CIOReview
December 2015

In My Opinion

By Scott Self, CIO, Tennessee Valley Authority

In an unassuming room anywhere in the world, a shadowy figure faces a computer screen. He isn't armed with a gun or a bomb, because he doesn't need one; he is a criminal who does his work with a keyboard and mouse. And if he is able, he can use his skills to hack into a power company's entire system--not just computers, but electric power infrastructure--and create harm.

Although this sounds like something out of a movie, it keeps security personnel in the utility industry awake at night. Connectivity has enabled smart grids, distributed generation, rapid load shift management and the ability to spot issues that were unimaginable 20 years ago.

However, this interconnectivity also creates vulnerabilities. As technology becomes increasingly interconnected, so do the risks. "Cyber security is a top concern for our nation's utilities," said Scott Self, CIO, Tennessee Valley Authority. "Utility IT professionals understand that, and they must be on the cybersecurity front lines in order to protect the nation's power grid."

The media has written a lot recently about concerns over utility cybersecurity, raising fears. But what the public may not realize is that cybersecurity for the utility industry is highly regulated and compliance is not an option. For example, all utilities in the United States must comply with the standards set forth by the North American Electric Reliability Corporation, the Critical Infrastructure Protection Standards, among others.

Utilities recognize that today the cybersecurity game has changed. According to the ICS-CERT Monitor Newsletter, a publication of the U.S. Department of Homeland Security, 32 percent of the 245 reported cyber incidents that happened in 2014 occurred in the energy sector. In the past, cybercriminals looked to exploit information for financial gain or to attack a company's reputation.
In addition to protecting customer and employee personal information, utilities must be concerned about cyberespionage and protecting critical systems and infrastructure.

Why are utilities considered cyber targets?

Unlike other industries, utilities are one of the few businesses where the cyber and physical worlds intersect. For example, a utility's network supports many important physical assets within energy delivery systems--generating facilities, substations, switch yards, power lines and oil or gas pipelines. Protecting these systems keeps utility IT professionals laser-focused on security every day. Therefore, the "new normal" in the utility industry is to use advanced technology to secure both physical and cyber assets equally.

As the largest public power utility in the United States, Tennessee Valley Authority serves nine million people across seven states with a 99.999 percent reliability rating. Any interruption in power could result in serious health and safety risks and threaten hardship across the entire Tennessee Valley. TVA fully understands the environment and takes cybersecurity extremely seriously.

"We recognize that there is no single solution to cybersecurity. Protecting the TVA network from multiple threat vectors takes extensive planning, flawless execution and constant diligence," said Philip Propes, TVA's Chief Information Security Officer, adding that TVA's goal is to blend cybersecurity and physical security for predictive modeling and analysis.

Managing cyber threats requires TVA to go beyond the compliance standard through robust, layered security protocols.
A strong cybersecurity strategy and culture are key, along with tactics such as:

· Risk-based multi-tiered threat analysis
· Highly skilled cybersecurity professionals
· 24/7 enterprise-wide monitoring control center
· Strong network security and authentication
· Predictive analytics and analysis
· Resilient systems

"TVA believes in a defense-in-depth security approach that has proper segmentation, monitoring and redundancies that will allow us to address a wide range of cyber-scenarios," said Self.

While there are many facets to the TVA security program, the company is sharing some of its best practices.

Meeting the Cybersecurity Challenge