by David Locke and Marty Uczen
Looking back at analyst predictions within the energy and utilities industry for 2013, one trend promises to gain significant attention going forward – Information Technology (IT) and Operational Technology (OT) convergence. As energy and utility companies continue to modernize their communications infrastructure, the boundaries between IT & OT continue to blur. In fact, this convergence is not only becoming necessary, it has the potential to create tremendous value for these energy and utility companies. However, it does not come without its share of risk, namely security.
As the convergence of OT, IT and advanced communication technology usually takes the limelight, let us first look at the critical thread running through it all – security. Airtight cybersecurity is likely on most CIOs’ Christmas list this year, and it happens to be the subject of IDC’s Prediction 7: Utility CIOs' security practices in 2013 and beyond will center on risk management.
Governance, risk and compliance strategies are usually top of mind for energy and utility CIOs. North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC-CIP) compliance always makes the list, but sound security risk management has continuously appealed to CIOs because it has at its core the idea of spending money on security where it is actually needed, based on your threat exposure. We are talking about evidence-based risk management.
Service providers with network, security and data assets are in a position to take this concept to the next level and beyond with automated intelligence cultivation and feed systems. As almost every client asks, "If you can see an attack and have all this intelligence, why can’t you just stop it before it hits my network?" Solutions are possible that will block or 'actuate' communications with known bad actors by IP address, by behavior and by other factors.
Threat intelligence is available today from sources such as the Verizon Enterprise Risk and Incident Sharing (VERIS) community, the federal government, and many private firms. Service providers with a global public IP backbone, databases of reports from internal investigative response teams and managed security services logs have the potential to offer next-generation early warning security services. By combining strands of threat intelligence from all of these sources into a real-time machine-readable format, new security indicator databases are possible. Asset-based service providers can use the intelligence within these real-time databases and selectively deploy custom defenses against specific types of attacks, activism, and espionage – in line with the customer’s industry. For example, for the operational network of a utility customer, actuation logic can be applied for targeted threat actors associated with Supervisory Control and Data Acquisition (SCADA) attacks.
In April, Gartner identified IT and OT Convergence as one of the Top 10 technology trends for the Energy and Utilities Sector in 2013. Arguably, communications technology should be added to what is getting to be known as the "three-legged stool" of convergence. Perhaps the addition of a fourth leg needs consideration – that of the people and process aspects. As an analogy, the converging of IT, OT, and communications has the utility industry facing a situation similar to what the telecom industry faced when enterprises moved to Voice over IP technologies. Enterprises had siloed data and voice networks as well as siloed network and voice organizations. It wasn’t until the organizational control became consolidated that the voice and data networks began to merge more rapidly.
Internal conflicts rage at many utilities over where the demarcation lines (make that battle lines) should be drawn between IT and OT. OT groups tend to focus purely on the electrical grid and IT does not have competencies in operations around telecommunications. Energy modernization services providers like Verizon can help energy and utility companies with their plans to integrate the goals and objectives, challenges and requirements, of all three groups (IT, OT, Comms) and help craft the necessary governance to ensure consistency and standards to drive efficiencies. In the end, that is what it’s all about – better business outcomes.