utc.org

Cybersecurity-The Utilities’ View

Bob Lockhart, UTCVP, Cybersecurity, Technology & Research

utc.org

UTC – Utilities Technology Council• A global trade association

• Dedicated to serving critical infrastructure providers

• Creates a favorable business, regulatory and technological environment for its members

• Through advocacy, education, and collaboration

• Headquarters in Washington, DC

utc.org

Bob Lockhart• VP, Cybersecurity, Technology, Research• ≈40 Years in IT• 25 Years Cybersecurity• 7 Years Utility Cybersecurity• 20+ published research reports• Etc.• Etc.• Etc.

utc.org

What We’ve Seen…

utc.org

Methodology: 29 Questions Like this…

UTC Member utilities only

utc.org

Security Governance

utc.org

Reporting Level - Chief Security Officer - 2016

0

2

4

6

8

10

12

14

16

18

CEO COO CRO CIO CFO Other C‐Level

Below C‐Level(Source: Utilities Technology Council)

utc.org

Reporting Level - Chief Security Officer - 2017

0

2

4

6

8

10

12

CEO COO CRO CIO CFO Other C‐Level

Below C‐Level(Source: Utilities Technology Council)

utc.org

Board member responsible for Security?

0 5 10 15 20 25 30 35 40

No

Yes

(Source: Utilities Technology Council)

utc.org

Risk Perception

utc.org

Perception of Risk: Average responses

1

2

3

4

5

6

7

Personnel TechnicalSolutions

Regulatory SupplyChain

HostileActors

Complexity Funding

Increasin

g Pe

rcep

tion of  Risk

Current Threats

3‐5 Years Out

utc.org

Risk responses from a single utility

1

2

3

4

5

6

7Increasin

g pe

rcep

tion of risk Management

Telecoms

Operations

(Source: Utilities Technology Council)

utc.org

Security Awareness

utc.org

Security Awareness Programs - 2016

0

5

10

15

20

25

Selected employeesonly

Employee Handbooklists some duties

Awareness programbeing developed

Awareness program inplace

(Source: Utilities Technology Council)

utc.org

Security Awareness Programs - 2017

0

5

10

15

20

25

30

Selected employeesonly

Employee Handbooklists some duties

Awareness programbeing developed

Awareness program inplace

(Source: Utilities Technology Council)

utc.org

Security Budgets

utc.org

Cybersecurity Spend - % of IT Budget

0

2

4

6

8

10

12

14

16

18

<1% 1‐5% 5‐10% >10%

(Source: Utilities Technology Council)

utc.org

Does Compliance drive spending? 2016

0 5 10 15 20 25

Strongly Disagree

Somewhat Disagree

Somewhat Agree

Strongly Agree

Utility Security Spending is Driven by Compliance:Agree or Disagree?

(Source: Utilities Technology Council)

utc.org

Does Compliance drive spending? 2017

0 5 10 15 20

Strongly Disagree

Somewhat Disagree

Somewhat Agree

Strongly Agree

Utility Security Spending is Driven by Compliance:Agree or Disagree?

(Source: Utilities Technology Council)

utc.org

Supply Chain Risk

utc.org

Supply Chain Centralization - 2016

0

5

10

15

20

25

30

Decentralized Hybrid of centralized  anddecentralized

Centralized

(Source: Utilities Technology Council)

utc.org

Supply Chain Centralization - 2017

0

5

10

15

20

25

30

Decentralized Hybrid of centralized  anddecentralized

Centralized

(Source: Utilities Technology Council)

utc.org

Questions?