BY DAVID MAYERS, BLACK & VEATCH MANAGEMENT CONSULTING, LLC
Knowledge is Power:
Effectively Addressing Utility Security Risks
Securing critical power infrastructure has been a focus of expanding regulations.
However, these regulations have focused almost exclusively on the bulk power
system. While NERC-CIP v6 (to be published in 2017) is expected to expand
requirements to include low impact assets, much of a utility’s operations are
currently outside the umbrella of NERC-CIP regulations.

How can utility leaders secure bulk power, operations and customer data when
regulations and budgets are focused on one subset?

The answer comes from first understanding your risks and vulnerabilities followed
by prioritizing investments and budgets to address areas of greatest need. Security
breaches can happen through intentional acts or by utility employees’ and/or
vendors’ lack of awareness or knowledge. Many key vulnerabilities are beyond
a utility’s immediate control, such as connected customer devices, vendors and
physical attack, but there are ways to mitigate risk and system impact.

Evaluating your organization’s security posture enables you to identify critical
cyber and physical security vulnerabilities, define an action plan for improvement
and prioritize and justify investments based on need or benefit. Security
assessments and evaluations should cover the entire enterprise – from bulk power
to distribution to customer service. Such evaluations include:
Black & Veatch has a proprietary process for assessing and quantifying risk based
on likelihood and consequence of asset failure, security breach and/or physical
and cyber attacks. Our subject matter experts can identify where your organization
excels at managing risk and where vulnerabilities exist. The quantification of risk
enables utility leaders to identify projects and programs that mitigate the greatest
amount of risk – or provide the greatest benefit. The quantification of risk and
the prioritization of spending based on risk help utility leaders justify costs to
customers and regulators.
For more information about Black & Veatch’s comprehensive utility security solutions, please
visit us at DistribuTECH, Booth #2625, or contact us at ManagementConsulting@bv.com.
Change and Configuration Management: Are changes to systems monitored and controlled?
Identity and Access Management: Are you doing enough to secure access to critical data? If not, do you know how much it will cost you?
Threat and Vulnerability Management: Does your technology allow you to identify and manage
Situational Awareness: Does your system collect, analyze, alarm, present and use security information to create a common operating picture (COP)?
Continuity of Operations: Do you have a response plan? Has it
Supply Chain Risk Management: How are you managing the risks associated with
Workforce Management: Do your resources have the right skills and training to maintain a secure environment?
Physical Security Program Management: Are you using current technology? Are your physical measures sufficient?
Reputation and Communication Management: Do you know how to effectively respond to stakeholder concerns?
Program Risk Management & Governance: Does your program foster a risk-based culture? Are you prioritizing and mitigating risk effectively?