This summer the U.S. government created the National Risk Management Center to coordinate the defense of U.S. infrastructure – including energy companies – from cyberattacks. The NRMC isn’t the only group focused on security. EEI’s Electricity Subsector Coordinating Council (ESCC) also partners with the government to protect the grid. And the American Public Power Association offers online tools to help its members with security concerns. Cybersecurity is a hot topic; the stakes are high.
It’s encouraging to see the government bring public and private players together. This reminds me of how lawmakers kick-started patient security via electronic health records more than a decade ago.
What makes someone secure are the practices they engage in around the clock and the type of platform they invest in. And, frankly, we’re better than most of our utility company partners in this regard only because generating power is a utility’s core competency; writing code and designing secure, cloud solutions is our expertise.
When I’m called by our salesforce to speak with a potential customer (whether in the U.S. or Canada), my conversations are nearly 100-percent about security. In spite of the fact that our solutions have an uptime of 99.98 percent (and in some months 99.997 percent), the security discussions seem to zero in on what happens the other .02 percent of the time. Securing our customers’ applications is paramount. But an inordinate amount of time is spent talking about those .02-percent what-ifs. Consider this: a .02-percent chance exactly mirrors the odds – according to the National Association for Sport and Physical Education – of the WNBA drafting a high-school girl to play basketball.
Utility industry vendors have to ensure their systems are at least as good if not better than anything behind their customers’ firewall. The typical SaaS, or cloud, platform gets threats every second of the day. When utility company IT pros compare cloud platforms to that of an on-premises system – which is the kind of system that’s a bit neglected and dusted off when there’s a crisis – they see the distance traveled to keep customers secure. Unlike an on-premises system, SaaS solutions don’t go offline because a worker failed to apply a patch to the platform’s server.
For instance, if a large portion of the grid goes down, our company has redundancies across tiers, regions and time zones. We have servers in far-flung locations to maintain uptime and reliability, and those data centers housing our servers have backup power, too. In fact, today’s state-of-the-art data centers have phenomenal physical and electronic security. Vigilant vendors also run penetration testing (i.e., pen tests) internally and externally for protecting their infrastructure by enlisting the support of “ethical hackers.”
While it isn’t fruitful to spend a lot of time on the less than .02 percent, considering what-if scenarios matter very much. A savvy vendor will think through what happens if a hacker impersonates an employee and consequently develop a protocol before it’s needed. As a vendor or a utility, you have to continuously invest time and talent for security. For instance, meeting certifications like SOC 2 Type II are good; exceeding the certification is better. And even when you’re exceeding expectations, be careful. Just because you have insurance doesn’t mean you should drive like a madman.
A key to security is catching the bad guys quickly and then stopping them. Strategically, that means building fences around fences around more fences. A fence can be a webcam, motion sensor, biometrics or any other combination of pitfalls and gates. Taking security as granularly as you can lays an ever increasingly complex number of traps for intruders to trip over.
In spite of the headlines about some remarkable hacks and breaches, the utility industry and its partners are making defensive strides. Here’s why I write that: By way of background, I worked in industrial automation and later the healthcare industry for the better part of my thirty-year career. Getting systems right was job one in industrial automation because if you didn’t get things right, it could kill someone. That experience has helped me vet and mitigate risks the utility industry faces today.
What I learned from healthcare is that once the government goes full bore with an initiative, things lift off. Take electronic healthcare records (EHR). In the 1960s Lockheed developed one of the first electronic clinical systems, a forerunner of today’s EHR. The Department of Veterans Affairs then began dabbling with EHR in the 1970s. Things inched along in the 1980s and 1990s. Around 2004, the U.S. government created a national coordinator for health information technology. The president then signed a bill into law that incented healthcare providers to adopt EHR. Soon afterward the EHR became ubiquitous.
Healthcare was a laggard in terms of administrative IT and security. But doctors and hospitals caught up quickly when the government pressed the issue. Cybersecurity is now arguably one of our nation’s top concerns. If, as an industry, utilities and their partners focus on the right cybersecurity what-ifs and put in place smart protocols, we’ll increase the likelihood of early detection and shut down the bad guys.