utc.org
Cybersecurity - The Utilities’ View
Bob Lockhart, UTC
VP, Cybersecurity, Technology & Research
UTC – Utilities Technology Council
• A global trade association
• Dedicated to serving critical infrastructure providers
• Creates a favorable business, regulatory and technological environment for its members
• Through advocacy, education, and collaboration
• Headquarters in Washington, DC
Bob Lockhart
• VP, Cybersecurity, Technology, Research
• ≈40 Years in IT
• 25 Years Cybersecurity
• 7 Years Utility Cybersecurity
• 20+ published research reports
• Etc.
• Etc.
• Etc.
What We’ve Seen…
Methodology: 29 Questions Like this…
UTC Member utilities only
Security Governance
Reporting Level - Chief Security Officer - 2016
[Bar chart. Categories: CEO, COO, CRO, CIO, CFO, Other C-Level, Below C-Level]
(Source: Utilities Technology Council)
Reporting Level - Chief Security Officer - 2017
[Bar chart. Categories: CEO, COO, CRO, CIO, CFO, Other C-Level, Below C-Level]
(Source: Utilities Technology Council)
Board member responsible for Security?
[Bar chart. Categories: No, Yes]
(Source: Utilities Technology Council)
Risk Perception
Perception of Risk: Average responses
[Chart. Axis: Increasing Perception of Risk, scale 1 to 7. Categories: Personnel, Technical Solutions, Regulatory, Supply Chain, Hostile Actors, Complexity, Funding. Series: Current Threats, 3-5 Years Out]
Risk responses from a single utility
[Chart. Axis: Increasing perception of risk, scale 1 to 7. Series: Management, Telecoms, Operations]
(Source: Utilities Technology Council)
Security Awareness
Security Awareness Programs - 2016
[Bar chart. Categories: Selected employees only; Employee Handbook lists some duties; Awareness program being developed; Awareness program in place]
(Source: Utilities Technology Council)
Security Awareness Programs - 2017
[Bar chart. Categories: Selected employees only; Employee Handbook lists some duties; Awareness program being developed; Awareness program in place]
(Source: Utilities Technology Council)
Security Budgets
Cybersecurity Spend - % of IT Budget
[Bar chart. Categories: <1%, 1-5%, 5-10%, >10%]
(Source: Utilities Technology Council)
Does Compliance drive spending? 2016
Utility Security Spending is Driven by Compliance: Agree or Disagree?
[Bar chart. Categories: Strongly Disagree, Somewhat Disagree, Somewhat Agree, Strongly Agree]
(Source: Utilities Technology Council)
Does Compliance drive spending? 2017
Utility Security Spending is Driven by Compliance: Agree or Disagree?
[Bar chart. Categories: Strongly Disagree, Somewhat Disagree, Somewhat Agree, Strongly Agree]
(Source: Utilities Technology Council)
Supply Chain Risk
Supply Chain Centralization - 2016
[Bar chart. Categories: Decentralized; Hybrid of centralized and decentralized; Centralized]
(Source: Utilities Technology Council)
Supply Chain Centralization - 2017
[Bar chart. Categories: Decentralized; Hybrid of centralized and decentralized; Centralized]
(Source: Utilities Technology Council)
Questions?