by Graeme Pyper, Cyber Security, Thales Australia
Cyber resilience is a challenge for all organisations, but, due to its vital role as a societal backbone, it is of particular importance to the electricity ecosystem. Here, we look at the cyber resilience principles set out in the World Economic Forum’s Advancing Cyber Resilience: Principles and Tools, and extend them to develop industry-specific cyber principles for the electricity sector.
Cyber threats affect all industries but are particularly challenging to the electricity industry due to the interconnected ecosystem in which these organisations operate, and, of course, due to the fundamental nature of the product the industry delivers. The electricity grid is so significant and indispensable to our infrastructure that any large-scale impact would have pervasive financial and socio-economic consequences.
Any successful cyber-attack on the electric grid would immediately threaten both national security and economic stability, because essential service providers such as hospitals, banks, financial networks, water systems, telecommunications and pipelines depend critically on a reliable supply.
There is potential to cripple not just industries but nations. The scale and potential for damage is not lost on cyber threat actors either. Criminal groups, hacktivists aiming to cause civil unrest, and state-sponsored groups conducting espionage all understand the vulnerabilities of electricity organisations, which now operate in an interconnected and interdependent environment where the consequences of a cyber-attack can easily cascade to numerous other parties.
The onus of combatting and managing this growing risk is on leaders. Building a robust and pervasive cyber resilience culture, and instilling it in every person in an organisation, requires that knowledge transfer, defence and culture change start from the top down. Board members and Chief Executives are now obligated to proactively formulate strategies and ensure cyber resilience is interwoven into the fabric of their organisation.
The new interconnected world in which organisations operate requires leaders to fundamentally shift their mindset in two distinct ways¹:
- There needs to be the understanding that cyber-risk is a business and ecosystem-wide risk and not simply a component that fits within the remit of IT risk. Cyber risk management decisions must be integrated into all business decisions.
- Awareness that managing cyber-risk in an interconnected environment means that leaders need to look well beyond the boundaries of their own houses and understand their broader neighbourhoods of suppliers, customers, competitors, peers and regulators, among others².
What needs to be protected in your organisation?
Knowing what needs to be protected is the first step in addressing the challenges of cyber resilience in a complex and interdependent operational universe.
Electricity organisations have interdependent relationships with numerous stakeholders that can span multiple degrees of separation within an organisation. In order to ensure that cyber security and resilience are effectively adopted within the context of business strategy, leaders have an obligation to grasp both the breadth and depth of the connections within their operational sphere.
Being able to produce a map of interconnected stakeholders is also of utmost importance. Identification has to start within the core value chain, specifically the connected infrastructure, and then expand outward to the surrounding business ecosystem of suppliers, customers and peers. This is then encapsulated and supported by a clear picture of the extended ecosystem. This extended ecosystem is known as the strategic layer and comprises policy makers, regulators, law enforcement, insurers and standards bodies.
As digitisation of the grid increases, so too do the complexity and interdependencies of the network layer, i.e. the computer systems³ that interact with one another. Understanding this layer early, and keeping ahead of its growth, gives better insight into the obvious cyber vulnerabilities and highlights how the layer can be used as a highway to propagate a cyber-attack, and how the effects can easily cascade across the ecosystem.
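One way to make the network-layer map described above actionable is to model it as a directed dependency graph and compute how far a compromise propagates. The following is an added example, not code from the article or from Thales; the ecosystem, node names and edges are constructed for illustration and are not real systems. It answers two questions a board report on systemic risk needs: which node, if compromised, cascades to the most others (blast radius), and which upstream suppliers and systems must be in scope to protect a given critical dependant.

```python
from collections import deque

# Constructed sample ecosystem (illustrative names only, not from the article).
# Edge A -> B means "B depends on A": a compromise of A can propagate to B.
ECOSYSTEM = {
    "remote-access-vendor": ["scada-historian", "substation-rtus"],
    "firmware-supplier": ["substation-rtus"],
    "scada-historian": ["dispatch-centre"],
    "substation-rtus": ["dispatch-centre"],
    "dispatch-centre": ["transmission-operator", "retail-billing"],
    "transmission-operator": ["hospital-precinct", "water-utility", "telco-exchange"],
    "retail-billing": ["customer-portal"],
    "customer-portal": [],
    "hospital-precinct": [],
    "water-utility": [],
    "telco-exchange": [],
    # Strategic-layer party: in the map, but with no technical dependency edge.
    "regulator": [],
}


def cascade(graph, start):
    """Return {node: hops} for every node a compromise of `start` can reach.

    Breadth-first search with a visited set, so dependency cycles
    (e.g. a supplier that also consumes your data) terminate.
    """
    if start not in graph:
        raise ValueError(f"unknown node: {start}")
    hops = {}
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for downstream in graph.get(node, []):
            if downstream not in seen:
                seen.add(downstream)
                hops[downstream] = depth + 1
                queue.append((downstream, depth + 1))
    return hops


def reverse_graph(graph):
    """Flip every edge so that BFS walks upstream instead of downstream."""
    reverse = {node: [] for node in graph}
    for source, targets in graph.items():
        for target in targets:
            reverse.setdefault(target, []).append(source)
    return reverse


def upstream_exposure(graph, target):
    """Every node whose compromise can reach `target`, with hop distance.

    This is the set of suppliers and systems that must be in scope to
    protect that asset, regardless of who owns them.
    """
    return cascade(reverse_graph(graph), target)


def rank_by_blast_radius(graph):
    """Nodes sorted by how many others a compromise of each can reach.

    Ties are broken alphabetically so the report is stable between runs.
    """
    sizes = [(node, len(cascade(graph, node))) for node in graph]
    return sorted(sizes, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for node, size in rank_by_blast_radius(ECOSYSTEM)[:5]:
        print(f"{node:24s} can cascade to {size} nodes")
    exposure = upstream_exposure(ECOSYSTEM, "hospital-precinct")
    print("in scope to protect hospital-precinct:", sorted(exposure))
```

In this constructed graph the two external suppliers rank above every internal system, which is the systemic-risk point: the node with the largest blast radius need not be one the organisation owns. Hop distance is also worth reporting, because it bounds how quickly containment must happen before a cascade reaches a dependant such as a hospital.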
Understanding the network layer, and working adeptly and with agility in the strategic layer, is critical to becoming cyber resilient. Cyber security and resilience cannot be regarded in isolation. Leaders need to recognise that a lack of security in their broader neighbourhood undermines their own cyber integrity. Cooperation on cyber resilience is essential between members of a neighbourhood, from oversight bodies to suppliers, customers and employees.
The ten principles for organisational cyber governance
How to secure such a complex ecosystem will be an ongoing challenge for the electricity market. The ever-changing nature of technology, and the shifting sands on which both the network layer and the strategic layer are founded, mean that collaborative and collective efforts will need to be sustained.
In 2017, to help facilitate board oversight and action in support of organisational cyber resilience, the World Economic Forum⁴, in collaboration with leading academics, developed 10 overarching principles for organisational cyber governance. The principles were put in place to assist boards in promoting cyber resilience as a key component of their overall organisational strategy.
Here are the key cyber resilience principles, which act as a precursor to the seven⁶ additional principles that are specific to the electricity industry:
Principle 1 – Responsibility for cyber resilience
The board as a whole takes ultimate responsibility for the oversight of cyber risk and resilience. This primary oversight may be delegated to an existing committee or to a new, dedicated committee.
Principle 2 – Command of the subject
Board members receive cyber resilience training upon joining the board and are regularly updated on threats and trends, with advice from independent external experts when requested.
Principle 3 – Accountable Officer
The board ensures that one corporate officer is accountable for reporting on the organisation's capability to manage cyber resilience and its progress in completing cyber resilience goals.
Principle 4 – Integration of cyber resilience
The board ensures that management integrates cyber resilience and cyber risk assessment into overall business strategy and enterprise wide risk management, as well as budgeting decisions and resource allocation.
Principle 5 – Risk appetite
The board annually defines and quantifies business risk tolerance relative to cyber resilience and ensures that it is consistent with corporate strategy and risk appetite.
Principle 6 – Risk assessment and reporting
The board holds management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item during its meetings.
Principle 7 – Resilience plans
The board ensures that management supports the officer accountable for cyber resilience through the creation, implementation, testing and ongoing improvement of cyber resilience plans, which are harmonised across the business.
Principle 8 – Community
The board encourages management to collaborate with stakeholders, as relevant and appropriate, in order to ensure systemic cyber resilience.
Principle 9 – Review
The board ensures that a formal, independent cyber resilience review of the organisation is carried out annually.
Principle 10 – Effectiveness
The board periodically reviews its own performance on implementation of these principles and seeks independent advice for continuous improvement.
Principles specific to the electricity industry
In addition to the ten general principles, seven industry-specific principles have been developed to guide boards in the electricity industry to advance systemic cyber resilience. These principles are tailored to the specificity of the industry, its dependants and interdependencies, and its inherently dynamic nature.
Principle E11 – Cyber resilience governance
The board requires management to implement comprehensive cybersecurity governance, which governs information technology (IT), operational technology (OT), physical security and digital transformation, ensures interoperability within the organisation and drives alignment across the ecosystem.
Principle E12 – Resilience by design
The board promotes a security-by-design/resilience-by-design culture and requires management to implement such a culture and document progress.
Principle E13 – Going beyond compliance
The board ensures that cyber resilience posture and efforts extend beyond compliance, towards a holistic risk management approach, and are supported by adequate funding and resourcing.
Principle E14 – Systemic risk assessment and prioritisation
The board holds management accountable for understanding the organisation's interdependencies within the ecosystem, reporting on systemic cyber risks posed by the ecosystem (especially the supply chain), and planning and prioritising cyber resilience efforts accordingly.
Principle E15 – Corporate responsibility for cyber resilience
The board encourages management to consider what cyber risks the organisation, its cyber culture and practices may pose to the ecosystem, and appropriately explore how such risks can be reduced.
Principle E16 – Ecosystem-wide collaboration
The board empowers management to create a culture of collaboration, set strategic objectives around information sharing and understand and mitigate cyber risks in the ecosystem.
Principle E17 – Ecosystem-wide cyber resilience plans
The board encourages management to create, implement, test and continuously improve collective cyber resilience plans and controls with other members of the ecosystem. These plans should appropriately balance preparedness and protection (e.g. defence in depth strategies) with response and recovery capabilities.
¹Boston Consulting Group Whitepaper, Building cyber resilience into the electricity ecosystem, https://www.bcg.com/publications/2019/building-cyberresilience-electricity-ecoysystem.aspx
⁴World Economic Forum Whitepaper, Cyber resilience in the electricity ecosystem: Principles and guidance for boards, https://www.weforum.org/whitepapers/cyber-resilience-in-the-electricity-ecosystem-principles-and-guidance-for-boards