The Energy Department's Energy Sector Control Systems Working Group, just published a paper, Roadmap to Achieve Energy Delivery System Cybersecurity, aimed at boosting cybersecurity in that industry.
The paper presents five strategies to improve IT security that's appropriate for other sectors, as well. They are:
- Build a Culture of Security: In a culture of security, extensive dialogue about the meaning of security and the consequences of operating under certain levels of risk is continuing, by various means, among citizens and stakeholders.
When integrated with reliability practices, a culture of security ensures sound risk management practices are periodically reviewed and challenged to confirm that established security controls remain in place and changes in systems or emerging threats do not diminish their effectiveness.
- Assess and Monitor Risk: Risk assessment and monitoring give organizations a thorough understanding of their current security posture, enabling them to continually assess evolving cyberthreats and vulnerabilities, their risks, and responses to those risks.
- Develop and Implement New Protective Measures to Reduce Risk: New, protective measures are developed and implemented to reduce system risks to an acceptable level as security risks, including vulnerabilities and emerging threats, are identified or anticipated.
These security solutions are built into systems, and appropriate solutions are devised for legacy systems.
- Manage Incidents: Managing incidents is a critical strategy because cyberassaults can be sophisticated and dynamic and any system can become vulnerable to emerging threats as absolute security is not possible.
When proactive and protective measures fail to prevent a cyber incident, detection, remediation, recovery and restoration activities minimize the impact of an incident on a system. Post-incident analysis and forensics enable stakeholders to learn from the incident.
- Sustain Security Improvements: Sustaining aggressive and proactive systems security improvements over the long term requires a strong and enduring commitment of resources, clear incentives and close collaboration among stakeholders.
Collaboration provides the resources and incentives required for facilitating and increasing sector resilience.