CIOReview
December 2015

Clear Organizational Security Structure

"While each utility may manage their cybersecurity differently, we found that a mix of centralized and decentralized security functions works best for our business," said Self. Monitoring, incident response, forensics and intelligence are more efficient when they are centralized. On the other hand, functions such as server maintenance, patching and antivirus updates work better as decentralized functions. The key takeaway is that utilities must understand and implement security processes that work best for their organization.

Information Security Training

Another best practice TVA follows is maintaining an aware and well-trained workforce. TVA's cybersecurity team works directly with their HR department to help develop a strong information security culture. This security culture is supported by clear information security policies as well as training developed by the cybersecurity team. "Information security is not a spectator sport. Everyone at all levels of TVA is engaged and understands that they are part of the security solution," said Self.

Each year TVA employees and contractors receive mandatory annual training on recognizing and reporting perceived cyber threats. Additional training may be required for some employees' roles within the organization. This training is especially important now, because while the number of emails containing spam has fallen recently, the amount of malware discovered has spiked, almost doubling from 29.2 million in April 2015 to 57.9 million in June 2015. "Our goal at TVA is to educate our workforce to prevent them from falling victim to phishing attacks and clicking on malicious links that download malware or spyware," Self explained. Employees are encouraged to report cybersecurity issues through TVA's "See Something, Say Something" philosophy.
In addition, TVA's information security policy addresses the use of hardware, such as prohibiting employees from plugging unapproved USB devices into company computers.

Preparation and Drilling

Constant drilling is another lesson learned at TVA. According to a 2015 survey released by Lieberman Software, 63 percent of companies run cybersecurity drills. Drills keep recovery plans updated and build relationships within organizations. "The first time you meet your business partners should not be on the day you tell them that there is a problem," said Self.

In addition to coordinating national drills like GRIDEX (the utility industry's crisis response to simulated coordinated cybersecurity and physical security threats), TVA conducts internal "red-team exercises" in which TVA teams probe computer systems to test reactions and the remediation processes. These exercises provide a safe environment that allows TVA's cybersecurity specialists to be prepared to aggressively respond in the event an attacker gets through countermeasures. Lessons learned are incorporated back into TVA's processes, creating a cycle of continuous improvement.

Outreach, Educate, Share

TVA works with the cybersecurity teams from a variety of local, state and federal government agencies to share information. As a government agency, TVA is in a unique position to collect and share information with others in the utility industry. TVA regularly meets with governmental peers and local power company customers to stay informed about emerging issues and to support organizations that need assistance solving problems.

While TVA cannot reveal details of its security program, there are many actions TVA is taking to protect its power grid and the people who depend on it. Scott Self explained, "Growing our knowledge in cybersecurity is vital to our industry.
As an industry, we need to work together to reduce vulnerabilities and put safeguards in place to ensure the security of our generating and transmission systems."

"As technology changes, so must cybersecurity. We will stay ahead of the curve and maintain our focus to move beyond security compliance to proactively address emerging issues."

"In addition to protecting customer and employee personal information, utilities must be concerned about cyberespionage and protecting critical systems and infrastructure."
Scott Self