Cybersecurity in a Fractured World
This is the fifth in a series of articles and interviews on the subject of improving cyberresilience—the ability of companies, organizations, and institutions to prepare for, respond to, and recover from cyberattacks. The series grows out of Boston Consulting Group’s work with the World Economic Forum on this topic. BCG spoke with Rosa Kariger, the chief information security officer for Iberdrola, a global energy organization, about ways to promote more effective governance of cyberrisk in the electricity ecosystem.
Rosa Kariger is the chief information security officer (CISO) of Iberdrola, a Spanish multinational electricity company and leader in green energy. She is responsible for cybersecurity governance, intelligence, and oversight for the IT and operational-technology environments in all countries where Iberdrola operates—mainly Brazil, Mexico, Spain, the UK, and the US. Since joining Iberdrola in 1997, Kariger has held several positions, including internal consultant and global risk manager. Before being appointed CISO in February 2016, she was Iberdrola’s deputy chief risk officer. With more than 20 years of experience in the electricity sector, Kariger is a member of several international expert groups for cybersecurity in the electric industry and is the cochair of the World Economic Forum’s Systems of Cyber Resilience: Electricity.
We have been seeing numerous news stories about cyberattacks on the power grid. What are your primary concerns with respect to cyberresilience and the grid?
The new market participants and technologies in the electricity ecosystem—for example, electric vehicles, and prosumers, or consumers with small generators—are introducing a new set of cyberrisks that need to be properly addressed. And not just by individual companies or asset owners. The participants in the ecosystem are highly interdependent, and the electricity system itself has always been complex and highly interconnected, such that if one participant is compromised, there can be a cascading effect on the rest of the system. This complexity and interdependence have been amplified by the digitization of the grid and the increased interconnectivity of industrial-control systems. Furthermore, we have to consider that these new technologies are expected to coexist with legacy systems that were not designed to face digital threats.
It is important that all participants within the ecosystem—small and large companies, traditional incumbents, and new players—properly address the cyberrisks within their own infrastructure. But they must also understand their interdependencies and be aware of the risk each participant poses to the rest. Collaboration is critical to ensure a resilient grid.
In many cases, monitoring for and controlling cyberrisk is delegated to the IT department. How does an organization ensure that its board understands cyberrisk as a business risk that must be addressed strategically?
Back in 2015, Iberdrola’s board of directors approved a cybersecurity risk policy that focused on promoting deep cultural change throughout the group. The goal of the policy was to ensure that cybersecurity was understood as a business risk—and everyone’s responsibility. I have learned that understanding two key factors can help boards come to this conclusion: that digitization is happening not just in the IT department but also in operational-technology areas and that the source of cyberrisk is not always the technology itself but, in many cases, the way that the technology is used.
Would you explain what you mean when you say that digitization is happening not just in the IT department but also in operational-technology areas?
As businesses innovate, they must be aware of the cyberrisks posed by any technologies that they adopt anywhere in the organization. It is not enough for individual business areas to simply delegate responsibility for the security of this technology to IT. Maybe they can delegate responsibility for some of the controls, but I sincerely doubt that an engineer would want an IT professional overly involved in the actual operations of industrial-control systems.
And what does it mean to say that the source of cyberrisk is not always the technology itself but, in many cases, the way that technology is used?
From a security perspective, people and business processes—not just technology itself—are key. A poorly designed process—or poor training and awareness of employees’ and contractors’ activities—can override the strongest technical-security measures. The solution is not only to provide traditional generic cybersecurity training but also to instill in personnel a deep understanding of how cyberrisks can affect the specific business processes they are engaged in.
One important aspect of improving governance around cyberresilience is improving the board’s understanding of it. What are your thoughts on communicating the complexities of a technical topic like cybersecurity to executives who may not have deep technical knowledge?
In my opinion, the board does not need an understanding of complex technical topics to be aware of how cyberrisks can affect the company’s strategy or goals. Instead, board members need to understand the potential sources of risk and how those risks might impact the business. They should then be able to ensure that the strategy in place to manage these risks is aligned with the company’s risk appetite. It is part of the CISO’s role to translate the technical challenges into business language and propose the right approach for managing the risks. Once board members are aware of the risks and the proposed solutions for managing them, it is especially important that they promote a governance and oversight model that ensures a holistic approach to cyberresilience, assigns clear accountability for managing cyberrisk throughout the organization, and provides proper resourcing and funding to get the job done.
Many boards and senior leaders look for metrics that quantify and measure the effectiveness of a cybersecurity program. Can you describe any of the cyberrisk metrics or KPIs that Iberdrola has adopted?
Iberdrola is using several types of metrics to monitor the progress and effectiveness of the cybersecurity measures we have implemented and the evolution of cyberrisks. We carry this out at different levels, using a pyramid approach.
This starts with periodic maturity self-assessments of cybersecurity capabilities and key controls across the entire group, including all countries, businesses, and corporate areas. This helps us track our maturity at a high level so that we can make sure that our medium- and long-term strategies correctly prioritize the areas that require more attention.
At a tactical level, we continuously monitor select technical metrics and associated registered events. These metrics help us evaluate the extent to which cybersecurity initiatives have been deployed, as well as their effectiveness in reducing cyberrisk.
It is also important to have metrics that measure business risk. We do this by assessing the potential impact on the business of likely cyberrisks, factoring in the likelihood of certain threats, given the effectiveness of our existing cybersecurity controls. We obtain these metrics by applying a common global cyberrisk methodology that helps the group and individual business units assess the risks associated with the technology they use to support their critical processes.
As you have noted, in the electricity industry, the consequences related to a cyberattack on one organization can cascade and affect numerous other businesses, industries, organizations, and citizens. The implementation of new technologies—the Internet of Things, artificial intelligence—has increased the level of interdependence and complexity in this ecosystem. How do you ensure cyberresilience when it might not be completely in your control? How important is it for leaders to engage on cyberresilience not just within their own companies but also throughout the ecosystem?
The various organizations in our industry—generators, transmission system operators, and distribution system operators—have always collaborated with one another and with national intelligence and law enforcement agencies to protect critical infrastructure against environmental events and physical attacks. These existing interdependencies have been amplified by digital technologies and by new participants that are increasingly relevant to the grid’s cyberresilience. That is why collaboration is so critical now.
Boards must promote collaboration with the public sector, third parties, technology providers—even with those in other industries, such as telecommunications. Moreover, I think that our industry should leverage existing collaboration protocols, updating them to include new strategies that can address emerging digital threats. Only by combining our efforts in the management of both physical and digital threats can we holistically advance the resilience of the grid.
Iberdrola is continually innovating and devising new ways to leverage technology in the energy space—especially green technologies. What is Iberdrola’s perspective on maintaining a security focus while innovating and integrating new technologies?
At Iberdrola, we recognize that digital transformation requires a systematic approach to cyberrisk management. The key is to implement a process that embeds cybersecurity by design in every new project. This means that the responsible business unit performs a cyberrisk assessment at the initial stages of its projects to understand the risk—and the controls required to manage that risk. This assessment can be guided or supported, but not owned, by a team of cybersecurity experts. Then it is the responsibility of the business areas to implement and follow the necessary technical and process controls for management of cyberrisk throughout the project life cycle. The team is also responsible for passing on the security requirements to relevant third-party suppliers and for validating that, before the new technology goes live, necessary controls have been implemented.
We have designated specific cybersecurity experts in each business unit who are responsible for supporting and supervising this process. The combination of cybersecurity and business knowledge they provide is key to ensuring that the technology and processes we adopt are secure and aligned with our business goals.