Setting up a cybersecurity operations centre – TVA shows how

Employees are first line of defence in Tennessee Valley Authority’s new Cybersecurity Operations Centre.
Published: Mon 24 Sep 2018

Cybersecurity is not simply about installing firewalls and malware detection software in IT systems. It is as much about the approach taken at a holistic level within the organisation.

A common recommendation for utilities is to develop a cybersecurity operations centre to support their defence strategy, and this is the approach taken by the Tennessee Valley Authority (TVA) with the implementation of a state-of-the-art centre within its Chattanooga office complex.

“Cybersecurity is a hot topic these days and frequently in the national news,” says Andrea Brackett, Director of TVA’s Cybersecurity group. “In reality, it’s a challenge that we’ve seen growing for several years. For example, major breaches were announced last year by Equifax and Yahoo. The energy sector is another very popular target for cyber crime.”

TVA is the largest public power utility in the US, supplying 9m people in seven southeastern states. As such, and with its substantial nuclear portfolio, TVA is considered a likely target for cyber attacks.

Advanced intelligence

Over the past few years, TVA has heightened its cybersecurity capabilities and improved preparedness for cyber incidents that could impact the electric power grid, the company says.

The new Cybersecurity Operations Centre, which opened its doors in October 2017, is where TVA’s core cybersecurity team monitors the cyber activities taking place across the company and collaborates to share intelligence and build mitigating strategies.

“The Centre monitors systems 24/7 and closely tracks not only local and national cyber activity, but foreign threats as well, including those posed by nation states,” says Brackett.

The company says that, with cyber crime on the rise, it sees tens of thousands of attempts daily and has identified and blocked hacking activities, including those conducted by nation states that pose ongoing threats.

Brackett adds that TVA is in a unique position as a federal utility, with close relationships with federal intelligence community partners such as the FBI, the Department of Homeland Security and the Department of Energy. This allows the company to prepare for and respond to cyber threats, often earlier than its industry peers.

“Our comprehensive cybersecurity programme aligns with industry best-practices to predict, protect and respond to threats. As an industry we gather intelligence and collaborate with neighbouring utilities and the Electricity-Information Security Analysis Center (E-ISAC) to stay alert and informed of emerging cyber threats.”

In the US there is an array of industry and government regulations that must be adhered to, including those set forth by the Federal Information Security Management Act (FISMA) and the North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC CIP).

TVA’s cyber defences

TVA has what Brackett describes as an isolated and layered defence system, and as a result the company has not experienced a power outage due to a cyber attack.

She says that employees are the first line of defence against cyber threats and credits them as the key to the success of TVA’s programme.

“Not only do we have a well-trained and experienced staff, but we provide regular company-wide awareness training to all employees. We could not have a successful programme without the support of those who work with TVA’s critical systems.”

Among other things, employees learn the importance of identifying and reporting suspicious emails, using only secure USB drives and not sharing their passwords with others.

“Our team may not be visibly seen but they are an integral part of supporting [our] assets for safety and reliability of power. If something does happen, we are equipped to deal with it quickly.”

Building a cybersecurity operations centre

When it comes to developing a cybersecurity operations centre, what are the considerations? According to Gartner principal research analyst Siddharth Deshpande, it is a costly and time-consuming effort that requires ongoing attention in order to be effective. As such, he recommends that a realistic cost-benefit analysis of the various security operations models be performed before committing to a fully in-sourced centre.

“[Those] contemplating building their own operations centre should be very cognisant of the cost and staffing implications involved in this approach,” he says, adding that there are alternatives. For example, some organisations are opting to engage a managed security service provider.

Deshpande also recommends aligning the centre’s deliverables with business objectives by defining tight goals and metrics that it must deliver, and identifying the high-business-value and critical security functions so that these can be kept in-house. A staff retention strategy should also be in place from the outset.