Amp Up! Security controls tailored to Utilities
The utility industry has a unique set of cybersecurity challenges. First, until very recently there has not been a mandatory statute requiring utilities to accredit their systems to a given standard. Second, the statutes that have been implemented are specific to the electric power industry and focus mainly on physical security controls; information security has historically been less of a focal point of operational security goals. And third, we are in the midst of an information management revolution, with a new set of information access paradigms that include cloud-hosted systems, mobile devices, wireless system access, and IoT devices.
Unique Risks and Threats
When it comes to cybersecurity, the utility space is in an interesting and somewhat unique position:
- IMPACT. Utilities are a key part of the nation’s critical infrastructure. As such, any loss in confidentiality, integrity, and (perhaps most importantly) availability can have incredibly serious effects, ranging from minor inconvenience to catastrophic economic effect – and potentially even loss of human life.
- VALUE. Utility systems have a massive customer-facing element, and store key personally identifiable information (PII) on a large base of users. Utilities are obligated to protect these data according to FTC Red Flags regulations that apply to covered accounts.
- THREAT. As a high-value target, utilities are exposed to a higher-than-normal threat level from adversaries seeking to compromise utility networks. These can include cyberthieves, looking to steal account information from subscribers, and even nation-state actors seeking to damage United States critical infrastructure.
A Utility-Centric Approach
Aerstone has adapted the Center for Internet Security’s CIS Controls to the utility space. Some CIS Controls were eliminated due to their low impact in utility environments; others were combined in order to simplify and accelerate the approach of securing the utility enterprise. It should be noted that this approach is meant to be the first step in a comprehensive and long-term focus on cybersecurity. After each of the twelve Amp Up! security controls has been implemented, a more detailed standards-based assessment approach should be considered, based either on ISO or NIST standards.
Duration: 2-4 weeks
Activities: Aerstone will assess your organization’s cybersecurity posture as a short-term, fixed-price service offering. We will identify gaps and provide templates for cybersecurity policy.
Output: A roadmap for cybersecurity compliance, at the policy and technical levels.
Duration: 4-16 weeks
Activities: Aerstone will work with your organization to close any Amp Up! gaps identified, including development of policy documents, systems configuration, and hardware/software implementation.
Output: An enterprise that meets a minimum level of cybersecurity posture.
Activities: Aerstone will work with your organization to ensure that your cybersecurity posture continues to strengthen, in accordance with more detailed cybersecurity standards.
Output: An enterprise that meets the highest level of cybersecurity posture.
Our Experience Sets Us Apart
Aerstone is an NSA-certified vulnerability assessor, and a service-disabled veteran-owned small business.
We approach each engagement with the highest levels of professionalism, determination, and creativity, honed by years of working with security professionals across the military, intelligence community, civilian government, and private industry.
Contact our sales team at firstname.lastname@example.org for more information.