Cinda Daly, with Karen Mincey, Paul McClay, Cay Robertson, and Kevin Sturgill
Just looking at the group of people in this conversation, it’s pretty evident that the security practice at Tampa Electric Company is a collaborative effort. From the board room to the service desk, security is everyone’s business. And the service desk is front and center, every day.
As an organization in a highly regulated industry, Tampa Electric faces complexities and pressures that other organizations may not. As a guardian of the grid, those complexities and pressures are compounded. Yet Tampa Electric’s “culture of security” and practical approaches to security could apply anywhere.
Cinda Daly: What is your organization’s “culture of security”? How is it instilled and nurtured?
Paul McClay: As a public utility, we have a strong culture of safely delivering reliable service to our customers. We must have a secure network and secure control systems to deliver reliable service. As a part of that, we need to consider the issues of preparedness, compliance, and security. Preparedness relates to major events that can impact the grid; compliance and security relate to industry regulations that govern the grid. We carry this focus forward as threats to the infrastructure emerge, and we reinforce it through training and security awareness.
We’re also very active in the industry from an information-sharing perspective. We leverage our relationships with industry peers, law enforcement, and regulators to improve our situational awareness and our ability to respond to incidents. We look at data and infrastructure security in the same way we look at our company’s response to significant weather events, and we’ve taken steps across our environment to be better prepared for cyberthreats.
Daly: Who’s “in charge” of data security?
Karen Mincey: Organizationally, Paul is the director of information security and support, and that role reports directly to the CIO.
Daly: Paul, loaded question here: Does the buck start and stop with you?
McClay: I have overall responsibility for the program and the controls we have in place, but everybody is responsible for data security; it doesn’t start or stop with any one individual. You must have the people and the processes along with the technical controls to be effective. Each team member plays a role when it comes to that. Also, team members in various areas of the business own that information. So, with regard to privacy and intellectual-property concerns, these people are also responsible for protecting that data.
Daly: How are the ultimate stakeholders—the other C-suite executives—involved in strategy development and compliance?
Mincey: Our executive team and board of directors are very engaged. When we started seeing a lot more about the various threats out there today, we put together a cyber- and physical-security team to brief the executive team on a regular basis. We conduct security education for the board twice a year. Our board members also stay abreast of current security issues/topics and request briefings on what we’re doing to address those situations.
Daly: You have a highly integrated IT services team. How do you share and distribute security governance and access management responsibilities?
McClay: We’re talking about Tampa Electric today, but as a part of TECO Energy, which has multiple companies, we support and enforce a centralized process that cuts across all entities. Our group in information security deals at the policy level, managing the standards and procedures that support that policy and handling network security and incident response from a cybersecurity perspective. As such, we’re very dependent upon the service desk and access administration functions because they’re forward-facing: they’re what the business partner “sees.” People and processes are the way we do business, but people are only human. We keep security practices at the forefront, so that when you get “that” email, you think twice. It’s an ongoing process.
Daly: Two years ago, you moved access management responsibilities over to the service desk. What drove that reorganization, and what impact have you experienced since that transition took place?
Cay Robertson: The access administration team is the first line of response for access-related issues, just as the service desk is for technical issues. It just made sense to roll them together into the same organization.
Daly: What do you count on the frontline to do?
Kevin Sturgill: The service desk realizes that it’s the first line of defense in cyberwarfare, and it’s very proactive in identifying policy violations and potential threats. When someone asks for something that doesn’t adhere to policy and security practices, it doesn’t matter whether the person making the request is an analyst or a vice president: the service desk will not violate the policy for anyone. The team understands how important it is to the organization, and we celebrate that sense of responsibility and recognize them for bringing issues forward. They know we have their backs, all the way to Karen’s office.
Mincey: Our leadership team routinely interacts with the service desk (password resets, for example), and they understand the importance of security and why agents enforce certain policies. The executives are not at all offended; in fact, they often compliment the team’s efforts.
Daly: How much time does your service desk spend on security-related issues?
Robertson: Password resets represent the majority of what the service desk handles, even though most of that is automated. We also spend a lot of time releasing quarantined emails (approximately 200 tickets each month).
The quarantine list comes across three times a day. We stop every email that has an attachment that could be malware (among other things), and we question each one before we release it: Is it legitimate? Is someone expecting it? When someone calls to inquire about why an email wasn’t delivered, we go through the same verification process.
McClay: We have a pretty aggressive email filtering practice. When someone receives a notification that an email he thinks he needs has been quarantined, it’s up to the service desk to help him understand why it was stopped and determine whether it’s something he really needs. It’s a huge responsibility, because if the email is released and it is malware, it becomes a major issue for us.
Daly: Have you deployed any new tools or rolled out any new practices to mitigate risk and make secure practices easier to manage? What impact has this had on your support services?
McClay: We have the same tools most organizations have: firewalls, encryption tools, virus detection/protection, identity management, etc. However, while we have the best tools, the best solutions come back to the human factor. Does our team have the best behaviors? The best processes? We work on that continuously.
Daly: Most security breaches—and the highest risks, like hacking, malpractice, and human error—come from the inside. How do you balance the need for easy access with secure access?
McClay: Access is primarily based on what our team members need to know to fulfill their job responsibilities. In other words, we don’t give them much more than what they need to do their jobs. We’ve also isolated the most sensitive systems from the corporate network so they aren’t visible or accessible to people that don’t need them.
A large part of the balance is simply keeping up with process and personnel changes as people are promoted, move to other areas of the business, or leave the company. The access administration team has a very detailed process and works closely with HR to ensure that we know about personnel actions as soon as they occur so we can terminate access to the network in a timely manner. We’re also working on a user provisioning tool and the processes for supporting it in a way that ties back to our HR infrastructure in the ERP system.
Robertson: As part of the Lean evaluation, we examined our access removal and employee onboarding processes. We discovered some redundancies, as well as several manual processes that we were able to automate to avoid some of the human errors that occur. It’s a work in progress, and we talk regularly about how we can refine that process.
Daly: Human error can spring from a lack of understanding, awareness, or training. You talk about everyone being responsible for security and about providing training for the frontline to the board room. Overall, how do you train on security best practices?
McClay: We have a security awareness program, and we do a number of things through that program, including publishing articles on security topics, issuing informative emails from our service desk, and creating awareness posters several times a year.
A good example of this program at work is awareness about spear phishing, one of the most visible threats today. Tools that detect phishing are pretty good at detection because hundreds of people in an organization, millions globally, may get phishing emails. But spear phishing is more difficult. If Kevin, for example, gets a fraudulent email that appears to come from a trusted source, he may not be suspicious. When he opens the email, he might bring malware onto his system. Internally, we spear phish our team members to see how they would respond so we can test the effectiveness of the communication.
From the regulatory channel, there are very specific, required training programs for our team members, and we conduct annual refreshers on those topics. We also conduct biannual training on our code of ethics, which includes information security awareness.
Robertson: Routine security and compliance audits have revealed that human error occurs across the board. We developed a human performance training program for the access administration, security, and IT teams to explore the conditions that lead to human error. We built more awareness around what to look for, how to focus on the process at hand, and how to deal with the situation. During the course, we retrained these teams on policies and procedures and gave them techniques to help them avoid human error.
Daly: Mobile devices are part of your reality, with engineers and line crews out in the field 24×7. What are your security policies regarding mobile devices?
McClay: We treat all mobile devices the same way across the board, whether it’s a device sitting in a field service truck or a laptop sitting at someone’s desk. We bring the devices into the network with very secure authentication and encryption. Personal devices don’t get access to the company network. They may get access to email or some company data, but if they do, those devices pass through our mobile device management solution. Company-owned devices are treated the same way; they go through the same web-browsing and email-filtering system and standard security controls as any other devices that access the company network.
Daly: Protecting the grid is a risk unique to the utilities industry. What role does your service desk play in mitigating that risk?
McClay: The service desk provides support for some of the systems that manage the grid, while the access administration function handles user provisioning for those systems. They’re the main point of contact, and as such they must be aware of threats like social engineering, malware, and spear phishing. We greatly value the people at the service desk who help avert crises and increase our employees’ awareness of risks.
For more than twenty-five years, Cinda Daly has managed teams, written dozens of industry articles and thousands of pages of technical documentation, developed training courses, conducted sales and service training, and consulted in the technical support and customer service space. As HDI’s director of content, she is responsible for HDI’s virtual events, research, and electronic publications.