EnergyBiz Magazine recently published “Cybersecurity: To Move Forward, Leverage the Resources.” The article essentially reiterated the energy industry’s forward-thinking posture when it comes to cybersecurity. Considering that organizations and industries with the most critical infrastructure are the most security-conscious, it’s not surprising that the energy industry is at the forefront as an early adopter of advanced security and digital risk management frameworks.
The article then went on to highlight a variety of official resources focused on grid modernization, e.g. the National Institute of Standards and Technology Interagency Report 7628 “Guidelines for Smart Grid Cyber Security” and the U.S. Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model.
In each instance, these official resources offered guidelines and best practices for what to do to protect critical infrastructure but did not provide substantive guidance on how to do it. For many, knowing how to do it is the most challenging aspect of cybersecurity.
The nation’s electric power grids are arguably the most important assets to protect from cyber attacks. Beyond following minimum guidelines, there are innovative and proven methodologies that focus on understanding the relationships between computers, computer networks and the electric grid so those responsible can identify and quantify failure scenarios. This is proving to be an effective technique for mitigating risks and maximizing protection of this critical infrastructure.
Consider the joint initiative that UNCC and Waverley Labs carried out with Duke Energy on grid network modeling and risk management, covering threat scenario identification and the related quantification, prioritization, and response for cyber vulnerabilities and threats. The collaboration leveraged advanced knowledge processing that integrated IT systems and cybersecurity data with operational and physical data. This approach enables energy companies to model consequences and quantify the business impacts associated with each risk. The technique is now being evaluated by other power companies as well as a growing number of large government agencies with highly critical IT infrastructure and infrastructure initiatives.
Stay tuned and watch this space for additional guidance on a variety of new cyber risk quantification procedures and knowledge-based analytical frameworks for digital risk management.