Utility Management in IT Security

At the the Mueller Mi.Net Conference (Mi.Conference), Mueller invited Anil Gosine, a cybersecurity expert, to discuss Internet of Things (IoT) concerns and general Utility IT shortfalls that are inherent to the industry. During his presentation, a few items of note came up regarding Utility Management and their ability to react to cybersecurity threats:

1.) In a 2016 survey, over 80% of Corporate Executives that responded stated they felt they could not understand a cybersecurity report and that their organizations were not prepared for a major attack (both security against and mitigation of effects)
2.) In the same survey, 40% of those respondents stated they were not concerned about their lack of understanding, as they felt they were not liable for the repercussions of hacking nor the responsibility of protecting customer data. Their defense seemed to be based on the fact that this should be IT responsibility

When thinking about this survey example, it made me wonder how concerned the Utility Managers are with cybersecurity, and how they feel their role is played regarding responsibility in the event of an attack. As we work with Utilities to help deploy Automated Metering Systems, I often see the responsibility for this Utility project be pushed off to IT due to being related to technology, however these systems are more about change across the entire Utility, which the IT group cannot effectively manage without support. With this comparison in mind, I’m curious how many Utility Managers would have a similar outlook to customer data protection and responsibility, even if they did not directly realize it until now.

Another troubling situation is the continued prevalence of IoT discussions related to Smart City and Smart Utility goals. As Utilities continue to expand these networks and add new devices, we are seeing more opportunities for edge computing (situations where the endpoint runs applications and performs calculations) and SCADA-like use cases. SCADA systems have always been ‘islanded’ for security reasons. Many of the devices for IoT have use and operational requirements that necessitate connection; the potential for direct device control by an attacker multiplies the data issues in the event of an attack and can pose larger consequences for the community. None of these concerns are new for the electric industry, but water and gas are continuing to evolve with their own complex application needs, and as these needs develop, the potential for malicious actors to turn their eyes toward these Utilities becomes much greater.

In closing, IT and cybersecurity questions for Utility Leadership:
1. Is our IT Team supported with clear enough directives to act decisively?
2. What can Utility Leadership do to improve our organization to be resilient in the face of attacks?
3. How do we change as an organization to handle the power and transformations coming from IoT and Smart Cities / Smart Utilities?