From compliance to risk management: Defending against emerging cyber threats at power and utility companies

December 2011

At a glance

Current standards at power and utility companies are not sufficient to protect against cyber threats such as new malware that poses risk to operational IT systems. A risk management framework allows companies to address cyber risks and avoid a reactive over-reliance on compliance. A risk-based approach will enable power and utility companies to improve the security of operational systems.

The American electric power industry has changed over the past two decades. One area not keeping pace with this change is the mitigation of cyber security risks in operational IT environments, especially within control systems infrastructure.

To help protect the integrity and reliability of the power system, companies have long separated their operational IT from commercial and administrative IT. The prevailing mindset is oriented to regulatory compliance rather than risk management. As consumer markets drive more real-time data and its associated interconnectivity, and cyber threats become ever more sophisticated, traditional approaches to cyber security in operational IT are becoming badly outdated.

This whitepaper examines how power and utility companies can keep their critical electric power assets secure by shifting toward a thorough risk-based approach and away from compliance-driven security.