New Ways to Manage Risk
WITH A GROWING CONSENSUS on the need to better protect utilities from the risk of cyberattacks, there is a push for utilities to implement a type of risk management used in the IT world. It is called Governance-Risk-Compliance (GRC) management. When looking at GRC management as an expanded security risk assessment platform, it is most important to put GRC into the proper context. Let us first consider what is leading us to this shift in utilities security practices and then how GRC could work if properly expanded and adapted to the industry.
One of the main reasons for this shift—apart from an obvious need to bring utilities security practices into the 21st century—is a proliferation of IT-based systems now used to manage the integrated electricity grid, water systems, gas supplies, and other daily operations. In addition, allowing customers interactivity with their utility and providing conservation tools online has become the norm. Next generation energy consumers expect nothing less than mobility and information at their fingertips, and utilities will have to comply.
To meet all of these needs, utilities and others are creating virtual pathways, through inter-connected systems, to core information technology (IT) and operational technology (OT) assets. These OT assets include the core Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used to manage daily grid operations.
The problem is that compromise of these ICS/SCADA systems could lead to loss of electricity to millions of individuals, businesses, and public-safety systems resulting in massive socio-economic and environmental damage. And various malware vendors that collect and analyze cyberattacks have found evidence that these systems are, indeed, targets of attacks already. Thus, the way in which IT traffic is restricted and controlled across this system becomes of primary importance.
A Move to GRC
Enter GRC management. When we think about more traditional methods of security risk assessment (or threat-risk assessment, as it has also been known), we see a fairly common assessment methodology for physical assets. This includes: categorization of assets with criticality rankings, identification of all prevailing threats (all-hazards approach), identification of vulnerabilities based on detailed examinations of the asset environment (includes people and processes), and assignment of impact/disruption values based on criticality and overall risk ranking. Ultimately, the risk assessment leads to prioritized mitigation planning that ultimately leads into a business case development cycle.
GRC, having been developed as an IT tool, pulls risk information out of a detailed view of governance structures. This would include risks related to system management, IT-related responsibilities of various groups throughout the enterprise, and IT risks stemming from the utility’s business relationships with partners, vendors, and other stakeholders. It would also include IT risks related to standards and policy compliance (leading to vulnerability assessment) and may include data received from automated vulnerability scans, such as logs of unauthorized login attempts. In brief, the assessment indicates where IT risk exists based on an evaluation of policy and process management desired to keep the IT system healthy, usually as aligned to an adopted standard set like ISO 27000. Depending on the maturity of the organization, there may be multiple standards against which GRC is applied, including more detailed IT management standards based on those established by respected entities, such as NIST.
GRC does not assess compliance based on some standards frameworks, such as NISTIR 7628. Moreover, GRC does not assess risk in the same manner as a traditional security assessment. For example, there is no ability in the GRC model to assess threat actors or their capabilities and no ability to demonstrate enterprise risk based on things like physical security requirements and similar inputs. Criticality is not even called out as a priority in all cases. One is led to ask, then, what risk is really being measured through this GRC platform, and is the IT GRC platform comprehensive enough to address a smart grid environment?
But a follow-up question would be if not GRC, then what? There is the North American Electric Reliability Corporation, Critical Infrastructure Protection, or NERC CIP compliance model, which has historically not used GRC. But as helpful as NERC CIP is in addressing critical cyber asset identification, security, and management, NERC CIP does not apply to the distribution grid (which delivers electricity to consumers and comprises most of what we call the smart grid), and it is, therefore, an incomplete standard for addressing smart grid (distribution) complexity.
On the other hand, the more traditional risk assessment (physical) model, while it is comprehensive enough in its methodology, and while it works well with regard to the inspection of physical IT asset protection, does not even contemplate IT standards, IT governance, and compliance components and, therefore, it cannot produce an adequate risk reporting across the enterprise.
Recognizing all of these factors, the answer to assessing the risk for the new smart grid environment may be a much more advanced form of GRC to include the attributes of comprehensive physical asset protection assessment and those of the IT governance and compliance model.
Risk assessment in this new cyber-risk environment must have a complex means of assessing risk in a dynamic and continuous process, and it must produce real-time risk reporting since threat profiles can change rapidly. Situational awareness inputs, including utility security incident and event management inputs (SIEM), log information, and system-wide alerts need to be funnelled into such an engine to provide appropriate risk indicators for management on the fly.
Other data points, such as staff training metrics, personnel changes, access privileges, and environmental indicators, are equally important for understanding risk across the system. Risk assessments must factor in external threatscape information, such as what other utilities are reporting, and news about relevant activities of cyber-criminal groups and their capabilities. Some advanced GRC engines are currently the best vehicles for adapting to these needs.
Assessment of IT risk and physical risk must be integrated with information flowing to a single assessment engine. But even this is not enough. A vastly expanded GRC platform is needed. Furthermore, this expanded GRC assessment must be a continuous process, using as much automation as possible and including manual inputs for information that cannot be scanned in.
This objective is a daunting, complex goal to consider. But it is absolutely necessary in this complex environment we are now called to manage within the utilities sphere. Getting to this goal will require some fundamental changes, including the development of new skill-sets in the area of security expertise, the development of more comprehensive security software, and the development of utility operations paradigms to accommodate these changes. Attitudes, skill-sets, and processes need to change quickly to meet the expanding operational risk.
Fortunately, there has already been recognition of and movement on the need to develop new skill-sets. We have seen increased uptake in IT certifications held by utilities security professionals. The agenda of the ASIS International Utilities Security Council has shifted to include more cyber-focused issues. Collaboration between the ASIS Utilities Security Council and the ASIS IT Security Council has increased over a relatively short time, indicating both a desire and a need for traditional security professionals within the utility sphere to learn more and apply more IT security practices to their daily security management practices.
The Critical Infrastructure Working Group, a collaborative body of numerous ASIS council leaders and others, has started developing a cyber-education initiative to help traditional security professionals transition to a more IT-savvy security knowledge base. Priorities for ASIS education program development and certification requirements have also clearly shifted more toward the cybersecurity end of the spectrum.
The Utilities Security Council’s recognition of the need to become more IT-centric has also been reflected in its white paper series. All of the papers issued in 2012—including those that covered smart grid security, integrated security, and a future view on certification requirements for utilities—addressed IT-based issues. This represents a key tipping point for what remains a primarily “traditional” group of security professionals who have usually been labelled by their IT counterparts as “physical” security professionals.
As for the tools needed to adapt an expanded GRC model, GRC software products exist today, and one or two of the developers of those products are trying to address utility needs. The best avenue for adopting this risk-assessment process today may be to apply the most comprehensive GRC software package available, one that has demonstrated the concept of real-time, diverse feeds, and work with that vendor (the author prefers not to identify specific vendors) to develop a more customized model of what your enterprise needs, with a view to the future.
Compliance management will need to take a dominant position in this development, because regulatory compliance is important for utilities, and because it is possible that the enterprise does not yet fully understand it. A compliance exercise using a robust GRC engine can help flesh this out.
Finally, given that even transmission line checks and substation maintenance schedules form part of utility compliance, and assist overall utility security, along with dozens of other requirements across the company, a GRC engine should be adapted to include this type of issue. And making it inclusive of these considerations can also help to build a business case for acquiring funding approvals. After all, if any task is important for the ongoing resiliency of the utility, it should be measured in terms of compliance management and as a contributor to overall risk. GRC management can assist with this.
This article has not explored many of the other factors that will feed into heightened cybersecurity concerns for the utility, like continued adoption of cloud services and expansion of mobility tools, not to mention a complete set of security concerns related to social media and Bring Your Own Device policies. Each will impact the security stability of the utility and electricity grid in new ways and add complexity to security management. Managing vendors to ensure appropriate technologies have security “by design” will be equally important in the overall, ongoing risk assessment. There are many vulnerability points in utility operations separate from and contributing to security management issues. Each must be factored into the daily security risk management cycle.
Doug Powell, CPP, PSP, is manager of security, privacy and safety governance and risk for smart metering at BC Hydro in British Columbia, Canada. He serves as vice chair of the ASIS International Utilities Security Council and chair of the Critical Infrastructure Working Group. He is also an associate to the Infrastructure Resiliency Research Group at Carleton University in Ottawa, Ontario. He has more than 30 years’ experience in the industry and has been recognized with numerous awards. The Utilities Security Council has written white papers on many of the topics discussed in this article as well as others not addressed here. These papers are excellent resources to begin understanding the scope of security risk management issues today.