Dominion Energy is resolved to make sure this never happens to us – or to you:
Two days before Christmas, 2015, hackers wormed their way into the Ukrainian power grid. That afternoon an operator in the control center of a western Ukrainian power company watched the pointer on his computer monitor begin moving, seemingly of its own volition. It clicked on a box to take a substation offline, and clicked again on a dialogue box to confirm the decision. Then it turned off another substation, and another.
Soon more than 230,000 residents found themselves without power in the dead of a cold Ukranian winter. It was the first successful cyberattack on an electric grid.
To stretch beyond simply complying with security regulations. We have one goal: to protect the critical infrastructure that our customers rely on for their health and safety, that our country relies on for national security and that our economy relies on to drive business operations and growth. If the energy grid goes down, people can lose their livelihoods. That’s why we have an exhaustive system of rigorous security protocols, overseen by experts who work directly in protecting against cyberattacks.
How We Performed:
We deploy technical controls using a defense-in-depth approach, continuously strengthening our defenses to identify and prevent external attacks as well as insider threats. We revise the cybersecurity strategic plan at least annually, with status updates and performance metrics provided to the board of directors and senior management team. Employees have completed Information Protection and Phishing training. The company has participated in cyber exercises with the National Guard, conducted vulnerability scans and conducted penetration tests with more planned before the end of the year. NERC CIP Cyber Vulnerability Assessments are underway.
|Employees will complete annual training to educate them in their role as the first defense in cybersecurity. In addition, internal and third party-led exercises to evaluate cybersecurity defenses will be performed. We will conduct four cybersecurity drills in 2018. These are conducted with both internal resources and external parties, including other utilities, regulatory agencies and law enforcement. We will conduct four Independent Vulnerability Scans in 2018. These scans are conducted by third parties to identify any public facing cyber vulnerabilities. We will conduct six Penetration Tests in 2018. These tests are targeted testing of vulnerabilities of our external and internal systems. We target enterprise and industrial control systems, with remediation of any issues found as a high priority. We will conduct North American Electric Reliability Critical Infrastructure Protection (NERC CIP) program Cyber Vulnerability Assessments at 65 locations in 2018. We aim to remain in the top quartile of BitSight assessments, a third-party organization that conducts external cyber assessment and scoring of major companies. We revise the cybersecurity strategic plan and prioritize cybersecurity investments based on these external assessments, threat intelligence and our assessment of risk.||We revised the cyber security strategic plan and prioritize cyber security investments based on these external assessments, threat intelligence and our assessment of risk. Employees have completed Information Protection and Phishing training. The company has participated in National Guard cyber exercises, completed vulnerability scans, penetration tests and NERC CIP Cyber Vulnerability assessments.|
Where We’re Headed:
We will continue to enhance cybersecurity for systems that generate and move energy. We will heighten user awareness training with a focus on current and emerging threats. We will augment programs to monitor and detect malicious activities in the organization.
In 2019 we plan to conduct four cybersecurity drills, four independent vulnerability scans and eight penetration tests, and plan to perform NERC CIP Cyber Vulnerability Assessments at multiple locations.
We prioritize cybersecurity investments based on three primary components:
We partner with information-sharing organizations in the energy sector — as well as local, state and federal agencies — to gain insight into and actionable intelligence about cyber threats.
We deploy technical controls using a defense-in-depth approach, continuously strengthening our defenses to identify and prevent external attacks as well as insider threats. We realize that our people provide the first and last line of defense. That’s why we continue to educate and train our users to help identify threats and malicious activities.
We use internal and external vulnerability assessments, penetration tests, drills and simulations to search continuously for gaps and opportunities for improvement. Both Dominion Energy and third parties that specialize in security services perform the assessments. We conduct drills with other utilities, regulatory agencies and law enforcement, and perform vulnerability scans to identify public-facing cyber vulnerabilities. Whether through annual tabletop exercises or actual restoration operations, we validate recovery procedures and system resiliency to ensure we can return critical systems to normal operating levels in a timely manner.
The threat landscape is constantly changing. As we deploy more intelligent devices to modernize the grid and improve reliability and efficiency, our risk profile changes.
We have implemented additional monitoring and protections to help make sure that sensitive data, such as customer personal information, remains secure. We have deployed solutions to further strengthen perimeter defenses, secure critical system-to-system communications against unauthorized access and increase the resiliency of business operations. We continue to improve awareness training to help our users better identify malicious emails. We performed multiple assessments and penetration tests, remediating critical findings and closing any gaps we identify.
For example: In 2019 we will conduct four cybersecurity drills, four independent vulnerability scans and eight penetration tests, and will perform North American Electric Reliability Corporation critical-infrastructure protection Cyber Vulnerability Assessments at multiple locations.
Our nation’s way of life depends upon energy. Protecting critical infrastructure and maintaining industry-leading security posture will remain a top priority.