Cybersecurity for Utilities: Compliance Does Not Equal Security
The utilities industry remains one of the most heavily regulated sectors in the United States. In fact, every utility must demonstrate its compliance with a significant number of rules and regulations designed to ensure that each can deliver clean, reliable and safe energy, water or related services.
Given such regulatory obligations, utility executives are intensely focused on ensuring that their organizations comply with the guidelines established by the Environmental Protection Agency, the Federal Energy Regulatory Commission and other such entities. Similarly, utility executives are diligent in making sure they align with frameworks such as the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards (NERC CIP).
That attention to regulations is well-placed. Compliance is non-negotiable, not only because it’s required but because it certifies that you as a utility are performing at the highest levels of safety and efficiency. However, you should not assume that being compliant with all relevant rules and regulations means you’re safe from cyber threats. Compliance does not equal security.
Organizations in the utilities space – and indeed in all other industry verticals – are finding that even when they meet regulatory requirements, they can still have vulnerabilities that unduly expose them to cyber risks.
How can this be? Just consider, for example, that CIP didn’t regulate low-impact assets until recently. In that case, a utility could have been fully compliant with all CIP standards yet still have unprotected low-impact assets – a gap that hackers could have exploited as entry points to higher-impact assets that, if successfully breached, could have hindered utility operations.
The proof of the compliance vs. security gap can be seen in figures from Verizon’s 2021 Data Breach Investigations Report. It tallied 546 incidents this year (including 355 with confirmed data disclosures) in the mining, quarrying, oil & gas extraction, and utilities sector. Furthermore, the report found that social engineering accounts for 86% of the breaches in the sector, followed by system intrusions and basic web application attacks.
Such statistics indicate that organizations remain vulnerable to cyber attacks even when they’re fully compliant with all the rules and regulations that pertain to this industry. Note, for instance, that a phishing attack or similar social engineering scheme can succeed if just one person in a fully compliant enterprise falls for the scam.
We see a few other reasons for this dichotomy between being compliant and not necessarily being secure.
As stated earlier, some utilities continue to falsely believe that they’ve adequately secured their environments against cyber threats if they are compliant with all the rules and regulations. Therefore, they’re not investing in needed security measures that fall outside of regulatory requirements.
Similarly, some utilities focus more on compliance and thus invest there to the exclusion of adequate security investments. In such cases, executives often want to ensure that the utility doesn’t encounter negative findings and subsequent fines from regulators; they may not realize that the cost of a cyber incident could be significantly higher, and the disruption far greater, than that of any regulatory action.
In other cases, utilities combine security and compliance in one function and task the same people with both jobs – even though those two functions require different skills and expertise and must know and implement completely different strategies and standards. In such circumstances, organizations run the risk of doing neither security nor compliance well and thus falling short in both areas.
On the other hand, some utilities have compliance teams and security teams working independently of each other, each in its own silo. That practice can lead to duplication of efforts, wasted resources and missed opportunities to create a strategic risk management approach that addresses both needs in the most efficient, effective manner.
None of these scenarios is acceptable in an era when the number of cyber threats is growing – one study counted 304 million ransomware attacks worldwide in 2020, a 62% increase from the 2019 tally – and the impact of such attacks is also on the rise.
Companies in critical industries such as utilities are facing a constant threat to their ability to maintain operations and deliver essential services. Given that reality, you must devote the same high-level diligence to security as you commit to compliance.
That means having a security team with the resources needed to think comprehensively about the threats that could impact your utility, the likelihood and potential impact of those threats, and how to guard against them.
It means, too, having a security team capable of implementing, maintaining and maturing the people, processes and technology required to protect the enterprise.
At the same time, you must create an environment where your security and compliance teams can work collaboratively. This helps both departments stay on top of needed actions, as regulators are constantly updating standards to meet new challenges and address emerging threats. It also allows both teams to devise strategies that meet all relevant rules and regulations in a holistic fashion that eliminates gaps but doesn’t waste resources by duplicating efforts.
Keep in mind the payoff for such efforts. You’ll have an environment that delivers the reliability and security the company needs and your customers expect, where compliance requirements inform the security strategy and vice versa. Indeed, in the end you’ll have security and compliance in lockstep to effectively counter their common foe: those bad actors who seek to harm your organization.