires thinking like potential adversaries. What information do they want? Whom would they target? How would they infiltrate? Answer these questions and seek input from your BIA, which has identified your most valuable assets, and craft a cyberstrategy to protect them. Ensure employees know what they are protecting, why they are protecting it and their roles in protecting it.
As cyberthreats multiply and constantly evolve, it becomes increasingly difficult for an electric utility alone to safeguard its data, networks and service-delivery capabilities. As Obama’s executive order on cybersecurity underscores, electric utilities potentially have much to gain by collaborating with government agencies and policymakers to share cyberattack information and strategies. They also want to be protected from privacy lawsuits if they share customer information and from negligence suits for failing to act on warnings.
Finally, some electricity providers think they can avoid planning for unlikely events because they might never happen. That’s not a risk worth taking.
Disaster recovery should be elevated to a strategic investment and supported with a cost-benefit analysis. Demonstrating, for instance, that investing a relatively small amount can provide a huge cost savings after a disaster can be convincing.
An effective BC/DR program that embeds strategy, processes, technology and security into the fabric of an organization might be costly but can pay off many times over if needed.
Ron Brown is a managing director with PwC’s governance, risk and compliance practice. He has more than 25 years experience in developing business continuity capabilities and delivering management services to help clients establish structured and consistent programs that improve operational performance and resilience.
PowerGrid International Articles Archives
View Power Generation Articles on PennEnergy.com