Defending Utilities as a Security Engineer
Thanks to the rise of the Internet of Things, every part of the electrical grid—from the power plants producing electricity to the appliances consuming it—has the opportunity to “smarten up” with sensors linked to Big Data applications. As the grid upgrades its technology, though, it also becomes more vulnerable to unexpected bugs and malicious cyber-threats. Systems and security engineers are the first line of defense against this new generation of potential problems.

These engineers are responsible for securing the network perimeter of the utility, as well as supporting day-to-day data-security operations. They also participate in the planning, design, installation and maintenance of security-related systems, in order to ensure the confidentiality, integrity and availability of the underlying data. If that weren’t enough, many tech pros in these roles must monitor compliance with security policy, which means reporting and coordinating the investigation of security incidents.

Dan Frein is a Chicago-based Principal at West Monroe Partners’ Security & Infrastructure practice for the energy and utilities industry. His areas of expertise include network design and implementation, as well as security assessment work. He describes his role as “keeping the lights on, figuratively and literally.” Repelling attackers requires a properly configured monitoring system, he added. “This can be measured by several metrics, one of which is by the numbers of alerts that come in. The fewer the better, if it’s accurate.”

Although the org chart may vary by city and the size of the utility, systems and security engineers generally report directly to a manager who may or may not be technically focused. If the utility is large enough to have multiple engineering teams, the engineer will spend a good deal of time interacting with other teams and their respective managers, and maybe even municipal representatives.

Software platforms commonly used by these engineers include Microsoft Windows for servers and workstations, VMware ESXi or Microsoft Hyper-V for virtualization technology, and Microsoft SQL or Oracle for database systems. Out in the field, software systems for electric, water, gas, and wastewater can vary even more. “Some of these systems and protocols are 30+ years old,” Frein said, “so that type of knowledge is generally learned on the job or brought to the job from previous utility experience—not learned in an academic setting.”

Engineers often find themselves provisioning new servers for new software applications. “Requirements are gathered or determined with the requestor and also perhaps with the software application vendor, the virtual machine is provisioned, the operating system (e.g. Microsoft Windows Server) is installed,” Frein said, “and depending on the size of the utility, the same engineer may be responsible for setting up the software application and associated pre-requisites, say, a database too. It’s not uncommon for engineers to wear multiple hats or maintain multiple skill-sets, especially in smaller utilities.”

Report-writing is another big part of utility-related jobs, making strong technical-writing skills a necessity (along with the ability to translate jargon for outside stakeholders). Engineers may have to explain situations to non-technical people, including the duration and impact of an outage or a security breach. The ability to effectively communicate, Frein added, “separates a good engineer from a great one.”

It’s also not outside the realm of possibility, according to Frein, that an engineer may have to handle a Freedom of Information Act (FOIA) request: “The engineer might have to gather technical information pertaining to their functional area to be included in the request response; an example might be how customer information is stored and protected.”

As infrastructure gets “smarter,” systems and security engineers become increasingly critical. Those who succeed in the role will be able to keep up with rapidly evolving technologies, unforeseen vulnerabilities, and escalating threats.