Information Security for the Power Industry
If you think of Information Technology as a mature field, then Information Security could be considered as a middle-aged discipline. While the need for Information Security has always existed, significant time passed before confidentiality, integrity, and availability became operating imperatives.
In its early years, IT had simple functions: process payroll, print invoices, maintain customer listings, and so on. This sufficed while business systems were isolated and physical access was required to gain logical access to the IT environment. As telecommunications matured and businesses realized the synergies that could be gained by enabling business partners to access, update, and retrieve information in these systems, the security landscape began to change. However, business IT organizations did not yet see the risk. With the 1983 movie “War Games”, the idea that a mainframe system could be remotely accessed by an unauthorized person began to resonate with business and IT leaders, but the threat was still not perceived as significant enough to change the approach to IT solutions and design.
This era, and its failure to understand the threat and risk, resulted in numerous technologies being developed and implemented without the protections a modern, mature Information Security function would require today. Because these legacy systems remain in service, many Information Security controls have been bolted on after the fact. The result is ongoing challenges with access and functionality, and a continuous debate over business need versus information security risk.
Today’s World, Tomorrow’s Interconnected Strategy
Understanding the current landscape and the threats facing the energy industry is critical for today’s organizational leaders. Many businesses are investing significant capital in upgrading and modernizing their control mechanisms and control software. A comprehensive strategy that includes Information Security control points and configurations will enable the industry to move to a more proactive posture.
Skepticism brought about by decades of a build-first, secure-second approach stands in the way. I challenge our industry leaders to forget the past and think about the future. As an example, in 2010 the Forrester Group released a vision for a 21st-century network model referred to as a Zero Trust Network Architecture (ZTNA). The goal of this architecture is to change the view of and approach to IT networking by fundamentally changing the concept of trust.
Traditionally, an employee is logically trusted via authentication and authorization for network access. This authorization should not be carte blanche; rather, in a ZTNA environment the employee is afforded access only to basic services such as email and internet access. If an employee requires access to sensitive systems (e.g., control systems, ERP), they must be explicitly authorized for that access. The authorization goes one step further: the request must originate from an explicitly authorized location and from a specific device that has itself been explicitly authorized. This means the user, the location, and the technology platform (e.g., mobile device, laptop, external PC) being used must all match defined criteria before access is granted. This type of architecture allows for the use of Bring Your Own Device (BYOD) technology. It also gives the ability to segment customers, business partners, and other entities from each other while ensuring continuity of service.
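As an added illustration of the access rule just described (this is not code from the article or from Forrester’s model), the following toy policy evaluator grants baseline services to any authenticated user but requires the user, the device, and the originating location to each be explicitly authorized before a sensitive system is reachable. The users, device identifiers, locations, and resource names are constructed assumptions.

```python
"""Toy Zero Trust access-policy evaluator (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Baseline services: any authenticated user may reach these.
BASELINE_SERVICES: Set[str] = {"email", "internet"}

# Constructed set of users who have passed authentication.
AUTHENTICATED_USERS: Set[str] = {"alice", "bob", "carol"}


@dataclass
class SensitivePolicy:
    """Explicit authorizations for one sensitive system (all three must match)."""
    users: Set[str]
    devices: Set[str]
    locations: Set[str]


# Constructed sample policy: who may reach which system, on what device, from where.
POLICY: Dict[str, SensitivePolicy] = {
    "control_system": SensitivePolicy(
        users={"alice"}, devices={"laptop-0042"}, locations={"control-center"}),
    "erp": SensitivePolicy(
        users={"alice", "bob"}, devices={"laptop-0042", "laptop-0077"},
        locations={"hq-office", "vpn"}),
}


@dataclass
class Request:
    user: str
    device: str
    location: str
    resource: str


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; every check must pass."""
    if req.user not in AUTHENTICATED_USERS:
        return False, "user not authenticated"
    if req.resource in BASELINE_SERVICES:
        return True, "baseline service"
    policy = POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"  # no policy entry means no access
    if req.user not in policy.users:
        return False, "user not authorized for resource"
    if req.device not in policy.devices:
        return False, "device not authorized for resource"
    if req.location not in policy.locations:
        return False, "location not authorized for resource"
    return True, "user, device and location all authorized"
```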
This is just one example of the innovative new approaches that address the challenge created by the legacy technology-first, security-second IT model. It is not the only model, nor is it the only viable solution for every organization; rather, the concept is offered to provoke thought.
What is one thing we can do today to improve our current situation? The insider threat is the greatest single threat that any organization faces. One major reason is that good people often make poor decisions. Someone opens an email attachment, clicks a malicious link, installs free software from the internet, or engages in some other seemingly innocuous activity that results in malware being introduced. It is human nature, and this is the most difficult threat vector to secure.
The solution is Information Security awareness. A comprehensive Information Security awareness program can be implemented quickly and can target all of the organization’s technology users. The key is repetition and consistency for all employees, from the C-suite through field services. The materials will have a different focus depending on the audience, but the message must teach staff how to avoid the common pitfalls and prevent them from becoming victims.
As we look to the future, an idea presented by Eugene Roman, the Chief Technology Officer of Canadian Tire Company, is the holonistic security model. The word holon originates with Arthur Koestler in his book The Ghost in the Machine (1967, p. 48). Koestler coined the term holon and states that “holons are autonomous, self-reliant units that possess a degree of independence and handle contingencies without asking higher authorities for instructions.”
A holonistic security IT environment is an autonomous environment in which the security technologies proactively exchange information with each other. When a malicious, unauthorized, or suspected inappropriate action occurs, the access is dynamically blocked. Because these security technologies share awareness of the event, every other security technology is notified instantly, and the defensive posture changes to proactively block the source system. A holonistic security model is still a concept and is a few years out, but this type of vision and planning is what will move organizations from the bolt-on security model to a truly proactive defensive posture.
Internal IT Messaging
We must always support the business by being its partner and by finding innovative, forward-thinking solutions so that we can answer “yes” to any reasonable business proposal or request. Conversely, the business must understand that the IT and IT Security teams are valued staff who play an important role in supporting business initiatives and delivering industry-leading technologies securely. Information Security should never keep the business from moving forward, but the business should also be aware that Information Security is a necessary process area for any initiative that involves technology assets, information, or data.