Improving Company Dynamics to Achieve Overall Cyber Resilience
Interview with Cam Henderson, VP Information Technology, Chief Information Officer with Portland General Electric., on key topics to be discussed at the upcoming marcus evans 2nd Annual Utility Cyber Security Conference, January 14-16, 2014 in Atlanta, GA.
Today's cyber threats are persistent, well organized and sophisticated. They disguise themselves within the IT ecosystem in a manner that is hard to distinguish from legitimate activity. The electric utility industry takes cyber security threats very seriously, as they can cause disruption in the flow of power and other programs. Utility companies employ various strategies to protect the integrity of its computerized systems, but cyber security threats still exist. This is no longer a theoretical threat, but instead a likely inevitable one. The industry recognizes that a new approach is necessary to deal with intensifying cyber threats.
What have you found to be the key challenges in ensuring organizational effectiveness for cyber security efforts? How have you met these challenges?
Consistency across the company is really important. In the past we've had people in our company think that security policies only apply to IT, assuming other lines of business were free to go and do whatever they wanted to in that area. Therefore, in order to be more effective, we're trying to help establish a consistent view of security - this is a policy across the company. In order to accomplish those objectives we've created an Executive Security Committee, this includes our CEO, CFO, Senior Vice President of T&D, Senior Vice President of Power Supply and Operations and me. This committee meets every six weeks to review security issues in the company. We also have a security steering committee consisting of mid-level managers from each line of business. These managers are responsible for making policy recommendations and then implementing those policies on a consistent basis across the company.
Given your years of experience in information technology, what do you see as the most vital component of grid security?
Comprising a security team that understands the industry and the threats that are impacting the industry is key. We want people to have a broad understanding of security so they know what the emerging issues are and have the professional contacts, both in the government as well as in the industry, to see the "what's what" and recognize what others are facing. Finally, it's about having vendors who are sensitive to our security needs and are looking out for our protection as well.
What communication models (or tools) have proven to be successful when working amongst various departmental groups?
The first thing is having common training across the entire company. We require everyone who has computer access to take a security training class once a year. This has proven to be very helpful, because everyone in the company has the same basis for security. Not only will we have the same training company-wide, but those individuals on the security steering committee (and the executives that make up the Executive Security Committee) have in-depth training available to them several times a year. We bring in people from vendors, other utilities and government agencies so people are aware of what is going on. This has facilitated better communication throughout the company about what is happening in this area. We also are establishing common metrics across all lines of business to ensure visibility when an incident occurs.
Why should utilities consider modernizing organization structures? What's the sense of urgency and importance?
In the past, most utilities managed generation, transmission and distribution groups separately - however, we are now finding that security issues can be affecting everyone across the company. Therefore, you can't manage these groups individually anymore. This means our approach across the organization has to change. The CIP standards are a driving force, because CIP standards apply to various groups across the entire organization. If we're going to manage our CIP requirements effectively we need an enterprise-wide view of our assets, as well as our policies. The threats to our infrastructure are also across organizational lines. We continue hearing people say, "It's not a matter of if it will happen, but rather when it will happen." We all need to be doing what we can to exercise due diligence to prepare for these sophisticated threats, in order to coordinate response across the entire organization efficiently. New standards are calling for us to take a new look at how we manage security and employ new strategies from an enterprise perspective.
What do you see as key components for an efficient cyber security organization?
I mentioned training before and that's a KEY component. Standardized technology, vendors and tools, wherever possible, are important as well. Having a security team that has a strong knowledge of the industry and security issues is also imperative. Finally, having an executive group that takes responsibility in ensuring proactive measures are implemented enables organizations to be efficient, effective and secure.
About Cam Henderson
VP Information Technology, Chief Information Officer with Portland General Electric
As Vice President of Portland General Electric's Information Technology Department, Cam Henderson is responsible for the infrastructure, operations and system development of all information systems. This includes developing a strategic plan for information technology and implementing enhanced project management and methodology. Henderson's CPA credentials and extensive business operations experience has helped establish a strong reputation for information technology throughout PGE.
For more information, please contact Michelle Thomas, Marketing Coordinator, Media & PR, marcus evans at 312-540-3000 ext 6491 or firstname.lastname@example.org
About marcus evans
Marcus evans conferences annually produce over 2,000 high quality events designed to provide key strategic business information, best practice and networking opportunities for senior industry decision-makers. Our global reach is utilized to attract over 30,000 speakers annually; ensuring niche focused subject matter presented directly by practitioners and a diversity of information to assist our clients in adopting best practice in all business disciplines.