By Ted Schneider
In June, I’ll attend EEI’s Annual Convention in San Diego where I’m excited to hear Robert Herjavec, founder of information security firm Herjavec Group and Lead Shark on ABC’s “Shark Tank,” talk tech. Security is a passion of mine. The second person I hired for the ARCOS CloudOPs team was a cyber security engineer. A little over a year after joining ARCOS as its CTO, I watched the Ukraine fall victim to a hack of its electric infrastructure.
Since then, the number of discussions about security that we’ve had with clients has grown exponentially. Security requirements are mushrooming. And groups inside utilities dedicated to cyber security are ballooning. Maintaining security is a moving target, though. It’s more than minimizing downtime; security is about giving your organization and technology a multi-tiered buffer zone allowing time to ignore, trap and reject the negative intrusions or loading.
Most security problems happen because of human error. Someone unwittingly opens the door to a breach, or the organization didn’t have good security protocols. I recall a story of a fire that destroyed a customer’s data center; data was lost because the IT organization failed to back-up its data center with off-site technology. Rarely is a breach the work of a global cabal. Nonetheless, our industry must marshal the expertise to protect the U.S. grid from threats like the one that hit Ukraine.
I’m not indicting the utility industry or its IT pros. I am saying that utilities are experts at generating power and distributing water, gas and electricity. They’re best served by turning to IT professionals who specialize in security.
In a recent meeting, my colleague mentioned that a rising interest in cyber security might cause customers to argue that their data is safer with on premises solutions instead of the cloud solution we use at ARCOS. I see a cloud solution as safer. Here’s why:
- First, ARCOS is challenged every day by more than 125 utility companies (and counting) to adhere to their specific security protocols. While one (or two) of those utilities might be stand-outs in terms of their approach to IT security, the collective experience of serving that many security policies gives us far more experience than any one utility’s field of vision.
- Second, even an on premises solution eventually has wires to the internet, which means vulnerability. To mitigate our vulnerability, ARCOS runs daily scans of both its network and the connections we have to the internet to determine if and when there’s an opening. Our system recently detected what it thought was a breach and locked itself, which frustrated a number of our software developers working on projects. But the security protocols we put in place worked, and the system was basically saying, “I think something is amiss here; I’m locking folks out, while you investigate it.” We had time to investigate and determined it was a non-event.
- Third, every six months we undergo a third-party Service Organization Control (SOC) 2 Type II audit to verify that ARCOS is meeting or exceeding the standards we’re holding ourselves to with regard to the security, availability and confidentiality of our software platform and processes.
- ARCOS is continuously re-investing, updating, and upgrading its technology based on two things: feedback and ideas we get from our customers and our desire to constantly improve the way ARCOS and the utility industry do business.
Security is also about keeping a thread of common sense in every policy requirement. At a former company, a security auditor dinged us because he thought we should have our laptops locked to our desks. To me, that kind of thinking is having your head in a cloud, instead of your data.
In the meantime, I’m looking forward to reporting back on what I learn at EEI. Stay tuned.