Security for public utility companies comes in many forms. Whether we're talking about data security, overall cybersecurity, or physical security measures, all of these components are essential to a secure operation. Enforcing security policies for public utilities is a critical business function. The best policies in the world end up being for naught if they are not effectively enforced. The quantity of customer data possessed by public utilities is substantial, and some of that data includes sensitive information like social security numbers, payment card information, and even bank accounts numbers or banking information.
According to the U.S. Department of Homeland Security, the energy sector has become the single biggest cybercrime target in the country, and they have formed an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to respond to threats such as those. A Lloyd's of London analysis of the effects of a distributed attack on the U.S. electrical grid revealed that damages could reach as high as $1 trillion, include substantial loss of life, and result in negative effects on other utility companies like the water system and gas utilities. Add to that the fact that a cyber attack on an internet-connected device occurs approximately every 39 seconds, and you can see why security for utility providers is of such concern.
Cybersecurity Regulatory Requirements
The civil liability, reputational damage, and financial loss of a successful cyber attack are not the only issues facing the utility industry. There are a host of regulations put in place by the federal government, at the state level, and even at the county/municipal level. Fines and other penalties for violations of those regulations can add up, and there are some regulatory standards that can easily be overlooked when the focus of your enterprise is on critical infrastructure. For example, if your organization takes payments via credit card, then they are bound by the guidelines of the Payment Card Industry Data Security Standards (PCI-DSS), and while that is not a government regulation per se, it has been codified into law by several states. In addition to those state penalties, non-compliance can result in fines and other penalties from card issuers.
U.S.-based companies have to comply with the rules of any state, territory, country, or other governing body through which their infrastructure passes, they do business, or whose citizens' sensitive data comes into their possession even in a limited capacity. While the EU has regulations like GDPR and Brazil has LGDP regarding rules on the storage, use, and security of individuals' sensitive information, the U.S. has a quagmire of local regulations that can change substantially through a utility company's area of operation.
Some states are entirely unregulated while California has the CCPA and Washington has RCW 19.29A. Notably, those Washington State statutes apply specifically to utility companies. New Jersey has gone a step further and instituted extensive cybersecurity requirements for all electric, water, wastewater, and natural gas utilities through their Board of Public Utilities. This patchwork of regulations can add serious difficulty when trying to ensure that your security planning and data security policies are compliant with all applicable regulations.
Furthermore, the Federal Trade Commission has taken law enforcement action consisting of civil penalties and injunctive relief against companies that have engaged in deceptive business practices such as failing to secure customers' data after representing that they were doing so. There are also the NERC CIP standards for bulk electric system suppliers that have been set in place by the Federal Energy Regulatory Commission (FERC) to consider. With so many potential pitfalls on the regulatory front in addition to the standard threats of cyber attacks, there are many reasons why enforcing security policies for public utilities can be challenging.
Physical Security in Utility Companies
Not only do all of the above cybersecurity concerns come into play when considering risk management or security planning functions for public utilities, but physical security has also been shown to be equally important. As we mentioned above, some states leave utility cybersecurity regulations untouched, others legislate various requirements, and some include physical security measures as a part of those regulations.
Over the last several decades, there have been a number of physical attacks against critical infrastructure like transmission lines, electrical substations, and gas pipelines in both the United States and abroad that have illustrated the need to include site security measures as a part of your risk management process. Something as simple as a single person with a rifle can cause widespread power outages and major damage to electrical substations as we saw in California in 2013, Utah in 2016, and at two locations in North Carolina in 2022.
FERC has mandated a number of physical security measures that must be put in place, but those regulations only apply to the bulk electric system. Shielded transformers and other access control and monitoring features enhance the security of substations and transmission facilities, but without state and local utility companies being mandated to apply those standards to their own location, the effectiveness is limited. Widespread, major outages may be avoided, but local incidents like those listed above will continue to occur.
Cybersecurity Policy Enforcement
From a cybersecurity perspective, policy enforcement is a data security task that encompasses access control, network design features, firewall settings, software applications, and even hardware all with the goal to prevent and detect data breaches. Features like encryption, network segmentation, and externalized authorization all need defined policies to operate effectively, and ensuring that they are applied, working as intended, and being used by all staff, vendors, and other stakeholders is the function of policy enforcement.
Employee training, contract terms, and communication can be used to increase compliance. Being clear about the need for specific policies has the added benefit of improving voluntary compliance, but those methods will fall short when combating the threat of a compromised or malicious insider and some other types of data breaches. For that reason, we recommend considering the use of real-time policy enforcement and security programs that allow live monitoring functions.
Real-Time Policy Enforcement Programs
Real-time policy enforcement for public utilities is an emerging approach that can provide a much higher level of security. As the name suggests, real-time policy enforcement involves security planning that allows your team to monitor live traffic through an access control management program. You can adjust data sharing policies, automate security features and access control, and improve your control of your sensitive information all in real time.
The effect that software such as this can have on your cybersecurity posture and your agility can't be understated. Some automated programs can even be set to send alerts to your security team when policies are violated or suspicious activity is detected; this can allow you to respond to potential data breaches and other time-sensitive incidents in a much more coordinated and prompt fashion. Enforcing security policies for public utilities is a task that must take center stage in your security planning.
At Venture Lynk Risk Management, our goal is to help you manage any type of risk that you may be facing. We specialize in handling high-risk industries and can provide you with everything from operational risk management and intellectual property protection to a comprehensive vendor risk management program. Reach out today to speak with our expert staff and see how we can address any risk management concerns that you have.
