Controlling Cybersecurity Risk

The Human Factor

BY MARTIN ROSENBERG
Editor-in-chief, EnergyBiz

Cybersecurity is a growing risk to utilities. Patricia L. Kampling, chairman, president and CEO of Alliant Energy, assesses the risk and responds to it below.

EnergyBiz: How do you view cybersecurity risk?


Patricia Kampling

Kampling: Those of us with a background in finance tend to think of risk management in fairly conventional terms: mitigate, accept, avoid and transfer risks according to your priorities. This approach works for many types of risk. But when it comes to cybersecurity in today�s utility industry, the nature of current threats is changing the way we think about assessing, managing and living with risk. In the utility industry in the past, when we thought about security, we tended to think about compliance, which meant taking the steps necessary to meet regulatory requirements. However, the nature of today�s cybersecurity threats � threats that could attack, damage, or gain unauthorized access to networks, facilities, data or programs � means the costs of not being prepared far outweigh the cost of doing more than what�s required.

EnergyBiz: Describe the threat.

Kampling: As an industry, we are facing an unprecedented volume of attacks. In 2012, more than 40 percent of cyber-attacks were aimed at the energy industry. Other threats target personally identifiable information or key physical assets. And there�s been a dramatic increase in the frequency and complexity of these attacks. Risk arises not just from enemies but potentially from business partners as well. As an industry, we have third-party vendors that support key systems, host private data for employees or customers, or fulfill our supply chain orders for hardware and software. These organizations must be included in protection efforts. Social media in particular creates another avenue for malware attacks to appear disguised as messages from a friend or colleague. This means our cybersecurity responsibilities are significant: they include safety and reliability, privacy and data integrity, business continuity and reputation management. A compromise can affect our company�s stock price, provide a launching point for regulatory investigations and fines, and reduce revenue.

EnergyBiz: How well are utilities working with the federal government?

Kampling: Coordination with the federal government�s security personnel has improved in recent years. Even just a few years ago, information we received from the federal government regarding threats to security tended to be dated and vague. Today, federal agencies give us real-time, specific, actionable information. We are now in a position to develop a robust response because the information is quickly and easily funneled to all appropriate security departments in the company.

EnergyBiz: What policies are working for your organization?

Kampling: Looking across our many security efforts, we�ve also seen the role the human component plays in mitigating these risks every day. One of our lessons learned is that employees are both our greatest asset and greatest risk, and going forward we are rolling out extensive employee training efforts to develop an awareness and culture around each individual�s important role in ensuring cybersecurity. As long as our business is based on technology and human activity, cybersecurity risks will continue to be a high probability with a potentially high impact. The good news is that with the right internal coordination and reporting structure in place, we can remain vigilant and adaptable in the face of this ever-changing threat.

These and related issues will be addressed in depth at the EnergyBiz Leadership Forum March 3-4, in Washington. The theme: Securing Power - Stategies for a New Era.

To subscribe or visit go to: http://www.energycentral.com