Making Security, Risk, and Privacy Management a Positive Part of a Utility’s Brand
The following excerpts show the value a utility can gain by educating customers about the positive side of its internal Security, Risk, and Data Privacy efforts.
In the first section of American Electric Power’s report on Corporate Sustainability, the following four subsections appear under the “About AEP” heading:
- Cyber & Physical Security
- Managing Risk
- Business Continuity & Resiliency
- Data Privacy
Portions of these four sections are excerpted below. They show how a utility that optimizes its internal processes to meet these new challenges can improve its corporate culture and strengthen its brand, rather than having these efforts seen merely as responses to problem areas.
Cyber and Physical Security
New threats and security risks for the electric power grid are constantly emerging as we continue to connect the Internet of Things (IoT), including sensors, routers and smart devices that are essential to a modern grid and 24/7 business transactions. Increased connectivity creates new entry points for potential attackers and poses new challenges for grid security. It is up to each utility to be prepared to contain and minimize the consequences of cyber and physical security incidents.
AEP classifies all of its bulk electric system facilities based on their criticality to determine the level of security needed. This approach allows us to design security controls for new infrastructure from the start.
The growth of smart energy devices, which are increasingly decentralized and interconnected, creates more entry points for bad actors who want to cause harm. Increased distributed energy resources (DER) are an example of a growing resource type that will open more opportunity for increased exposure to the grid. As a result, we will need mechanisms to secure company software and physical assets to protect the bulk electric system (BES) from attacks.
AEP learns from and takes actions based on real-world scenarios affecting global companies such as Sony’s ransomware attack, Target’s third-party risk, the Equifax data breach and the attack on Ukraine’s electric grid. Our Defense in Depth approach to cyber and physical security allows us to deal with threats in real time. These strategies include: monitoring, alerting and emergency response; forensic analysis; disaster recovery; and criminal activity reporting. Through rapid notification and response when attacks and disasters are underway, we can delay cyberattacks and avoid or mitigate the damage before the full effect of the threat is realized.
Mitigating these risks requires a coordinated approach to monitoring, response and employee education, the use of cyber tools and physical protection systems, as well as critical partnerships with the public sector, peer utilities and other industries.
Managing Risk
Today’s era of disruption from distributed energy resources, digital technologies, and the electrification of other sectors requires a consistent and data-driven Enterprise Risk Management (ERM) framework. Having a comprehensive implementation plan helps us to identify risks, address critical gaps and develop a culture that recognizes risk and is empowered to take appropriate action. AEP’s ERM process looks at all risks, actual and perceived, across all aspects of operations through an integrated risk management framework. This is the process we use to identify risks, assess the risks and controls, plan mitigation strategies and monitor the risks. This process informs and prioritizes asset replacement strategies, and enables us to make risk-based investment management decisions.
AEP’s risk framework has four major categories:
- Strategic – These are risks that affect our long-term or overall business goals and ability to achieve them.
- Financial – Potential risks that affect our financing needs, financial standing, and/or reporting requirements.
- Operational – Those risks that affect our ability to operate the power grid.
- Regulatory – Risks that affect our legal and compliance requirements.
From a governance perspective, these risks are reported from the appropriate business units or operating companies into the ERM process. The Chief Risk Officer reports a summary view of risks to the Risk Executive Committee, which is composed of senior leaders, to illustrate risk ranking and remediation dates and, ultimately, gain consensus on an action plan. This summary is then reported to the Audit Committee of the Board of Directors. The catalogue of risks is assigned to a specific Board committee or the full Board. At the end of the year, the Committee Chair and Lead Director review it to ensure the appropriate discussions have occurred.
Business Continuity and Resilience
Business continuity is about being prepared – having plans in place to respond to an unexpected event, such as a cyberattack or natural disaster. Business continuity plans mitigate risk to acceptable levels and allow the business to continue functioning regardless of circumstance.
AEP’s business continuity program is a partnership between our Enterprise Business Continuity & Resilience (EBCR) team, business units, operating companies, corporate functions, the Crisis Response team and the Infrastructure & Business Continuity (IBC) team. The IBC, EBCR and Crisis Response teams provide support, project management, expertise and tools to help business units develop robust plans to minimize business disruptions by decreasing response time, limiting financial impacts and maintaining customer confidence during a business interruption.
Business continuity planning helps us be prepared when an event happens that disrupts our operations. The threat of a cyber or physical attack or workplace-related incident is a risk for AEP, as are many other events that could interrupt business operations in one or all of our facilities. We continue to mature our business continuity practices by further aligning resilience functions with operational risk management through an annual assessment and refinement process that includes:
- Business impact analysis
- Exercises and drills to test plans
- Regular Business Continuity Plan review and updates
- Resilience assessments
- Semi-annual executive crisis management exercises
- Roadmap to increase maturity of the business continuity program
Data Privacy & Protection
AEP collects a lot of personal data from customers, employees and business partners. When they share information with us, they expect that we are taking every step possible to protect it. We take that responsibility seriously. AEP’s PII (personally identifiable information) Data Protection Program seeks to protect and secure the personal data we hold related to customers, employees and contractors.
This includes several protective measures such as blocking outbound emails containing unencrypted PII, monitoring employee access to PII, encrypting PII data when the data is “at rest” (not being used actively), and implementing a PII asset certification process. Every year we ask data owners to confirm that the PII in their possession is necessary for business and that it is properly protected. Removing unnecessary or duplicate information is an important step in protecting our customers and others, and for reducing the risk of a loss of PII data.
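The first measure in the list above, blocking outbound e-mail that carries unencrypted PII, is the kind of control a mail gateway's data loss prevention (DLP) step performs. The following is an added example written for this page, not AEP's own tooling: it scans an outgoing message body and its plaintext attachments for two constructed PII patterns (US Social Security numbers and Luhn-valid payment card numbers), treats mail to recipients outside a hypothetical internal domain (`example.com`) as outbound, and blocks the message unless the gateway has already marked it as encrypted. The sample messages, the domain and the `encrypted` flag are assumptions for illustration.

```python
"""Outbound e-mail PII gate (added example, not AEP's own tooling).

Illustrates "blocking outbound emails containing unencrypted PII":
scan body and plaintext attachments for PII patterns and block the
message unless it is marked encrypted. Patterns, domain and sample
messages are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# US SSN: 3-2-4 digits with optional separators; simplified area/group/serial
# exclusions (000, 666, 9xx areas; 00 group; 0000 serial). Constructed pattern.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
)
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces/dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

INTERNAL_DOMAIN = "example.com"  # hypothetical; not AEP's real domain


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class OutboundMail:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # name -> plaintext content
    encrypted: bool = False  # assumed to be set by the gateway (e.g. S/MIME applied)


@dataclass
class Verdict:
    action: str           # "allow" or "block"
    findings: list[str]   # redacted descriptions of what was found (last four digits only)


def find_pii(text: str) -> list[str]:
    """Return redacted findings for every SSN and Luhn-valid card number in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(f"ssn:{m.group()[-4:]}")   # never log the full value
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(f"card:{digits[-4:]}")
    return findings


def evaluate(mail: OutboundMail) -> Verdict:
    """Block PII leaving the organisation unencrypted; internal-only mail is not scanned."""
    external = [r for r in mail.recipients
                if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return Verdict("allow", [])
    findings = find_pii(mail.body)
    for name, content in mail.attachments.items():
        findings += [f"{name}:{f}" for f in find_pii(content)]
    if findings and not mail.encrypted:
        return Verdict("block", findings)
    return Verdict("allow", findings)


if __name__ == "__main__":
    # Constructed sample: PII in the body of an unencrypted external message.
    sample = OutboundMail("a@example.com", ["b@partner.test"],
                          "SSN 123-45-6789 and card 4111 1111 1111 1111")
    print(evaluate(sample))
```

The findings are deliberately redacted to the last four digits so the gate's own logs do not become a second PII store, and the verdict keeps the findings even when the mail is allowed, which is what an "employee access to PII" monitoring feed would consume.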
We launched a Personal Data Portal, which allows PII to be securely transferred into AEP. This includes information that was previously transmitted via email or telephone. In 2017, we also created a management position dedicated to data protection and privacy. This position sits within the Enterprise Security organization to strengthen our commitment to protecting both AEP’s sensitive corporate data and the privacy of our customers, employees and business partners.
While AEP collects significant amounts of data, we take appropriate steps to protect the privacy of all the data we collect.
The full About AEP section of the AEP Sustainability Report is at this link.