IEEE Power & Energy Magazine - September/October 2016 - 56

humiliated by their active or passive complicity in the housing crisis of 2008, the rating agencies have vowed to get it
right around the impact of cybersecurity risk in the critical infrastructure sector. As these agencies rationalize the
"industrial destruction" motive of hostile nation-states and
terrorist hackers, it is expected they will appropriately come
to the conclusion that a catastrophic attack on a utility is now
reasonably fathomable and increasingly likely. Given the
dearth of regulatory effectiveness and lack of understanding
by key industry officials, the risk concern seems quite pragmatic. If rating agencies follow through, the sector might
expect to see bond rating reductions and higher interest
rates that will increase their cost of capital. One agency has
even suggested that it would consider downgrading insurance companies that accumulate too much cyber risk in their
policy portfolios.

Implications for the Utility of the Future:
Resilience as the Rational Objective
Few utilities currently have processes and skills to develop
cyber defenses capable of stopping motivated, sophisticated
nation-state attacks. If it is therefore assumed, as many experts
suggest, that a successful cyber breach is inevitable, a more
rational objective for utilities is to become cyber resilient,
rather than attempt to become completely cyber preventive.
The distinction is enormous. The likelihood of becoming
100% cyber resistant and impermeable is intuitively impossible. Instead, many businesses can intelligently balance
their security approach between prevention/preparedness
and response/recovery. Preparedness implies readiness for
the inevitable system compromise. Response speaks to a
coordinated, regularly exercised, and stress-tested plan for
post-incident action by well-structured enterprise-wide cross-functional teams. Recovery speaks to equipment recovery (in
the event of physical damage), operational recovery (through
a strong business continuity plan), reputation and customer
trust recovery, and financial recovery.
In the end, cyber-penetrated utilities will be no different than banks, retailers, and public entities that suffer
high-profile breaches. Utilities need to transition from reliance
on a simple compliance approach, assuaging their boards
about their preparedness, to a risk-based concerted program
focused on the remediation of the realistic cyber vulnerability that exists in the 21st century.
The goal should be to mitigate as much risk as possible,
minimize impact, and prepare enterprise-wide to respond to
what the plan should assume is the inevitability of disruptive cyberevents, not only to the IT network, but also the OT
network and ICS field devices. Consequently, responsible
and vigilant companies must consider leading with carefully structured, well-communicated, active management
and mitigation plans as a core component of their mission
assurance programs to maintain a truly protected electric
infrastructure and meet their obligations as a trusted provider of electricity.

Conclusions
ICS-related cybersecurity should be a key component of
every electric utility's enterprise-wide security/risk management program that integrates IT, asset management, risk
management, business continuity management, security,
emergency response, and environmental health and safety. A
holistic cyberprogram should develop and implement a comprehensive and systematic framework designed to align the
business strategy, operating processes, and key performance
indicators with the goal of operating at peak security while
being poised and prepared to expeditiously respond to and
recover from any intrusion. The stakes are significant and
boards of directors and executive leadership should make
this a strategic imperative. The cybersecurity program must
set clear expectations and bring the organization together
around a cohesive set of guiding principles.
Our nation's electric utilities have provided safe and
reliable power for customers across U.S. regions for many
years. With new vulnerabilities now recognized and energy
sector cyberevents documented, now is the time for utilities
to be proactive about cybersecurity, so they can continue to
deliver on their commitment to provide customers safe and
reliable electricity.

Biographies
Ellen Smith is with FTI Consulting, Boston, Massachusetts.
Scott Corzine is with FTI Consulting, New York.
Donald Racey is with FTI Consulting, Pittsburgh, Pennsylvania.
Patrick Dunne is with FTI Consulting, Boston, Massachusetts.
Colin Hassett is with FTI Consulting, Boston, Massachusetts.
Joe Weiss is with Applied Control Solutions, LLC.