Sivarama Krishnan, Executive Director IT Risks & Controls, PwC India, speaks on the vulnerabilities that exist in the current IT security layer in power companies and the components of a robust threat-protection system.
How does a company ensure that its SCADA systems are up-to-date and secure from cyber-attacks? How do you secure your Programmable Logic Controllers (PLCs)?
There are three aspects of securing SCADA and PLCs. These include: (1) regular threat and vulnerability assessments including penetration testing, (2) architecture and code reviews and (3) security audits and reviews of third-party solutions. The three form a triad of exercises that need to be performed frequently to ensure system-level security. Interestingly, organisations are weaving these aspects into their overall information security strategy. User organisations are also incorporating security into the design and development life cycle for SCADA systems and PLCs.
How can you objectively measure the current risk level as far as cyber-threats are concerned in an organisation?
Several organisations have put in place the equivalent of Value at Risk models to objectively and regularly assess their risk exposure. Risks from cyber-threats are also integrated into these models. These multivariate models take cognisance of the impact of cyber-threats in terms of down times, slowing of systems, loss of critical data etc. on an organisation's hard assets: the technology infrastructure and data. Some smarter models also integrate softer (hard to quantify) yet potent risks such as reputation loss, business disruption, etc., to measure the risk levels from cyber-threats.
Is there a need for a cyber-security cell in an organisation? How can you ensure that members of the cell are in regular touch with top management, ensuring that senior executives (across functions) are aware of the cell's risk perceptions?
Cyber-security cells are a norm in progressive organisations across industries. Cyber-security cells as a best practice have CXO sponsorship. Reporting of the cell also dovetails into the CIO/CTO/CISO roles within the organisation.
How important is the need for regular security audits across all infrastructure in an organisation? How can these be conducted?
Security audits are just like other control posture reviews and audits. It is important that these be conducted fairly regularly to provide assurance of the efficacy of the security systems and processes in meeting threat challenges. A combination of approaches needs to be undertaken for security audits. These include threat and vulnerability assessments, system reviews, application security reviews including code-level reviews, process and policy reviews, etc. A combination or all of these will be essential to assess the security requirements of the organisation.
What measures can a company put in place to ensure that there are no repeats of a cyber-attack?
The key to cyber-attack management is root causing. Effective root causing and closure of recommendations are key to ensuring that there are no repeats. This together with vigilantism at the senior management level ensures that the organisation is prepared to meet the known knowns effectively.
A few large US utilities have Chief Information Security Officers. Have Indian companies put in place such a function?
Indian utilities in most cases have a CIO doubling up as a CISO. This is a key risk, as the reviewee is the reviewer here; hence the ability to have an independent view of the security posture gets compromised.
How can a company take steps to ensure that it has eliminated unnecessary interconnectivity between sensitive data and insecure networks?
Data classification and categorisation hold the key here. Once an organisation classifies its data, securing the data becomes significantly easier. There are solutions available that help organisations secure classified data appropriately.
How can end-users be regularly trained to ensure that they can deal with various cyber-attacks?
Cyber-security has to become coded into the cultural DNA of an organisation. It is critical that the top management makes security part of the leadership agenda and uses every possible forum to communicate the importance of the same. Policies, processes and regular training have no substitutes.
What are the elements of a robust incident response plan?
There are four key elements of an incident response plan: (1) an empowered cyber-security team, (2) a process for incident classification and escalation, (3) root causing and permanent closure of any gaps, (4) regular review for failures and repeats.
(With inputs from Ravi Nawal, Associate Director).