Adapting to the Future of Utility Security
Print Issue: January 2020
As technology progressed and evolved during the 20th century, the growing field was incorporated into everyday life—televisions entered homes, CCTV became standard in businesses, and digital communication drove changes in business practices. This gradual shift was notoriously interrupted by the first major, impactful cybersecurity event of the new millennium, generating anxiety over the “Year 2000” or “Y2K” problem.
The problem was a group of computer bugs linked to calendar information or formatting for dates that would refer to the new millennium, starting with the year 2000. Several computer programs identified years through the last two digits; therefore, software would not be able to differentiate between the years 1900 and 2000. Many people worried that computers’ mistaking 2000 for 1900 would result in fundamental errors in registering or displaying the proper calendar date.
Fears of the impact from these anticipated errors ranged from a mass disruption of the financial markets to aircraft plummeting from the sky as onboard navigation systems and pilot controls ceased to work. Within the utilities industry, there was also the fear that the Year 2000 problem would ultimately lead to a failure of critical infrastructure. Millions of dollars were spent on preparing for Y2K through the purchase and installation of “new millennium” computer systems, which ushered in the cybersecurity age.
Through the Y2K panic, utility security professionals learned that they need to be less concerned about “what the world is coming to” and be more attentive to whether the security team is nimble, knowledgeable, and adaptable enough to address any shifts in global trends. As we consider the future trends and demands imposed upon security managers, there are four key focus areas that must take precedence for the utilities security industry if we want to achieve any kind of significant change.
Prioritize and Focus
At the top of the list is the way the utility is structured within an organization, because organizational structure influences the delivery of security services across all sectors. Although cybersecurity has become one of the top focal points for all utilities, different environments will establish how security plans are prioritized and applied.
According to the Canadian Standards Association’s guide for security management of the petroleum and natural gas industry, a security management program should identify the key areas for security delivery, including: effective governance, risk management, cybersecurity management (information technology and operational technology—IT and OT), a physical security program, an information security program, a personnel security program, security incident management, and appropriate program management controls. These are the standards concerning security management for any organization. But while considering an uncertain future, some parts of the program may require more emphasis and attention to keep the program healthy, vital, and focused.
A telecom, for instance, has facilities that require physical and personnel security applications, but the highest priority of the organization is probably cybersecurity and the protection of technology infrastructure to maintain optimal up-time and generate profits. Similarly, an electric utility like a power plant has invested billions of dollars in power generation facility assets, power lines, and other infrastructure, and therefore has a high requirement for physical security and people controls. However, cybersecurity has also become a dominant part of the security plan, and it continues to grow in importance. There is no one-size-fits-all way to develop a security program; instead, context ultimately drives the application of the security plan.
Tailoring the program and its essential requirements to the context of a specific enterprise will keep security management relevant, helping leaders identify and address changing trends. Equally important, as a utility adapts to market trends, new technology, and societal pressures, the effective security team will remain nimble and in-step with the organization, proving the team to be more than another line in the budget. Instead, organized and efficient security teams will be key players in change management and risk management.
Educate and Hone
Over the past 40 to 50 years, the development and differentiation of the professional security industry have increasingly called for consideration of specialized professional qualifications. Security as a profession instead of a gig demands developing education, certifications, and designations.
The successful security manager of the future will be much more than a security expert. To effectively discuss and debate risks at the executive or C-suite level, a security manager should be knowledgeable about physical security, cybersecurity, and business management, as well as the organizational structure and business drivers for the enterprise.
The need for advanced and specialized education is becoming clearer, especially with the continued evolution of cybersecurity and physical security. This relationship between two interdependent yet separate sectors is not only driving the need for honed and specific professional skills, but it is shaping core educational requirements for future security leaders.
Security leaders must continue to educate themselves to adapt to external threats while also educating others about security’s contributions to the utility. Security managers need to be fully engaged as business managers, too—staying abreast of relevant market trends to understand what factors influence business decisions and how to adapt security practices to help meet those desired outcomes. Focusing on enterprise security risk management (ESRM) with a business mind-set is essential to maintaining parity between the security group and the rest of the organization. Equally important is effectively communicating how security priorities can operate as business drivers, portrayed with the correct context and priority, with their ROI understood at the executive and board levels.
Communicating how security teams operate can influence an organization as it considers how to adapt to market and societal changes. The security department is not a standalone operation within any utility. A security team that functions as a business group within the organization will have a healthy two-way dialogue with senior management and employees on a planned and continuous basis. This dialogue can take the form of risk reporting and more urgent forms of intelligence-sharing, in addition to the normal day-to-day dialogue security managers have with their teams, their managers, and the executive layer of the organization.
Altogether, the security manager is required to understand the business, understand how the business impacts security options, and understand what this translates into as financial requirements, risk prioritization, and contingency planning. This is an important ongoing responsibility that requires collaboration and useful knowledge about the utility in order to be functional.
Regardless of the source or scope of a threat, the security group is called to focus on the priorities before them. Effective teams do so by applying the right skill set at the right time, having a strong network of subject matter experts inside and out of the business, and being resourceful—all of which enable them to successfully adapt to fluid situations.
Converge and Cooperate
Security professionals’ investment in expanding their business and security acumen often pushes them toward a wholly integrated security risk management model. This will become more fundamental as technology and regulations evolve, changing the mind-set of utilities’ senior managers and causing them to seek cost-effective approaches across a company.
Taking risk management into a full and comprehensive integrated ESRM model is now paramount. Security teams operating under a converged physical and cybersecurity model—with individual subject matter experts coordinating and cooperating in the day-to-day delivery of security—are more likely to notice trends and effectively communicate them to decision makers while also providing prioritized solution sets. As utilities expand the use of technology, it will be necessary to have cybersecurity teams and physical security teams focused on what they respectively do best. Each side is simply too complex for one specialist to manage it all.
For example, in the past several decades, utility functions have increasingly migrated towards automation. However, the use of operational technology has created a critical cybersecurity problem for utilities. Unfortunately, bringing operational technology such as industrial control systems into the mainstream information technology network only exacerbated the problem.
While specialization is essential, cyber and physical security functions often fail to understand each other’s business, stresses, or operational value. While this does not make the endeavor ineffective, it can be improved upon.
There is also the advancement of various security technologies: video surveillance, access controls, unmanned aerial vehicles (drones), detection systems, robotics, analytics, big data, integration platforms, biometrics—the list of physical security tools intertwined with cyber features only continues to grow. These tools are no longer just physical. Evolving technologies and tools emphasize the need for an integrated and converged model for security specialization. Additionally, it is important to realize that such models do not negate all physical security specializations or all cybersecurity specializations—rather, we need security departments that can simultaneously operate in both worlds, supported by cyber and physical specialists working in tandem.
Adapt and Innovate
Security managers should foster a culture where change is healthy no matter its trigger, creating a leaner and more agile team. The fourth focus area utility security leaders should consider is adaptability.
While it will ultimately be up to senior leadership to set the overall organizational strategy to keep the business healthy and relevant as the world changes, security managers should remain aware of external shifts that can impact an organization. First and foremost, if we can predict the likelihood of certain situations, then we should meet changes or threats before they impact the organization through planning and change management.
For example, before smart metering and the smart grid, which together electronically transmit information about power usage and detect variations, utility security focused on physical challenges like plant protection, metal theft, and people-related security concerns. The smart grid ushered in a new focus for utilities, turning the spotlight onto cybersecurity risks in a significant way. Utilities that were already developing a technology platform for their operations—and had developed the knowledge and resource bases for adapting to the smart grid technology platform—were well ahead of the change. In contrast, utilities that were unprepared faced a steep learning and implementation curve, which they are still climbing today.
A large part of being adaptable is about preparation. The more we can see coming—with planning, foresight, fact gathering, imagination, awareness, 10-year outlooks, and other cognitive tools—the better prepared we are when threats emerge. Planning for a more fluid operating model and building in realistic contingency models with a three- to five-year focus is simply good security management in any operating environment.
Industry professionals saw Y2K coming long before 1 January 2000 arrived. Utilities, like all organizations, adapted by learning about the problem and addressing the issue well in advance of the anticipated Y2K date. Understanding the current and future needs of their businesses allowed for not only the replacement of old computing systems with updated ones, but also for the purchase and design of new systems for the organization’s future requirements.
Security leaders must present solutions with strong business justifications for any necessary security spending. But if the organization opts to accept some security risk in favor of spending on other company needs, the security team should be ready with a contingency plan, able to effectively operate in light of the realities presented. Adapting to change also means acceptance, often of circumstances beyond our control, and applying fresh thinking to achieve the best results possible with limited resources.
Forecasting potential disruptions over a 50-year period might seem like an exercise in guesswork, but security leaders can leverage this long view as a tabletop exercise to determine what could happen and how security professionals would need to adapt to address those trends. If the future seems bleak, or even just challenging, immediately start to consider the needs for education, information, peer networks, security program changes, and new technologies, and begin implementing those changes to future-proof your program.
Security leaders should be driving change management. It is entirely possible that the greatest changes in security management will come from innovators outside the security industry, but innovative thinking within today’s security sector makes it more likely that security professionals themselves will develop tomorrow’s solutions.
Security management in the 21st century is about adapting to change and driving innovation. Within the professional discourse that has taken place within ASIS International and other like-minded security organizations in recent years, there is already the spark that will allow tomorrow’s security leaders to meet the challenges they face.
Edge of Tomorrow
Although the future sometimes seems bleak and technology is evolving at a breakneck pace, adaptable security professionals take these challenges in their stride. By leveraging an informed management approach, keeping a vibrant network of experts, understanding the business and its key drivers, and applying innovation strategically, utilities’ security leaders can get ahead of the curve and deliver forward-facing solutions for the enterprise.
Adopting a holistic security risk management model provides the best assurance that the security department is aligned with the organization’s current and future needs. Keeping one eye on the present day and the other on future requirements—whether societal change, innovating through technology, responding to a shifting world view, or fostering relevant skill sets to manage it all—is a solid way to keep ahead of even the most imaginative threats.
Doug Powell, CPP, PSP, is a security project manager of security and emergency management at BC Hydro in British Columbia, Canada. He has more than 35 years’ experience in utilities security and is vice chair of the ASIS International Utilities Security Council.