Risks to energy sector enterprises continue to grow, with drones, terrorism and budgetary challenges looming. Compliance requirements are tightening as well, but as Everardo Trujillo, Manager of Information Security Engineering and Operations at Sempra Energy Utilities, says: “A lot of people say ‘compliance makes you secure,’ and it’s the other way around, really.”
In the July 21 webinar, Current Trends in the Protection of Energy Sector and Critical Infrastructure, Trujillo was joined by two of his critical infrastructure security peers: Karl Perman, Vice President of Services for EnergySec and former Director of Security for the North American Transmission Forum; and Josh Sandler, Manager of Security, Risk & Compliance for Duke Energy – CIP Program Management. Together, the panel of security leaders discussed major issues confronting energy sector enterprises, security trends and potential mitigation strategies.
One of the main issues the panelists discussed was budget constraints. According to Trujillo, “We’re all fighting for the same dollars (within the enterprise), and most often those dollars go to the business – keeping the lights on.”
Another area of concern is compliance. The panelists discussed the need for the entire enterprise, not just one function, to drive compliance. Perman added that successful compliance campaigns are often performance-driven – it’s not good enough just to have a policy; you must show evidence of your performance and improvement.
Sandler is working to build a security-driven compliance program, in which compliance is demonstrated as a byproduct of doing the right thing for security.
This also means getting outside partners on board with the enterprise’s security success, for example by adding security language to third-party vendor contracts that outlines how and when vulnerabilities should be disclosed and addressed.
As for mitigation, Perman recommended that critical infrastructure security leaders remain agile and practical, providing workable solutions for the enterprise and implementing cybersecurity best practices.
Sandler added that, at Duke Energy, they are continuously working to establish and reinforce a culture of security. Staff always remember to take their safety equipment – hardhats, vests and other gear – on the job, and he is working to train them to remember their security procedures too. Encouraging a similar vigilance and muscle memory for security will help to build an enterprise-wide security culture, he says.
The webinar is currently available to watch on demand.