Security

Why Energy and Utility Companies Must Beef Up Identity Access Management

Recent high-profile breaches have made clear that the industry must do more to ensure it knows who’s seeking network access.

Alexander Huls

Alexander Huls is a Toronto-based writer whose work has appeared in The New York Times, Popular Mechanics, Esquire, The Atlantic and elsewhere.

Security threats have always been a concern for the energy and utilities industry. That’s because the services the sector provides are responsible for some of the cornerstones of everyday life: electricity, gasoline and more. The stakes are high. The significant rise in high-profile data breaches and ransomware attacks have only made them higher.

As the industry continues to respond to the threats, in the midst of a post-pandemic shift to remote-work models, one means of improving security has become especially critical for the E&U industry. “Identity access management (IAM) is a foundational requirement for cybersecurity,” says Neil Lappage, a member of the ISACA Emerging Technology Advisory Group.

It’s also a chief source of vulnerability. “If you look at a lot of recent reports, the initial access vector for a lot of attacks is compromised credentials,” Lappage says.

Given its importance, we considered what challenges IAM can help solve, and which tools are best to do so.

The Cybersecurity Challenges Facing the Energy and Utility Sector

Those who work for the E&U industry create a unique challenge. “Employees are very much a geographically and physically distributed workforce,” says Andras Cser, vice president and principal analyst at Forrester. Beyond the office, workers can be distributed all over geographically, whether it’s a team at an oil well thousands of miles away or an electrician making fixes on an energy company’s downed power line. The need for technology to manage network access for all employees — no matter where they are, what devices they are using, what position they hold or what work is being done — can be formidable.

Click the banner below to dig deeper into identity access management guidance from CDW.

Complicating matters is the fact workforces are always in flux. That’s no different for E&U companies. Onboarding, retirement, promotions and departures will all require quick adjustments to access permissions. “It’s based on JML: joiners, movers, leavers,” says Lappage. “It continues to be a problem for people because you need to have a strong JML process within an organization for your identity access management to work well.”

The shift to remote and hybrid models of work in the wake of the pandemic has only made things harder, in an industry already heavily dispersed. More devices, IoT and cloud applications have added new endpoints for hackers to exploit. The law of averages, in other words, is not in favor of E&U companies.

Solutions to IAM Challenges for Energy and Utility Companies

Among the tools available are on-premises identity and access management services, such as CA Identity Manager, and cloud-based services, such as Okta or Centrify. There are also IAM tokens, which provide secure access by generating a passcode, producing a digital certificate or activating authentication technology. The future promises greater tools as well, with biometric security rapidly becoming more advanced. Biometrics can tackle IAM simply by recognizing physical attributes of a person — their face, voice, fingerprints or eyes — then granting access.

Some tools are, however, not technological but institutional. Organizations should have a concrete plan for how IAM is set up and implemented. A strategy that’s not fully thought out can leave E&U companies vulnerable. “Your weakest link is the system that’s not managed,” Lappage says.

MORE SECURITY: Explore key considerations when deploying video surveillance.

That’s why some companies have shifted responsibility for access management away from IT departments to human resources, which has better data — and a better overview — of employee information. When JML happens, they are the first to know. Granting them authority for IAM ensures the quick access adjustments that close vulnerabilities.

“You want to make sure that everything comes from HR and flows down to the other systems,” says Lappage. “The awareness of the enhanced role of HR inside the organization is really important to the success of an IAM project.”

There are, of course, other tools, such as zero trust and secure access service edge, that have emerged on the market to improve cybersecurity. Lappage offers a caution, however. “Identity is the backplane to all those contemporary security controls. If you don’t have really strong identity access management, people are going to struggle with implementing those contemporary types of controls.”

In other words, the best way to manage IAM within an energy or utility organization isn’t a matter of subscribing to a cybersecurity service. “There are a hundred things you’ve got to do in security, and there’s no silver bullet,” Lappage says. However, a proper IAM plan, the right tools and proper awareness of the threats can help keep companies safe.