How utilities should organize cybersecurity training



Public services are also the target of less sophisticated attacks. Ransomware remains a major threat. In the wake of the recent attacks, Duke Energy CEO Lynn Good told Bloomberg, “The industry understands that we are a target.”

Despite growing awareness of the need to improve cybersecurity in the energy sector, McKinsey notes that there are still inconsistencies in the ability of utilities to secure funding to invest in cybersecurity controls. “In many states, regulators do not have the dedicated talent to review budgets for cybersecurity programs, which are factored into a utility’s billing rates to customers,” says McKinsey. “In addition, some municipalities offer energy services independent of a major utility. This may alleviate customer concerns with existing energy players in the market, but many of these municipalities remain under-prepared or understaffed to ensure the deployment of enough cybersecurity controls to reduce risk.”

Established frameworks exist to help combat cyber threats

In a CDW Tech Talk webcast in July, CDW Field Information Security Solutions Architect Tyler McChristian noted that IT security concerns have increased this year due to an increase in highly publicized attacks during the first half of 2021.

For organizations re-examining their security strategies, McChristian said, “The first thing I always say is to be proactive. It might not necessarily be another set of security tools. I encourage organizations to look at their security posture from a technical or political perspective. Starting with something like a penetration test or aligning with a security framework is going to really help you, as an organization, assess where you are today, where you might need to improve, and what is the best way forward.”

He recommended two common frameworks that companies can use as best practices. According to McChristian, the CIS controls of the Center for Internet Security and the cybersecurity framework of the National Institute of Standards and Technology are great starting points for any organization.

In addition, the Cybersecurity and Infrastructure Security Agency has developed its own cybersecurity framework to help organizations better manage cybersecurity risks and improve cyber resilience.


Federal agencies set cybersecurity performance targets

As instructed in President Biden’s July 28 note on cybersecurity and the country’s critical infrastructure control systems, the Department of Homeland Security has developed preliminary cybersecurity performance targets for the control system, with intersectoral as well as sector-specific objectives.

As part of this process, CISA and NIST identified nine categories of recommended cybersecurity practices and used these categories as the basis for preliminary cybersecurity performance targets for the control system.

In September, CISA announced that it had set the following definition for its training and awareness objective: “Train staff to have the fundamental knowledge and skills necessary to recognize the cybersecurity risks of control systems and understand their roles and responsibilities within the framework of established cybersecurity policies, procedures and practices.”

Objectives of cybersecurity training and awareness

The objective sets basic objectives for training, including ensuring that operators and administrators of the control system understand the concepts, terminology, activities and threat environment associated with the implementation of the practices recommended for cybersecurity. CISA will recognize an organization for achieving this goal if it requires regular cybersecurity awareness training for all employees and role-based training for control system operators and administrators.

Control system operators and staff should also be able to recognize indicators of potential compromise and know what steps to take to ensure the success of a cybersecurity investigation. According to CISA, this goal has been successfully implemented if “the organization has dedicated resources and funds to enable control system operators to attend technical trainings and conferences on the latest indicators of potential compromise and best intervention practices”.

Organizations can demonstrate their implementation of enhanced training goals by showing that they offer online or instructor-led training in control systems security to ensure a comprehensive understanding of their roles and responsibilities. Such training is available from several IT companies, such as Mimecast, and organizations such as the American Public Power Association.

