“Cloud.” Ten years ago, this term was primarily used to describe a day in which one would get a mediocre tan or have their view of mountains obstructed. Today, it is often used to describe a technology trend that is changing the way IT departments operate. As more technology providers pivot towards cloud-based solutions, the utilities industry, typically a late adopter, is working towards catching up to this latest technology trend.
When evaluating a cloud transformation, utility companies must balance many competing priorities – the requirements of being an infrastructure provider, financial pressures, regulatory requirements, and the need to protect critical assets and customer data.
After a utility determines if its business drivers align with cloud, the focus should shift to the role data and cybersecurity will play in the cloud transformation. This step is critical in the cloud transformation journey for utilities as a recent report found that 85% of utilities surveyed listed cybersecurity as a worry with the cloud, with 81% listing privacy as an additional concern.
Data and cybersecurity must play a key role in the decision-making process for utilities as they must comply with state and federal regulations (e.g., FERC, NERC, CIP) and protect customer data. Below are three tips for a utility to consider to ensure their cloud transformation is cyber safe and compliant, with data protection top of mind.
Data and cybersecurity must play a key role in the decision-making process for utilities as they must comply with state and federal regulations and protect customer data.
Make Data-Driven Decisions
When approaching cybersecurity in the cloud it is important for utilities to review the application portfolio and determine the sensitivity of the data within each application. The data should be classified based on factors such as regulatory and operational impacts. For example, when reviewing an Advance Metering System (AMS) it is likely the data should be noted as having Personal Identifiable Information (PII). Once a utility understands the data within the environment and where it resides, this should drive the decision as to which applications are cloud candidates.
It is important to remember when determining cloud candidacy that the term “cloud” can take a variety of different forms such as Private Cloud, Public Cloud, and Hybrid Cloud.
Based on the utility’s risk profile, regulatory requirements, and existing cybersecurity posture, AMS may be determined not to be a candidate for Public Cloud. However, it could still be a candidate for Hybrid or Private Cloud.
The results of the data classification efforts should not only drive an application’s cloud candidacy but also the platform.
Integrate Cybersecurity into the Roadmap
As part of a cloud transformation, new tools, processes, and controls must be established to enable the new operating model. Many of these must be implemented before the first application is migrated to the cloud.
- Tools: Invest in a cloud security tool, such as a Cloud Access Security Broker (CASB) which helps companies manage and protect data flow into a cloud environment and enforce cybersecurity policies. Additionally, evaluate how the current Identity and Access Management (IAM) solution can be extended to the cloud.
- Processes: Develop processes to ensure new applications are deployed based on the classification of their data.
- Controls: Establish a cloud policy and evaluate if other risk management policies need to be revised to accommodate cloud ways of working.
It is important to re-evaluate the overall cloud roadmap from a cybersecurity perspective and incorporate data protection measures that align with the company’s risk profile.
Source for Cybersecurity
When sourcing for a Cloud Service Provider (CSP), in addition to functional and technical requirements, cybersecurity requirements should be taken into consideration throughout the Request for Proposal (RFP) and procurement process. Some strategies to including this are:
- Research: Prior to the sourcing process, evaluate which providers are considered market leaders in cloud security. Additionally, review prior data breaches by the CSP and how they were remediated.
- Scorecard: When creating a scorecard to evaluate CSPs against, include cybersecurity as a point which bidders are evaluated on.
- Info Session: In addition to the standard RFP bidder demonstration, conduct a deep-dive info session around cybersecurity. This will allow the utility’s cybersecurity SMEs to ask detailed questions and get a better understanding of the CSPs cybersecurity practices.
The cloud business drivers are going to look different company-to-company. However, the common thread Sendero has seen in the utilities industry is a hyper-focus on cybersecurity and data protection and ensuring that any application or piece of information that is moved to the cloud is protected and compliant with regulations. By having a defined cloud strategy that integrates data protection, cybersecurity, and a sourcing process with cybersecurity top of mind, it can serve as a strong foundation for a cloud transformation. This helps drive and further illuminate the value proposition for cloud while keeping cyber safety top of mind.