
Rocking the Boat: Why Challenging the Status Quo is Essential for Protection
To establish a sustainable security stance, utilities must overcome complacency, misconceptions and parochialism.
For those tasked with securing and protecting utility assets, the most formidable adversaries aren’t always external. While threat actors, cybercrime and infrastructure sabotage are real and constant threats, internal biases and resistance to change are some of the most challenging security obstacles. If not overcome, three specific challenges – complacency, misconceptions and parochialism – will render futile any attempt to enhance security.
Pervasive complacency, entrenched misconceptions and long-standing parochialism create security challenges that no firewall or physical barrier can remedy. They coalesce into a form of resistance that blinds decision-makers to the need for enhanced security and allows embedded vulnerabilities to go unchecked.
This internal resistance leads to poorly considered, quick-fix, one-size-fits-all solutions. It also leads to panicked, knee-jerk reactions and perception-driven fortification overkill when a critical incident does occur. The only way to clear these obstacles is to challenge the status quo – which is easier said than done.
Establishing a sustainable security stance requires identifying, confronting and dismantling all three internal obstacles. This means dismantling traditions, changing long-held beliefs and overcoming mental rigidity. In other words, you must rock the boat and shake things up right down to the core. It isn’t easy to do, nor is it fun, and it won’t make you popular with your colleagues. But as a utility security professional, your job is to enhance protection, not win popularity contests.
How do we accomplish such a monumental task? It is not easy, but it is doable, so let’s get started.
Vigilance’s Silent Assassin
Complacency and the desire to maintain the status quo lie at the core of institutionalized resistance.
Complacency is vigilance’s silent assassin. “If it ain’t broke, don’t fix it” is an industrywide mantra among utility personnel, permeating the ranks of executive leadership, filtering down to operational staff, and even affecting those entrusted with safety and security. Clinging to well-worn routines cultivates a security posture that is both weak and static, leaving the organization ill-equipped to respond to today’s evolving threat landscape.
“That’s how we’ve always done it” cultivates the illusion that a utility is protected by the presence of an ancient chain-link fence, a few lights in the parking lot and the remnants of a half-dozen faded signs, along with a smattering of unmonitored security cameras and maybe a few stagnant security practices that have long since lost their effectiveness.
The Quietest Threat
Complacency is the quietest threat, making it the most dangerous of the three. The problem stems from the fact that security threats are mostly intangible dangers that can be easily overlooked. A complacent utility can go years or even decades without facing a critical incident, inevitably leading to a false sense of security. The “it hasn’t happened yet” mindset becomes the norm, security budgets are slashed or disappear altogether, and protection protocols become relaxed and optional.
If everything continues to go smoothly, the mindset shifts to “things like that just don’t happen to us.” At this stage, security protocols are all but forgotten. Employees regularly cut corners on procedures, and protection protocols become optional and rarely used. Ironically, when a critical incident finally happens, the employees voicing these views are the ones most stunned by the incident and most vocal in demanding to know why preventive steps weren’t taken.
Overcoming complacency will be a challenge. The key is to adopt an approach that emphasizes acceptance and buy-in from all internal stakeholders. Focus on accomplishing incremental changes. Remember, every 1-degree directional shift puts you on a different trajectory.
Debunking Misconceptions
Misconceptions about security stem from a lack of understanding, overreliance on outdated techniques or years of accumulated misinformation. Misconceptions hinder progress; if not addressed, they will stifle innovation and advancement. To accomplish meaningful change, you will need to dispel widespread myths and clarify the facts behind security strategies. The list of misconceptions is long, but here are four you are likely to encounter.
Misconception 1: Security is solely an information technology (IT) problem. This overlooks the fact that every utility has four distinct security domains; cyber/data is just one of them. Digital attackers seldom distinguish between IT and operational technology (OT). A network breach can be devastating, but it can also serve as a gateway to control system attacks. For example, although IT and OT are separate systems, a phishing attack on a staff member could provide an attacker with the necessary information to launch an attack on the OT network. Other times, threat actors focus solely on the OT system. Thus, both the IT and OT technical staff must be engaged in security.
We haven’t even touched on the other three security domains (i.e., facilities, infrastructure and personnel). Achieving a strong security posture requires a holistic, 360-degree defense that can only be achieved through a collaborative, all-hands-on-deck approach.
Misconception 2: Compliance equals security. For utilities subject to the North American Electric Reliability Corp.’s Critical Infrastructure Protection regulatory requirements, it is important to understand that meeting the minimum NERC standards does not necessarily constitute a comprehensive security strategy. Each compliance standard has a specific purpose and focus. A robust security stance is proactive, inclusive and continually evolving to protect against emerging threats on all fronts; it is not merely ticking off boxes and filing obligatory regulatory reports.
Misconception 3: Advanced technology is a silver bullet. While new technologies such as AI-driven monitoring, advanced threat detection systems and zero-trust architecture are powerful tools, they are not all-encompassing, singular solutions to security threats.
Relying solely on technology creates a false sense of security. No matter how sophisticated the technology, exclusive reliance on it will inevitably create vulnerabilities that can be exploited.
Technologies are only as effective as the people who manage and operate them and the policies that govern their use. They also become obsolete at an astonishing speed. It is important to recognize that for every new technological advancement, an entire industry emerges to devise methods to counteract it. A strong security posture will embrace technology as a tool and a resource rather than relying on it as a silver bullet that defeats every threat.
Misconception 4: Law enforcement provides all the security protection we need. The widely held belief that law enforcement is an end-all solution to any security incident – one that will always arrive in the nick of time to save the day – is a myth. Unfortunately, it is perpetuated by law enforcement, popular culture and politicians. Although it is easy and comfortable to believe this myth is true, the simple fact is that law enforcement and security are not the same thing. This distinction has been proven time and again, with lethal results, yet it remains one of the most insidious myths we continue to face.
For many, it’s easier to hand off security to “the professionals” than it is to take on the responsibility of ensuring that the utility is protected. I will reiterate that law enforcement and security are not the same domains. Yes, there is overlap, and yes, there are security professionals within the ranks of law enforcement. But assuming every member of law enforcement is a security specialist is akin to believing every member of the U.S. Air Force is a pilot – it’s just not true. And as recent tragedies have proven, trusting in this myth can have lethal consequences.
So, how do we dispel it? First, understand that you cannot delegate your organization’s security to a third party, not even law enforcement. They are a valuable resource to integrate into a comprehensive security strategy, but you should never cede the ultimate responsibility for security to anyone outside the organization. That must always remain in-house.
Breaking Down Parochialism
Parochialism is characterized by an insular, narrow-minded focus on a single department or subsector, creating operational silos within an organization. The “it’s not my problem” mindset, stemming from parochial thinking, fosters a culture of isolationism that inhibits the collaboration needed to protect a complex, interconnected system.
In many utilities, the operational landscape is marked by the isolation of IT, OT, physical security and corporate administration, with each functioning as a separate entity with distinct priorities, territories and budgets. This creates a fractured security environment that threat actors can easily identify and exploit. Experienced aggressors can easily spot and manipulate the unprotected weak seams and communication gaps created by departmental silos.
To overcome parochialism, security must be redefined as a corporate-wide effort – one that must be continually refreshed and adapted. Disparate security activities should be consolidated into a comprehensive, manageable strategy that integrates and supports diverse efforts across all security domains. In other words, break down the silos. Here are three suggestions for overcoming parochialism to get things moving.
1. Foster cross-departmental collaboration. Create joint security task groups with representatives from IT, OT, physical security, operations, human resources and executive management. These groups can share threat intelligence, coordinate incident response protocols and ensure security is integrated into all aspects of the utility’s business. Establish a standing risk assessment and response team made up of members from every department who can quickly assemble to evaluate emerging threats and respond to ongoing incidents.
2. Promote an “all in the same boat” attitude. Ensure that every employee, regardless of job description or responsibilities, understands their role in contributing to the utility’s security framework. Ensure they see the connection between their daily tasks and the broader security landscape. Develop a comprehensive training plan to enhance security skills and foster a culture of vigilance and responsibility. Effective ongoing training helps ensure employees understand the significant impact of their actions on the organization’s overall safety and security.
3. Leverage industry partnerships. Look beyond the boundaries of your own organization. Actively engage in Information Sharing and Analysis Centers and other industry peer networks. Sharing information about threats, vulnerabilities and best practices with others in your sector can help build a strong collective defense.
Conclusion
In an increasingly hostile world, a static security posture is a ticking time bomb. Rocking the boat isn’t about creating unnecessary chaos; it’s about actively adapting and evolving to stay one step ahead of those who wish to do harm. Embracing this challenge is the only way to ensure long-term protection.
Challenging the status quo is also the basis for a more resilient and reliable utility. To accomplish this, you will have to overcome real issues of complacency, misconception and parochialism.
So, be warned: you’ll need a truckload of stamina and courage. Achieving real change means pushing people out of their comfort zones and shifting long-held paradigms and beliefs. Some people will inevitably be upset, and you’ll face anger and resentment along the way. But with persistence, patience and thoughtfulness, these issues can be overcome. Good luck, and now, get at it.
About the Author: Jim Willis, M.Sc., CMAS, CHS-V, is the president of InDev Tactical, a security training and consulting firm. He is a utility engineer, credentialed homeland security specialist and anti-terrorism expert. To discuss utility-focused security training or consulting assistance, contact Jim at 703-623-6819 or jim.willis@indevtactical.net.