By Andy Bochman
In the final moments of Blade Runner, Rutger Hauer's character, close to death, tells Harrison Ford: "I've seen things you people wouldn't believe."
Over the course of the next several posts I'm going to go through some of my sanitized field notes and let you see things you may or may not believe, some good, some not so good. Nothing quite as cosmic as what Hauer relates in his final moments, but it should be interesting if you're in or work with the industry.
Let's start off the series on a positive note with the formation of Security Advisory Boards. Investor Owned Utilities (IOUs) typically have a number of boards: executive, safety, governance, audit & compliance, etc. However, you can dig through annual reports and review the investor information sections on company websites for a long time and you likely won't find much if anything relating to cybersecurity risk strategies, concerns or activities.
Yet in visits to utilities over the past two years I came upon half a dozen or so that had either assembled a representative group of various executives and functional leads to talk about cybersecurity from an enterprise-wide perspective, or were getting ready to do so. Members tended to include the CIO, the head of cybersecurity, the head of physical security, leadership from different functional areas and one or two more senior executives.
Some of the potential benefits include improved flow of communications between different parts of the company, more business input into security policy and planning, and better understanding across senior management about current security status, emerging requirements, and new threat types.
Perhaps some of these utilities made this move according to their own logic. Others, possibly, noticed a recommendation for standing up security governance boards in DOE's 2012 ES-C2M2, which you can download HERE.
My hunch is the percentage of utilities with security-focused boards of any kind is in the single digits, maybe the low single digits. Nevertheless I am heartened by what seems to be a nascent trend. For utility CEOs or boards who want to respond to regulator calls for more oversight and activity on cyber, this is one inexpensive, non-disruptive way for them to begin.
Andy Bochman is Principal at Bochman Advisors LLC which focuses on increasing cybersecurity awareness in utilities and the federal and state organizations that regulate them. A contributor to industry and national security working groups on energy security and cybersecurity, Andy lives in Boston, is an active member of the MIT Energy Club, and is the founder of the Smart Grid Security and DOD Energy Blogs.