With the large number of cyber attacks worldwide, Seán McGurk, global managing principal for Verizon’s Investigative Response, emphasizes three key things that should guide how energy and utility companies set out to protect their assets adequately.
- New Rules: According to McGurk, a significant area of concern is uncertainty around new rules that will emerge and understanding how the proposed legislation will impact the industry.
“At a time of increasing complexity it is essential for energy and utility companies to engage in the process in order to help shape the outcome,” said McGurk.
In February 2013, an Executive Order (EO) on Cyber security and a Presidential Policy Directive (PPD) on Critical Infrastructure was signed in the U.S. to strengthen the security of critical infrastructure against evolving threats through an updated and overarching framework.
“By leveraging this opportunity, asset owners and operators may provide direct input in order to guide the process and ensure the vital interests of the utilities community are considered. This can be achieved in collaboration with the federal, state, local, tribal and territorial representatives,” McGurk added.
- Resiliency: While many in the intelligence community stress the growing importance of enhancing existing security measures, McGurk encourages a holistic stance particularly as grid modernization becomes even more prolific.
“Our responsibility is to not only equip utilities so that they can thwart the most sophisticated cyber campaigns in an ever-evolving landscape, but also provide them with the tools that help them to recover efficiently in order to restore functionality and services to their customers as quickly as possible following a breach,” McGurk continued.
- Risk: When it comes to risk management, McGurk points out that threat actors or a specific series of events are often times the primary focus rather than the overall risk to the systems. He says that understanding the vulnerabilities and potential consequences will better prepare a defensive posture for utilities.
“Historically, many companies have focused primarily on defending the perimeter. Instead, a more acceptable operational posture is to maintain a more robust defensive strategy by looking at the concentric layers of security in depth,” said McGurk.
According to Verizon’s 2013 Data Breach Investigations Report, more than twenty percent of network intrusions involved the manufacturing, transportation and utilities industries, with the same percentage affecting information and professional services firms. Of all cyber attacks, 38 percent impacted larger organizations and represented 27 different countries.
For more information on Verizon’s security solutions, click here.