Security and Resilience (Cyber and Physical)

Strong cybersecurity needs strong governance and policy

Sponsored Advertising Feature

Winner of the prestigious Malcolm Baldrige National Quality award in 2017, Fort Collins, Colorado is recognized as a city intent on innovation and its utilities’ cybersecurity program is no exception, thanks to an effort that started three years ago.

At the time, the City was working on a multi-year improvement program to win the Baldrige Presidential honor — achieved by only two other cities since Congress created the award 30 years ago.

The City’s public power utility realized that its cybersecurity program could be further matured. While it had trained personnel and installed important hardware and software, it realized there were opportunities for improvement related to governance and policy.

“We were finding that a lot of good work was happening, but that it could be better coordinated and prioritized,” said Jen Barna, cybersecurity analyst for Fort Collins Utilities, which provides electric, water, wastewater and stormwater services to approximately 75,000 residential and commercial customers.

Fort Collins Utilities already had various cybersecurity practices in place for supervisory control and data acquisition in both the Light and Power and Water utilities, as well as other areas of Utilities and the City. But Utilities wanted to step it up, Barna said. Doing so required balancing “security decisions with business/operational needs and being conscientious of our limited resources.”

“We have a culture of doing the right thing because it’s the right thing to do, but when it comes to cybersecurity, many people don’t know what the right thing is. We needed policies to help set expectations and provide accountability. We also wanted to improve our cybersecurity governance, so we could be more strategic with available resources,” said Barna.

To improve policies and procedures, Utilities decided to seek outside assistance. In 2016, it issued a competitive request for proposals, which resulted in hiring the cybersecurity services and engineering consulting firm AESI-US.

Governance and policy improvements are more difficult to describe than software or hardware installations, but they are crucial to cybersecurity. People often don’t know how to behave when threatened, Barna said. Having policies and procedures in place gives them instruction. She provided a relevant example from the non-cyber world. 

“When you see a pill on the sidewalk, it’s obvious you don’t want to eat it. However, when people see a random USB drive in a conference room, it is not obvious to many of them that they shouldn’t plug it into their computer. Awareness plays a big role in educating people about proper behavior but having written policies and procedures ensures that we’re all playing by the same rule book and accountable for our actions,” she said.

Steps to better policies

AESI got started by assessing cyber risks faced by Utilities then mapped findings to frameworks created by the National Institute of Standards and Technology and Baldrige Cybersecurity Excellence.

The operational risk assessment helped uncover vulnerabilities and weaknesses within Utilities’ cyber program. AESI identified the most important attack vectors, first mapping the systems and environments Utilities needed to protect, then uncovering possible sources of attack — both from outside and within the organization.

AESI also developed a five-year cybersecurity plan for implementing security controls and security management practices.

“We hired AESI to do a risk assessment for Utilities and use the NIST cybersecurity framework to do a gap analysis to see where we were and what our opportunities for improvement were,” Barna said. “Then AESI helped us develop a roadmap for maturation.”

Focus on privacy

The energy industry tends to worry — understandably — about hackers disrupting operations and causing power outages. But that’s only one kind of mayhem they are apt to create. Several recent high-profile breaches — Equifax, British Airways, T-Mobile — made clear that thievery is another prime motivator, particularly of personal information, such as social security numbers or credit card information.

“When we say cybersecurity, it's really cybersecurity and privacy,” explained Doug Westlund, AESI senior vice president.

Utilities like Fort Collins can be particularly vulnerable to privacy breaches, so AESI took the opportunity to improve its privacy protocols. According to Westlund, customer privacy requires vigilant cybersecurity on both the front and back end of operations.

“Privacy is really kind of the elephant in the room. Many will think that, ‘I've implemented the firewall, I'm okay.’ But your people are within the confines of that firewall with authorized access to all your systems,” Westlund said.

He added: “And if those users go in there and unknowingly compromise the system, that firewall isn't doing anything for you really in terms of protecting personally identifiable information or sensitive information within the Utilities or City — or information about your customers.”

Educate employees

Whether a utility is warding off an attack on operations or protecting privacy, employees play a key role. So Fort Collins Utilities is intent on keeping them informed as it institutes policy and governance changes. It has created a formal cybersecurity team for employees to contact with their questions or concerns.

In addition, the IT department is developing a program to educate employees about how their actions can lead to a breach. However, Barna emphasized, the changes are not meant to penalize anybody but to let employees know how important cybersecurity is to them and Utilities’ customers.

The new educational campaign has had an impact. “More people are coming to my office and asking questions, looking for guidance and they’re not shy about that — that’s great!” Barna said.

Integration with other City departments

Now the City of Fort Collins has employed AESI to initiate a Citywide extension of what it’s done for Utilities.

“Our cybersecurity program needed to be integrated with the culture and the goals of the City and Utilities. And the City Council had identified cybersecurity as a strategic goal for the City,” Barna noted.

She added: “We are looking for as many latches as we can so that the cybersecurity program is well-integrated at the start and doesn’t seem like a bolt-on. The City stood to benefit from Utilities’ cybersecurity system improvements since the systems are integrated. Governance improvements are being applied Citywide.”

Governance deals with linkage of cyber programs throughout the top rungs of an organization. “The CEO equivalent in a city is the city manager. Right from the city manager through the executive team and then to the operational teams, you need governance,” said Westlund.

Creating a governance overlay is crucial for several reasons. At the operations level, it determines what’s done. At the executive level, it fosters support and wards off the tendency for organizational leaders to ignore cybersecurity as merely a job for tech support.

“Governance started as sponsored by the Utilities department, but by the time we concluded, it became a value for the entire City,” Westlund noted. “So, really what Fort Collins and their IT staff have done with our help is to expand this program from the Utilities to a Citywide cyber practice program. And I think that's a real success story.”

Lessons learned

What advice do Barna and Westlund have for other public power utilities looking at their cyber governance, policy and procedures?

Barna says navigate carefully when soliciting outside contractors. It’s important to provide enough detail in an RFP so that contractors can scope the job accurately. But, at the same time, giving out too much information in a public forum opens the utility to exactly what it is trying to avoid — cyber exposure.

Barna also advised that utilities take baby steps and avoid trying to complete too much of a plan too fast.

“A cybersecurity framework gap analysis may reveal an overwhelming number of opportunities for improvement. Work on a few fundamental tasks that provide the most bang for the buck. Maybe pick five to start,” Barna said.

The bottom line for utilities such as Fort Collins Utilities is continued focus, according to Westlund. 

“Don’t think that after you install the right hardware and software that you are protected from attack,” he said.

He said, “Effective cybersecurity protection comes from a three-legged stool: proper governance, people practices and technology.”

For more information about AESI, visit the company’s website.