Utility Sector

ISO 27001: A Powerful Utility Player for the Utilities

Information Security Is Becoming an Imperative Priority

In addition to the above NERC-specific requirements, utilities often find themselves dealing with a wide range of regulatory requirements that touch security of information across their entire operation from power generation and distribution to customer information and employee data, including Sarbanes-Oxley (SOX), Homeland Security Act, Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standards (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) among others. And while the requirements and guidelines generated by these diverse bodies are often vastly different, there are a few common security goals. All of these regulations and laws aim at protecting three key areas that make up the core of information security (the classic “CIA triad” at the center of information assurance):

CONFIDENTIALITY: A loss of confidentiality is the unauthorized disclosure of information.

INTEGRITY: A loss of integrity is the unauthorized modification or destruction of information.

AVAILABILITY: A loss of availability is the disruption of access to or use of information or an information system.

The Right Tool for Cyber Security

As utilities grapple with cyber security regulations and work to ensure the integrity and security of their legacy systems, ISO 27001:2013 has emerged as the leading guideline for working toward compliance. ISO/IEC 27001:2013 specifies the requirements for an Information Security Management System. The objective of the standard itself is to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS).” ISO 27001 and its associated best practices [ISO 27002] are about Information Technology – Security

The good news, especially for utilities, is that all the NERC CIP Cyber-Security Requirements are covered under “the umbrella” of the ISO 27001 standard. Using the standard as a guideline to adopt cyber security best practices and procedures can help utilities not only meet NERC requirements but can help with SOX and other federal security requirements. Because the certification requires a process-centric approach to security, it can itself become a long-term blueprint for system and operational change. Therefore, beyond its security focus, ISO 27001 can be a powerful vehicle to help instill a systemic discipline in change management. It provides overall organizational efficiencies.

The Human Factor

Time and again, in the many information security surveys conducted around the world, human threats score much higher than those posed by the technology itself. In the words of the GISS survey for the utility sector, people are the “weakest link.”

Deloitte Touche Tohmatsu (DTT) Global Financial Services Industry (GFSI) Practice effectively summarizes the related issues: “A major focal point, people continue to be an organization’s greatest asset as well as its greatest worry. . . Those of us in the security industry know that an organization’s best defense against internal and external breaches is not technology alone. It is a culture of security within an organization – a mindset on the part of every individual so that actions in support of information security become automatic and intuitive.” Security vigilance that counters human distraction is even more important in light of the growth of “social engineering” (i.e., manipulating people into performing actions or divulging confidential information). In the words of Bruce Schneier, a renowned security expert and currently Chief Security Technology Officer with BT: “Amateurs hack systems, professionals hack people.”

Also, across the board, there is rising concern about the threat posed by outsourced processes. The GISS study remarked that outsourcing processes to third parties doesn’t transfer risk; it often increases it. What is especially troubling in this environment of increased security risk from outsourced processes is that 73 percent of the utilities don’t conduct due diligence of third parties handling private consumer information, and 49 percent have yet to establish security baselines for partners and suppliers. “An organization’s security is only as strong as its users and partners. Without third party security parameters, an organization’s partners can inadvertently become its biggest threat.”

There are several popular standards, such as the Control Objectives for Information and Related Technology (COBIT), the IT Infrastructure Library (ITIL) and Statement of Auditing Standards (SAS) No. 70, which address information security in part. However, ISO 27001 is the only auditable international standard focused specifically on information security management systems. It therefore provides an effective and verifiable common ground for information security between companies.

While there is yet no single silver bullet when it comes to information security, ISO 27001 is gaining acceptance across markets and industries, and provides a common frame of reference throughout the world. It also aligns very well with many other standards, making it the potential cornerstone of an overall security plan.