Why cybersecurity is critical for utility energy efficiency programs
Utilities’ highly interconnected digital infrastructure enables real-time visibility into energy consumption trends and supports sophisticated tools for energy management. In addition, utilities have expanded their use of smart meters and new cloud-based customer relationship management platforms to enhance energy efficiency program implementation. These offerings and technologies deliver a wide range of benefits for both the utility and its customers, but also require careful diligence in cybersecurity and data management.
For utility energy efficiency programs, cybersecurity and data governance are more important – and more complex – than ever before due to the amount of customer information being collected and utilized through the programs. As caretakers of sensitive customer data, utilities and energy efficiency program implementers are increasingly being targeted in cybersecurity attacks. By developing a comprehensive cybersecurity and data governance plan, utility energy efficiency programs can build a framework for processes, data handling, and communications that will significantly reduce cyber-related risks. Further, the use of automated detection technologies within a broader cybersecurity plan can help utilities identify security breaches or cyber threats and address them quickly.
Key considerations for developing a cybersecurity and data governance plan within an energy efficiency program include:
Establishing a unique set of policies and procedures for the energy efficiency portfolio
After assessing the state of the portfolio security environment – including risks and vulnerabilities that affect the security infrastructure – utilities can determine the best methods to patch vulnerabilities and concentrate resources on the most critical data assets (e.g. data classification, security baselines, and system handling).
Appointing a knowledgeable team member to oversee cybersecurity efforts
It is important to assign a central point of contact who will execute the cybersecurity plan and ensure that policies are being applied consistently. This team member will also work closely with other areas of the utility to confirm required changes in policies and implement recommendations.
Providing regular risk assessments and audits of the cybersecurity plan and processes
Risk assessments and audits confirm that the cybersecurity mechanisms are in compliance with relevant policies and procedures contained in the cybersecurity and data governance plan. These assessments and audits will help to identify vulnerability gaps and ensure industry standards are applied.
Training employees at all levels across the energy efficiency program
Employee training is necessary to spread and encourage a security-aware culture as well as to make sure that all employees know how to use the cybersecurity systems and available tools. Effective training helps to reduce the likelihood of a successful attack by giving employees the knowledge of how to prevent cybersecurity attacks.
Incorporating measures to ensure the security of vendors, third parties and subcontractors
The creation and maintenance of a secure environment requires a commitment from all those linked to the energy efficiency program – including program staff, third-party vendors, and subcontractors. Energy efficiency programs can safeguard against cybersecurity risks by developing clear policies for adherence, making data governance conditions explicit within all contracts, and establishing strict operational guidelines for each program vendor or supplier.
Enforcing data protection policies and using encryption to safeguard information
Utilities and energy efficiency implementers can protect personally identifiable information (PII) by developing documented data protection procedures and leveraging advanced encryption for all data transfers. Additional data safeguards include access controls, multi-factor authentication and identification, and data destruction plans.
Sharing information with all stakeholders
Cybersecurity and data governance plans must be communicated to all the appropriate stakeholders. These stakeholders – which include utility personnel as well as vendor representatives – must remain aware of the potential impact of cybersecurity threats and cognizant of their own role in data protection. In addition, there must be full transparency on cybersecurity issues that arise to ensure proper mitigation and resolution.
As one of the largest contractors for the United States government, Leidos is very aware of the need for a high level of security in our daily work. The emphasis on strong security practices extends to our work for utilities as well – including data management, communications, and software platforms. Contact the Leidos team to learn more about our energy efficiency program services and how we maintain industry-leading cybersecurity and data governance processes within our operations.