EnergyTech Insights (Part 2): Cybersecurity Risk Management in the Energy Services World

Over the last several years, and especially since the March 2018 attack on Energy Transfer Partners' pipeline data systems, which hit a third-party electronic data interchange (EDI) provider rather than pipeline operations, utilities and regulators across the country have argued the case for mandating cybersecurity protocols for energy services companies (ESCOs) and distributed energy resource suppliers (DERSs), collectively energy services entities (ESEs). The argument from this side seems clear: as big data continues to drive the need for interconnectivity and for sharing confidential utility and grid data across organizations, minimum standards for data protection must extend to the third-party service providers that access and use that data.

ESEs, conversely, reject the proposition that regulators, both state and federal, should impose mandatory requirements on them. They see it as overreach: enforcing protocols on organizations outside the bounds of the entities the regulations were originally intended to cover. While this argument has merit in principle, the reliability of the grid now depends critically on the safety and integrity of the data in use within it; and as the usage and flow of grid data keep expanding, the calls for regulation will only grow louder.

While the debate continues, some ESEs have taken a proactive approach to managing cybersecurity risk. Some have undergone independent examinations such as SOC 1, SOC 2, and other common attestations. Others have begun to consider a SOC for Cybersecurity examination. This examination is based on the cybersecurity risk management reporting framework developed by the AICPA, which lets an organization communicate relevant information about its cybersecurity risk management program while leaving it free to align that program with whichever controls framework suits its needs. This could include controls frameworks such as NIST SP 800-53, ISO/IEC 27001, the control criteria related to the AICPA Trust Services Categories (the Trust Services Criteria), and industry-specific standards such as the Critical Infrastructure Protection (CIP) Standards developed by the North American Electric Reliability Corporation (NERC). For more information on the SOC for Cybersecurity examination, check out our whitepaper.

As we've previously discussed, cybersecurity, data privacy, and regulatory compliance risks are the primary inhibitors of utilities' transition to cloud-based operations. While ESEs are not positioned to remove or reduce a utility's obligation to comply with codified regulation, formalizing a risk and controls framework tailored to the needs of their customers may offer a solution not only to the cybersecurity and data protection problems utilities have identified, but also to ESEs seeking a proactive way to address the growing cybersecurity concerns in their industry.

About the Author

Grayson Taylor

Grayson Taylor is a Senior Manager at Schellman & Company, LLC, with over 12 years of experience in attestation and compliance services. Grayson has managed hundreds of projects and examinations for Global 1000, Fortune 500, and regional companies over the course of his career. Grayson leads Schellman’s Houston practice with a focus on SOC 1, SOC 2, ISO 27001, HIPAA, and special projects related to the energy sector. As a senior manager, Grayson is also responsible for strategic initiatives, business development, and human capital development at Schellman.
