Securing the grid, an unavoidable imperative


Posted on: Oct 11, 2017 by Ulli Haering

Water, gas, electricity: compromise the safety or effective delivery of any of those resources and the world as we know it stops. It’s not surprising that our utilities have become clear targets for anybody seeking to disrupt the social, political or industrial fabric of society.

When we think about the challenge of securing a utility grid today, we need to take the widest of perspectives.

The challenge spans both physical and digital landscapes – and indeed the areas where these two cross over. The perimeter of a reservoir, for example, can be safeguarded both by fences to discourage entry and cameras to relay digital alerts of attempted intrusion.

With the growth of the Internet-of-Things, the once-distinct boundaries between operational and information technology become fuzzier. Russian hacks on Ukrainian electricity provision, for example, targeted operational control technologies which, until recently, were rarely considered as points of vulnerability.

But security isn’t just concerned with increasingly distributed delivery and control systems. As utilities serve domestic, commercial and public-sector customers, they also manage a vast set of confidential data. Customer usage patterns, payment details, physical addresses and the rest must all be protected and secure.

A wider and evolving security perspective

The utility security perspective is continually evolving too. We are used to reading about the latest hack-attack approaches – straight denial-of-service attacks are just one weapon in the criminal’s cyber-armory, which now includes IoT botnets, a whole range of ransomware, spear-phishing, and more besides.

The ingenuity of the names is sadly outpaced by the ingenuity of the attack methods.

And it’s not just the methods which mutate. Both utility distribution models and their supporting operational and information technology architectures are also dramatically changing. Just consider, for example, how cloud services, virtualization and mobility have impacted the experience of both utility workers and customers in recent years.

The cost conundrum

The increasing sophistication of the security landscape has intimidated some utility companies. It’s become so complicated that they have questioned the affordability of designing, implementing and managing a genuinely overarching security policy.

This worries me for two reasons.

Firstly, it means that a utility service provider unwillingly accepts points of weakness in their business and operational processes.

Secondly, it also means they are limiting the confidence with which they can take advantage of new approaches and technologies. The opportunities for new business-to-business collaboration, for example, that are implicit in the mass-adoption of smart meters, are closed to those who are unwilling to meet the security challenges.

In short, the cost – both in terms of cash and trust – of not developing and maintaining an overarching security strategy will always be greater than the cost of investment.

Team games

In security consultancies with utility clients, I have been particularly focused on the design of universal service architectures and on the challenges of identity and access management.

One of the greatest personal rewards for me has always been that team engagements create new shared value for all those involved.

Just as it has been a privilege to learn from the inside view of operations from experienced utility professionals, so, I hope, I have helped increase their understanding of how to craft and operate a sustainable and effective security strategy.

Perhaps this appreciation of the team is particularly noticeable when working with utility companies, simply because our dependence on the services they provide us as citizens and as members of business or government organizations is so critical.

One thing is for sure. As the utility business model expands to embrace ever-wider degrees of B2B collaboration, and as customers expect more focused and personalized services, the composition and collaboration of the security team will continue to expand.

Business-driven security strategies

Digital transformation is central to the Atos business proposition, and digital transformation is pivotal in new utility operational and commercial models.

The importance of establishing sustainable security strategies is massively heightened as a result.

Unless utility companies can establish effective overarching approaches to security, they risk compromising both continuity and trust.

Just as important, however, is that without an approach to manage the evolving security landscape, it becomes impossible to take advantage of advances in both technology and business practice.

We are keen to share practical experience in digital transformation in utilities, and keen to ensure that effective approaches to security and cyber-security are developed to satisfy rapidly evolving utility business models.



About Ulli Haering

Senior Solution Architect and member of the Scientific Community
Ulli joined Atos in 2012 as a solution architect specializing in identity management. Early projects included the development of Atos’ own single sign-on architecture and the company’s first service offering for managed identity services. As a member of the Atos scientific community, Ulli is particularly interested in the security issues associated with IT/OT integration and in identity governance and analytics. A physicist by training, Ulli has worked in roles as diverse as an instructor for the Luftwaffe Technical School and the production of ID cards for the German government.