Monday, April 11, 2011

Does your utility really care about security?

Security, of both the physical and cyber varieties, has been on the lips of power insiders for decades now. Discussions about the physical side of the issue usually peak after accidents like the one slowly evolving at Fukushima Daiichi over the last month or attacks like the ones on the World Trade Center in New York a decade ago. The discussion comes and goes with a social ebb and flow that mimics human behavior patterns: It’s high when humans have something to fear in the recent memory; it’s low when that recent memory begins to fade from the synapses.

The cyber ones, on the other hand, don’t really ebb much. They have been steadily growing in strength and decibel level as the smart grid gets more of a foothold and creates more potential security endpoints to cover. Concerns in that area rarely grow less numerous, and a recent study by the Ponemon Institute may kick up a few new arguments as well.

Unfortunately, the study shows that pesky patterns of human behavior are apparent with the cybersecurity elements of power as well---namely that workers don’t think management understands the value of their work, that compliance is something everyone has to do but few think is valuable, and that the “terrorist” you really need to worry about may already be inside your cyber walls, so to speak.

The study, “State of IT Security: Study of Utilities and Energy Companies,” was published this week by Ponemon Institute and sponsored by Q1 Labs. They surveyed 291 IT and IT security people in the energy industry for the results, picking people specifically involved in securing assets, systems and infrastructure.

My favorite finding is one gripe that you could find with any gig, anywhere, in any office in the U.S.: The boss totally doesn’t get what I do or how important it is. 71 percent of the survey respondents said “the management team does not understand or appreciate the value of IT security,” according to the survey’s specific wording. Now, keeping in mind that the people doing the talking here are likely not a part of the management team, this seems quite standard for corporate America: The boss doesn’t get it. Unfortunately, however, we’re not talking businesses that make bingo cards or bracelets or BB guns. This is the power structure we’re chatting about---the backbone of health, security, luxury and industry.

If the boss really doesn’t get it, we’re all in a lot of trouble here---not just the corporate employees, but all of us in this power-hungry society. Adding to the issue, those employees in the survey don’t see what they’re working with as state-of-the-art technology, nor do many of them think their companies are very proactive in keeping risk at bay in this area. So, the bosses don’t get it, aren’t forking over cash for it (likely because they don’t get it) and really don’t want to think about it or plan ahead for it.

Again, we can all hope this is just a problematic human perception and not the actual truth, but it’s still a bit scary to think about. Still, even if the boss doesn’t get it, they have to comply with NERC standards and regulatory objectives that force the utility into security compliance, right?

Well, yes and no. There are, indeed, standards for this sort of thing, but the respondents in this survey overwhelmingly said that compliance isn’t a major push with their company and that, besides, it’s super difficult to comply anyway. Plus, in the end, the regulations in place don’t really help with security. They’re just not very effective.

Just in case you want to keep score, here’s the bottom line so far: The boss doesn’t get how important security is, isn’t paying for it, isn’t bringing in the right technology and, in the end, what we’re all forced to do by those pesky regulations doesn’t help a whit anyway.

Scared yet?

Finally, in the area of just how much they will cost and who exactly is causing those security issues, you might get to breathe a small sigh of relief. It’s not nearly as frightening as you think. No multi-million dollar price tags are popping up today, and no terrorists are rearing dangerous heads. While those survey respondents admit that an “exploit” on their company network could occur in the next year, the average breach would clock in at a modest cost of $156,000. (OK, that’s not modest to me, but it is modest to a large corporation, let’s say.)

Additionally, we don’t need to fret so much about outsiders and scary terrorists. Most of those breaches will be caused by people who already work at these organizations. While leadership issues (like who the heck is really responsible for security) are contributing to the problem, there isn’t an overwhelming need to shore up systems against angry outsiders---just a need to get a good look at potentially angry insiders.

This small survey may note, inadvertently, the biggest hurdles to cybersecurity that power systems face: ourselves. Someone needs to be in charge of security and take responsibility for it. Someone needs to think it’s important, invest money in it and really figure out how regulations can help, rather than hinder, the issue.

The problem remains though: Who will be that mysterious “someone” for your utility?
