While the electricity industry has long addressed security risks in order to protect critical infrastructure and ensure the continuity and quality of power supply, the new era of automation brings additional cyber risks, according to a new report by the World Economic Forum (WEF).
“With increased automation and digitization, electricity companies are exposed to new cybersecurity risks that are testing the resilience of the power infrastructure,” Rosa Kariger, global chief information security officer, Iberdrola, and co-chair of WEF’s Systems of Cyber Resilience: Electricity Working Group, said. “In this new context, business leaders and regulators struggle to identify the best countermeasures to mitigate these risks and must embrace a collaborative and risk-informed approach to adapt and ensure a resilient ecosystem.”
The report contains a roadmap to resilience for both boards and those directly responsible for managing and mitigating such risks.
For the latter, effective oversight of enterprise cyber risk and resilience is key. The report says that the cyber-resilience officer should take the following actions to ensure effective oversight of cyber risks and resilience by the board:
- Schedule regular reports on the state of the organization’s cyber risk and resilience, ideally every quarter.
- Work with the heads of other business units to facilitate the reporting and mitigation of cyber risks and metrics within their respective areas.
- Provide visibility of the cyber risks related to the company’s critical assets by highlighting the potential consequences and mitigation actions.
Suggested metrics for effective oversight can include:
- Frequency of cyber-risk and cyber-resilience reporting to the board.
- Number of open vs. closed actions arising from cyber-risk and resilience reviews with the board.
- Number of major cybersecurity incidents within the industry and affecting the company, with quantified impact (e.g. financial, operational, reputational, compliance).
- Status of business units’ strategic cyber-risk reporting (number of risks accepted, denied, mitigated).
- Percentage of business units that report cyber risk.
- External cyber-risk ratings compared to industry average and competitors.
Corporate officers accountable for cyber resilience should take the following actions to ensure an effective governance model at board level, the report says:
- Present the cyber-resilience organizational structure to the board, covering corporate IT, OT and IoT environments as well as integration with each business unit.
- Provide regular quarterly updates on the cyber-resilience strategy implementation and budget in close collaboration with different business functions and unit leaders.
- Ensure communication with experts and contact points from different business areas.
- Promote a cyber-hygiene culture by communicating best practices regularly through training, awareness communications and tests across the organization, in particular targeting high-risk groups, e.g. board, C-suite, IT, engineering, HR and finance.
- Integrate or launch collaboration meetings and working groups with different stakeholders in the ecosystem to align and share experiences in order to report trends to the board.
Suggested metrics can include:
- Percentage of employees who have completed cybersecurity awareness education programmes on cyber-hygiene practices, with a focus on high-risk groups, e.g. board, C-suite, IT, engineering, HR and finance.
- Number of full-time equivalents (FTEs) responsible for cybersecurity/cyber experts in the different business areas.
- Number of cyber meetings/committees with involvement from the business units.
- Number of outstanding and closed critical actions resulting from reviews of the cybersecurity framework relating to executive management accountability and responsibility.
Read the report: Cyber resilience in the electricity eco-system.