POWER December 2021 - 29

CYBERSECURITY
Leading Practices
Beyond basic hygiene, P&U companies
must adopt a security-by-design
mindset: the business must set and
understand cybersecurity principles and
objectives so they're considered when
new products and services are introduced
and technology is deployed, not
grafted on after the fact. P&U leaders reported
that only 37% are being engaged
with adequate time by the business to
address cybersecurity for new technology
being implemented. Considering the
risk environment, cybersecurity should
always be consulted early in the design
or pre-implementation phases of a project, whether
it's for a rollout of smart
meters and other intelligent grid digital
assets, or within traditional power plants
or renewable installations, for example.
Aligning to a zero-trust architecture
(ZTA) equips organizations to achieve
this by default, because the key principles
mandate that your assets connect
to other resources only with a business
reason and authorization. Amid a proliferation
of connected devices and cloud
technology, ZTA is oriented around what
devices and components do, more than
where they come from, and "zero trust"
means that verification is required for
each connection. This replaces outdated
strategies focused on securing a perimeter
around a network and scrutinizing
those outside that perimeter, as a trusted
device in the wrong hands can still
inflict serious damage, and the bounds
of the perimeter can be hard to define. In
May, the Biden administration issued an
executive order on cybersecurity explicitly
stating that the federal government
is moving toward adopting ZTA, and the
Department of Energy is likely to endorse
ZTA in its sector-specific cybersecurity
initiative, still under development.
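
The contrast drawn above between perimeter trust and per-connection verification can be sketched in code. This is an added example, not part of the original article; the device names, resources, actions and business reasons are hypothetical, and the credential check is reduced to a boolean.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    source: str            # device or workload identity, not an IP address
    resource: str
    action: str
    business_reason: str   # why this connection is needed

@dataclass(frozen=True)
class Request:
    source: str
    resource: str
    action: str
    network_zone: str       # "internal" or "external"
    credential_valid: bool  # outcome of verifying this connection's credential

# Constructed policy; every name here is hypothetical.
POLICY = (
    Rule("smart-meter", "meter-data-collector", "submit_reading", "billing"),
    Rule("historian", "plant-sensor-gateway", "read", "operations reporting"),
)

def perimeter_decide(req):
    """Legacy model: anything already inside the network is trusted."""
    return req.network_zone == "internal"

def zero_trust_decide(req, policy=POLICY):
    """Default deny: verify each connection, then require an explicit rule."""
    if not req.credential_valid:
        return False, "credential not verified for this connection"
    for rule in policy:
        if (rule.source, rule.resource, rule.action) == (
                req.source, req.resource, req.action):
            if not rule.business_reason.strip():
                return False, "rule lacks a business reason"
            return True, "authorized: " + rule.business_reason
    return False, "no rule authorizes this connection"

# Constructed requests covering the cases where the two models disagree.
SAMPLES = {
    "meter_from_field": Request("smart-meter", "meter-data-collector",
                                "submit_reading", "external", True),
    "office_pc_to_gateway": Request("office-workstation", "plant-sensor-gateway",
                                    "write", "internal", True),
    "historian_stale_credential": Request("historian", "plant-sensor-gateway",
                                          "read", "internal", False),
}

def compare(samples=SAMPLES):
    """Map each sample name to (perimeter verdict, zero-trust verdict)."""
    return {name: (perimeter_decide(r), zero_trust_decide(r)[0])
            for name, r in samples.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```
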
While technology developments have
opened up new potential for attacks, they
also offer new methods for bolstering
defenses. Monitoring and recognizing
malignant activity within this environment
of connected devices and cloud access
goes beyond what is humanly possible
to track. Therefore, security teams need
visibility at an automated scale, relying
on artificial intelligence, for example, to
identify and surface anomalies, prioritized
by risk.
Sophisticated P&U companies are
also building or leasing lab time to test
their hardware, software, and communication
protocols and networks before
committing to large deployments, an
ahead-of-the-curve approach for embedding
security by design. This exercise
could include mocking up the current
grid, bringing potential new devices into
the existing environment, and testing for
unexpected vulnerabilities and potential
issues related to performance.

Figure 2. This graphic shows the percentage of responses received from personnel in the human
resources (HR), business line, and product development/research and development (R&D) departments
of companies that participated in the EY Global Information Security Survey 2021
when asked to describe the relationship between the security team and other functions of their
companies. Courtesy: Ernst & Young Global Limited

Leading individual P&U companies,
device manufacturers, consultancies,
and some industry groups have also
created OT "honeypots." The basic idea
is to create a mockup of a device or set
of devices, let them be "visible" to the
internet, and then collect and analyze
data related to how and how quickly
the device is identified and what threats
surface. The organizations can then use
that information to determine where and
how to evolve defenses.
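
The analysis step described above, measuring how quickly a mock device is found and what then surfaces, might look like the following. This is an added example, not part of the original article; the log format, timestamps and events are constructed, the addresses come from reserved documentation ranges, and ports 502 (Modbus/TCP) and 23 (Telnet) were chosen for the sample.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data. Assumed line format:
#   ISO timestamp, source address, destination port, observed event
EXPOSED_AT = "2021-11-01T00:00:00"   # when the mock device went online
LOG = """\
2021-11-01T00:41:10 198.51.100.7 502 connect
2021-11-01T00:41:12 198.51.100.7 502 read_registers
2021-11-01T03:05:00 203.0.113.20 23 connect
2021-11-01T03:05:04 203.0.113.20 23 login_attempt
2021-11-01T03:05:09 203.0.113.20 23 login_attempt
2021-11-02T10:00:00 192.0.2.55 502 connect
2021-11-02T10:00:03 192.0.2.55 502 write_register
malformed line
"""
STATE_CHANGING = {"write_register"}  # events that would alter a real device

def summarize(log_text=LOG, exposed_at=EXPOSED_AT):
    """Summarize time to first contact, sources and events per exposed port."""
    start = datetime.fromisoformat(exposed_at)
    first_contact = {}              # port -> seconds until first contact
    sources = defaultdict(set)      # port -> distinct source addresses
    events = Counter()              # (port, event) -> count
    alerts = []                     # state-changing attempts, for triage first
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            src, port, event = parts[1], int(parts[2]), parts[3]
        except (IndexError, ValueError):
            skipped += 1            # count bad lines instead of hiding them
            continue
        delay = (ts - start).total_seconds()
        first_contact[port] = min(first_contact.get(port, delay), delay)
        sources[port].add(src)
        events[(port, event)] += 1
        if event in STATE_CHANGING:
            alerts.append((src, port, event))
    return {
        "first_contact_seconds": first_contact,
        "distinct_sources": {p: len(s) for p, s in sources.items()},
        "events": dict(events),
        "state_changing": alerts,
        "skipped_lines": skipped,
    }

if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```
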
Getting More Internal and External
Help
Cybersecurity leaders wishing to pursue
such strategies may find themselves
crashing against internal roadblocks: without
strong ties to the business, their functions
are easily cast as an inhibitor rather
than an enabler. Just 46% of P&U respondents
in the EY survey are confident
in the security team's ability to speak the
same language as peers in the business,
and only 31% believe they are seen as
supporters of innovation (Figure 2).
Compared to other sectors, P&U
faces a unique challenge in that investments
are driven by an expectation of
a rate of return over time, and cybersecurity
is labeled an operating expense.
Amid tight budgets, boards are prioritizing
functions where there is a clear
route from investment to added value.
Therefore, they can be more receptive
toward buying tools to save money, but
not optimizing or maintaining them. Security
leaders should make the case that
investing wisely and getting the most
out of their tools enables the business
to make smarter decisions on risk. Most
of us don't think twice about getting on
a plane and flying through the air at 500
miles per hour at 36,000 feet, because
the security protocols in place make us
feel protected. Similarly, the business
can accelerate its plans and reach new
heights if its cybersecurity protections
instill the right level of confidence.
It's also worthwhile to look outside
your organization, including at public-private
partnerships and collaboration opportunities.
Executives may fear that conversations
with regulators, or with other parts of the
government that may interact with regulators,
will result in regulators legislating
what must be done. This risks
adding to what is perceived as an already
significant compliance burden. However,
because these risks are to our nation's
critical infrastructure, and not just to one
company's equipment, P&U organizations
cannot always effectively mitigate risks
independently. The way for these discussions
to be most impactful and focused
is strong engagement between industry
and regulators.
While the battle against digital threats
continues to grow more intense and
complex, P&U companies are making
progress. Increasingly, there are new
tools and more resources to draw on,
and more business leaders are becoming
attuned to the risks they face. To further
equip the business with confidence,
cybersecurity leaders must continue to
engage on increasing organizations' security
IQ, making the case to be involved
early and proactively, and continuing to
build security and resiliency capabilities
enabled by intelligent automation. ■
-Dillon Dieffenbach is a principal at
Ernst & Young LLP and serves as the
EY Americas Energy and Resources
Cybersecurity Leader. He has more than
20 years of experience helping companies
manage cybersecurity and technology
risks across the enterprise. The views
expressed are those of the author and
do not necessarily reflect the views of
Ernst & Young LLP or any other member
firm of the global EY organization.
http://www.powermag.com
