Boards everywhere are asking what they should be doing about cybersecurity. Ensuring the adequacy of a company's cybersecurity program is a critical part of a director's risk oversight responsibilities, yet most board members may not be as familiar with the components of a cybersecurity program as they are with operational and financial issues.
Driving awareness of cybersecurity and physical security threats and linking them to risk, governance and compliance is critical to providing the directors the information necessary to fulfill those duties. The vulnerabilities that threat actors can exploit are being attacked in an increasingly sophisticated manner and represent a significant strategic threat to the security of our nation, its economy and the welfare of its businesses. The specifics are constantly changing, so the board should be alerted to how a company keeps up with the changes.
Board members can't be expected to understand all the technical nuances of cyber and physical security, just like any other part of the business operations, but they should know the basics: what the vulnerabilities are, what measures are in place to minimize the potential for a breach or attack, and what response and recovery plans are in place should an attack be successfully executed. As most cybersecurity experts continually reinforce, a cybersecurity breach is not a matter of “if” but “when.”
Assessing the risks
While complete assurance can never be provided in this arena, companies should take all reasonable and appropriate steps to safeguard the enterprise, customers and stakeholders. Each company should have a cybersecurity plan that protects its infrastructure and data. The first important step is to understand the critical assets that need to be protected. Most organizations have limited resiliency and can't protect all assets 100 percent. Boards should ask the question: How has the company determined what the most critical assets are? Then they need to ask what risk profile the organization needs to have while operating in cyberspace and how it mitigates those risks. Look at it from a business project perspective: ask what the company's key projects are, and focus spending on the areas that are most important to the organization.
Pepco Holdings Inc. (PHI), an electric utility holding company, faces daily intentional and unintentional cyber, physical and human threats to our critical infrastructure. To address these threats, our company invests an extensive amount of time, resources and capital to secure our critical assets to provide the greatest level of assurance and reliability to our customers. This plan includes education and awareness, policies and procedures that address security and protection of systems and data, and the development of solutions with security in mind. Within this framework, cybersecurity risk mitigation is not just about the deployment of technology but an approach that addresses matters of people and processes as well.
It is important that companies see security as a journey rather than a destination. Hacker tools and techniques are constantly evolving; so too must the defenses that companies put in place. PHI, like most companies, relies on multiple layers of defense, breaking our program into four logical categories of activities:
• Preparedness, focused on user awareness and information gathering.
• Prevention, focused primarily on matters of technical design and system monitoring.
• Response, focused on the identification of and response to threats.
• Recovery, focused on the steps taken in the immediate aftermath of a successful attack. For example, PHI takes an all-hazards approach to emergency preparedness. It deals with emergencies and crises that may impact communities and the environment by using the same set of management arrangements, including both natural and man-made hazards.
While security threats are incorporated into PHI's Incident Command Structure, there are complexities to a cyber attack that are recognized and factored into response planning. No silver bullet exists; multiple layers of protection are required, from preparedness and prevention to response and recovery.
The security of the electric system infrastructure is and remains of great significance to the industry. As technology capabilities grow, potential threats grow as well; therefore the industry as a whole is placing increased emphasis on cybersecurity. As with any crisis that affects a company, the company must have a plan to address that crisis.
Cybersecurity plans are crucial to the continued operation of many of our systems, including the infrastructure used to deliver electricity to our customers. As with any hazard, PHI plans for and prepares to respond to a cybersecurity event. The planning process is designed to first mitigate the risk where possible, then, through situational awareness detect a potential event as soon as possible and respond in a manner that prevents further damage and reduces the impact of the event.
Participating in voluntary government- and industry-led initiatives to improve coordination with the government and to identify and test for vulnerabilities is also critical. The partnership between the government and affected industries is vital to ensure preparation and readiness, to work together to protect against cyber threats.
Tabletop exercise for the board
Recently, along with my fellow board members, I had the opportunity to participate in a cybersecurity tabletop exercise. The exercise was an audit of PHI's response process, a crucial piece of a cybersecurity plan. The objective of the exercise was to demonstrate the company's emergency response logistics, including the involvement and role of the board of directors.
To demonstrate the complexities of incident response, we walked through the events that would take place within the first 24 hours of a security event, from a confidential briefing of the PHI CEO by the FBI to the briefing of the board, covering both the lead-up to and the aftermath of a catastrophic event. The benefits of the exercise were clear to board members:
• Board members gained a clear understanding of how the process will work and who is responsible for what. Utilities deal with weather events on a regular basis so they tend to have a strong Incident Command Structure (ICS) in place. PHI's ICS was developed to standardize its response approach to large-scale incidents. The ICS is a standardized, on-scene, all-hazard incident management concept, which allows responders to adopt an integrated organizational structure to match the complexities and demands of incidents. PHI's ICS is designed to:
— Meet the needs of incidents of any kind or size;
— Allow personnel from a variety of agencies to meld rapidly into a common management structure;
— Provide logistical and administrative support to operational staff;
— Be cost effective by avoiding duplication of efforts.
This structure helps ensure full utilization of resources. Because a cyber response is different, PHI formed a dedicated cyber response team that has been integrated within the ICS and is activated only during cyber events. The team is composed of subject matter experts from multiple functions across the organization. The structure is intended to drive better situational awareness during a cyber event through intentional collaboration between groups that typically work separately.
• In the event of an incident, the board now understands the process and knows who is essential to the situation and can answer questions. Typically, during crisis events, boards tend to dig in and ask a lot of questions. The cyber tabletop exercise gave the board an opportunity to learn how the process will work. More time during a crisis can then be focused on the crisis at hand. This should result in board members having a clear understanding of what their role would be during a cyber event and how much notification or involvement they would have in the process. We could fulfill our duties — duty of care, duty of loyalty — without needing to be involved in the gritty details.
• The event gave the board members a feel for how an incident might lead up to a full-blown event. We now have a better understanding of how federal agencies would interact with the company during an event, how we would initially react to an incident, and how it would escalate.
• As with all exercises, we had the opportunity to learn and improve upon the drill. We identified items during the exercise that require board follow-up. Importantly, coordination with federal agencies and differences in regulatory reporting requirements regarding disclosures of a cyber incident should be worked out ahead of time. An active emergency response is not the best time to resolve issues.
The plan is sound
A tabletop exercise can provide a board an increased level of confidence that a company's plan for responses and recovery is sound.
Board members benefit from understanding how cyber events are similar to and differ from weather events or other crises. It's important that the company's strategic direction be coordinated with its response at the tactical level — for example, through a dedicated cyber response team that has been integrated within the ICS. The structure ensures that customers, community leaders and employees have access to timely, accurate and consistent information to help ease the inconvenience and disruption caused by a crisis or other major events affecting the company. It encompasses multiple tactics, with an understanding that providing information during a major event is as relevant and important as maintaining and restoring the company's electrical service.
With so much at stake — financial loss, infrastructure and operational disruption, legal liability, and harm to corporate reputation — the question for directors is not whether to become involved in cybersecurity risk management but how to appropriately oversee their company's initiatives.
Given the heightened awareness of these rapidly evolving risks, directors must take seriously their responsibility to ensure that management has implemented effective risk management protocols and has an effective cybersecurity program that includes identification of critical assets, preparedness, prevention, response and recovery. Participation in a cyber tabletop exercise is one method for the board to gain an understanding of the company's readiness to respond to an incident, as well as the board's role during a crisis.