The New Normal: The Need for Robust Information Security in the Utility Industry

There was a time when information security simply meant making sure to lock a file cabinet.

In a matter of decades, the concept of information security has evolved into a broader and much larger concern for all businesses – and today, thinking that information security is only a tech industry problem may as well be thinking that it’s still about file cabinets. The world we now know continues to reach new heights within the “Information Age” with every passing day.  The emergence and rapid adoption of smart technologies, as well as the Internet of Things (IoT) and all their connectivity, have led to a culture where day-to-day life is almost entirely digital”and nearly everything is documented in the cloud.

With more information comes a greater need to secure the data, and that security requires more dedicated resources and manpower. Utilities and their partner organizations must be prepared to proactively meet these demands and evolve in parallel with the people they serve, as their part within the greater information ecosystem-as customer-oriented businesses-is especially critical.

Another Day, Another Breach

As more devices are being enhanced with smart-tech and the reach and connectivity of IoT expands, more and more information that was previously unexposed now requires security. The rise of IoT isn’t simply affecting the state of security for a handful of tech-oriented industries – the changes are occurring on a much greater scale, transforming everyday life. In 2015, we saw the potential for hackers to remotely access connected medical equipment such as X-ray machines, which could be used as a backdoor into the hospital database and troves of highly sensitive personal information.

The severity of how these changing tides in technology are creating security issues is significant. A Hewlett Packard Enterprise 2015 report on IoT found that 90 percent of devices collected a piece of personal information (name, address, date of birth or more) through the cloud, a mobile application or the device itself—while 70 percent of devices used an unencrypted network service. Overall, 80 percent of devices raised some sort of privacy concern. Such concerns are usually even more amplified for businesses, with good reason.  In a report released in late 2014, IDC predicted that 90 percent of all IT networks will have experienced an IoT related security breach within the next two years, forcing chief information security officers to adopt new IoT policies.

Utilities Must Address the Threat Proactively

The problem is clear: the speed at which we are pursuing greater connectivity and the benefits that come along with it far outpaces the speed at which we are plugging the holes in security connectivity opens up. This perhaps explains why the market for cybersecurity reached $75 billion in 2015, and is expected to more than double that to $170 billion by 2020. Such tremendous growth over the next few years could be attributed to the number of companies who will reactively invest in response, and strengthen their protection only after they have experienced a breach or cyber-attack.

For customer-oriented businesses like utilities, however, it’s important to lead now in making a serious investment in information security, before a potential breach, as the methods and frequency in which breaches occur are growing. The global average cost of a data breach in 2015 was $3.79 million – a cost that could be prevented through a proactive approach to eliminate or minimize the impact.

Strengthening Device Security

As an industry, utilities are building new tech-enabled devices and systems to monitor and gather information that helps better serve their customers.  And so, the same technology that allows electric utilities to track customer usage, can be hacked by individuals with malicious intent and then leveraged for financial threats like identity theft, or physical threats by knowing when homeowners are and aren’t home.  In most instances the devices are designed to “call home” – or in other words, connect back to the utility or system provider – leaving a trail for a perpetrator to potentially follow.

The growing scale of connectivity involves vast levels of aggregation and numerous access points via Wi-Fi and other wireless protocols, and so we must ensure system providers are also implementing the necessary security controls around them. When assessing the exposure and vulnerability of customer data on a household to household basis, utilities must work to secure the technology they employ and enhance it to be tamper-proof. There must be an awareness of the intersection between virtual security and physical, device security on site at the customer’s home. For all the benefits such advancements in tech allow utilities, the appropriate protective measures must be thought through and put in place.

Bolstering the Human Capital

While fortifying security on a device level is critical, having capable and dedicated manpower to defend against attacks and breaches is another important area of focus. From a broader standpoint, organizations must plan to allocate and bolster human capital towards information security to ensure all IT functions are updated, configured and maintained properly. At my company HomeServe, for example, we have a 24/7 Security Operations Center (SOC) who are dedicated to provide real-time incident response and investigations.  This is just the first level of protection for the HomeServe environment and sensitive data.  We also employ an experienced team of professionals who are responsible for ensuring security controls are in place and properly maintained.

Organizations are certainly beginning to take the appropriate steps to address the issue. According to a 2015 survey by Robert Half Technology, the majority of CIOs responding to the survey indicated that they had plans to improve IT security at their organization in the next 12 months. With the rapid speed of technological advancement, for security and intrusion, CIOs must put a plan of action in place to constantly enhance their systems and practices. The most common improvement efforts stated in the survey included employee training, vetting firms with access to their data and hiring more IT security professionals.

Education & Training

While security has always been a valuable capability for any IT professional, we are seeing more and more priority placed on the importance of security training and certification. Robert Half reports that Certified Information Systems Security Professional is one of the top 5 certifications in demand by employers in 2016. Translating that knowledge to application is critical, as Information Systems Audit and Control Association reports that 45 percent of organizations responding to their poll plan to hire more cyber security professionals in 2016, yet 94 percent of those hire expect difficulty finding skilled professionals.

Data security is not just the responsibility of the IT team, however, as they must set the strategy and protocol that guides the full organization’s staff and their partner programs in protecting data and systems every day. It’s become increasingly important to drive awareness regarding security practices for all employees within an organization. During an employee’s onboarding process it is crucial to educate and inform him or her of the best practices to uphold as it relates to security.

IBM reports that 55 percent of attackers are insiders, and in 95 percent of those cases it was human error without malicious intent. To combat that, it is the duty of the IT team to equip their entire staff with knowledge and tips to protect the organization’s information. Such tips may include implementing an automatic lock on mobile devices, not sharing sensitive information over public Wi-Fi and other day-to-day activities that help to keep information and networks secure. Furthermore, it is critical to have processes in place that regulate information access and sharing to and from partner organizations. At HomeServe, all employees are required to take information security training annually to understand areas of risk and ensure adherence to best practices and policy.  In addition, users who have increased access to handle sensitive data are required to take additional security related courses to improve their awareness and knowledge of the security space.

Utilities Must Adapt

Data breaches are happening every day, and it’s not just the high profile retailers. IBM also reports that in 2014 Electric and Utilities made up about five percent of security incidents observed, with a remediation cost per record of about $132 in the energy industry. Utilities hold a lot of sensitive information (name, address, banking details, etc.) about a large group of people in a concentrated area, and so it is incumbent upon the organizations and the partners they share data with to keep it out of the hands of intruders.

As people and businesses continue to embrace innovations that escalate the level of connectivity in their lives, security measures must be proactively adopted in close step to protect newly vulnerable data. For companies, the more that new smart-tech and IoT devices closely integrate with business functions, the more necessary it is for information security to be a robust, living and breathing entity – requiring steadily committed budget and human resources to provide a versatile line of defense.

 About the author: Kenya Soares is Chief Information Security Officer at HomeServe US.  Throughout her career, she has served in key information security roles at Fortune 500 companies, advising executive leaders on how to reduce their risk posture by solving complex security problems and embedding security controls within their business and technology practices.

 

Previous article6 Steps to Becoming a Utilities IoT Ninja
Next articleSouthern Co. welcomes Chinese research facility to carbon capture coalition
The Clarion Energy Content Team is made up of editors from various publications, including POWERGRID International, Power Engineering, Renewable Energy World, Hydro Review, Smart Energy International, and Power Engineering International. Contact the content lead for this publication at Jennifer.Runyon@ClarionEvents.com.

No posts to display