Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1222824
24 | 20TH - 26TH MARCH 2020 | UTILITY WEEK

Customers

Roundtable: Cyber-security and Resilience, London, 27 February 2020

It's important, though, to use such visualisation in a positive way, said another. "For licensed, regulated companies it can show how justifiable, recoverable investment in our infrastructure is a benefit to our business, helping us manage our risks, and new and emerging risks."

Another speaker added: "In this day and age I'd be surprised if utilities in any shape or form didn't understand cyber controls must be in place. And I'd be very surprised if budget wasn't available. It's just about working out where the money is best spent."

While a lot of emphasis is on what utilities do with technology, the respond and recover part of the operation can be where you make most cultural gains. "All you need to do is to bring people together, to improve, to do the exercises. So, for example we've ridden the wave of the Coronavirus so far [for three days at that stage] because we have this preparedness. And in a heightened state of alert we do more things with cyber – so it promotes what readiness there is."

You also discover which people genuinely need access to systems and those who don't – and may never have it again, added another guest. "As with the Coronavirus, you find out where your resilience is. What you need to do in addition, net new, to BAU."

Bringing OT and IT together, although retaining some form of separation, was how various speakers saw new cyber cultures in utilities panning out – and several were experiencing this already in their organisations. "We don't just align, we integrate," said one. "The risk management is tied up with the things that both OT and IT are doing – so preparing people, safety, the environment, asset and reputation. My [OT] risk assessment is tied up with theirs [IT]. We're not selling a purely cyber message, we're selling a cyber and safety message. Because the whole security function has got responsibility for physical and cyber."

As the journey towards a smart grid continues, we will see even more converging of those two worlds, predicted one guest. "There will be a lot of insights coming in. Security in isolation will just no longer be sustainable."

But a cautionary note was also sounded: ensure important operational intel is not lost. "I'm often worried that if we take too much of an IT-centric view on how to secure these things, we can end up with the wrong solutions in place, and that can be expensive.

"Engineers are the best people to know how these things can be breached. You can't make any of these big IT moves in isolation."

So, having a completely converged OT/IT 'mono-culture' was not viewed as the answer by the roundtable delegates. There is still a need for specialist tools, although there could be a common platform – "a converged, protective layer that supported and allowed two different cultures".

The major cultural challenge for us all, added another speaker – as these functions meet and the space looks very different from what it is today – is how do we bring two worlds, that don't naturally overlap, together? "How do we start to see the harmonisation of that skill-set for what you need from a manufacturing and IT perspective?"

Maintaining trust after a breach?

Making decisions during an incident, and afterwards, that are "correct and adequate" was an essential response put forward, as was ensuring that you maintain the trust of your board. "It's not just about the business, it's about how you personally manage the crisis, how you communicate it and ensure everyone has bought in. That's also the best way to manage customer trust."

"It's also critical to ensure that the comms you are receiving are from the right person, and that the message hasn't been changed," was another piece of advice shared.

"How you access an organisation in a crisis speaks volumes," said a fellow speaker. "Being overt and out there. Saying this is what's happened and we recognise it. Plus, practise the comms, and know who is going to say what and when in any scenario."

Maintaining trust is also about having the confidence to say "I don't know", said another. "I think it's entirely reasonable for a CEO not to know the answers to tech questions. And I do worry sometimes that leaders are too confident; it can come across as unauthentic, not transparent."

"Own the narrative and get the message out there that you want to get out," advised another.

Solid, trusted industry information-sharing can also help, agreed the group, which thought that perhaps it was now time to build on existing mechanisms.

The two different worlds of OT and IT can actually be an advantage in a breach situation, said one speaker. "There are different things you need to do to attack them. And in an OT world there can be security through antiquity, diversity and obscurity. This can allow more time to react to a threat."

Understanding the risks and defining your risk tolerance for the way you want to operate is another key consideration. "In the absence of limitless resources," explained

Best practice takeaways

1. Creating cyber awareness
• Be proactive and inclusive
• Secure board buy-in
• Build on health and safety ethos
• Converge operational technology and information technology where appropriate, but retain specialisms

2. Maintaining trust after a breach
• Respond quickly and own the narrative
• Manage cyber's reputation within the company
• Practise preparedness
• Be honest and consistent in your message, internally and externally

3. Cyber security and tomorrow
• Threat modelling is the way ahead
• Cloud will have a vital role to play
• Supply chain risks likely to rise
• Mass decentralisation will create new Internet of Things security challenges