Cyber Risk Governance And Management Model For Smart Grids: A Critical Review

Summary of the Article

The evolution of the traditional electricity grid into the smart grid is being experienced across the world. The smart grid integrates the old electricity grid with technological components that support information and communication technologies (Zheng, 2013). This has made it possible for power providers to monitor, control and manage their electricity utility remotely, hence providing an efficient and available power system that meets their customers' demands (Hardy, 2018). In essence, a smart grid power system consists of many devices and components connected together in a quite complex network. This interconnection of remotely accessible network devices and components brings about many security issues and vulnerabilities for smart grids, in the same way as for any ICT system (Aloul, 2016).


Therefore, this report reviews the article "Cyber Security Governance and Management for Smart Grids in Brazilian Energy Utilities" and summarizes its proposed constructs, framework, methodology, findings and assertions on the governance and management of cyber risks in organizations implementing smart grids. The report also presents an organization of choice, PowerGen Technologies Limited, giving its background, industry, cyber spaces and cyber risk information. It then examines the cyber security governance and management model used in the article and relates it to the chosen organization. The implications of the model's policies and processes for the organization are discussed, with an in-depth explanation of how the model fits the organization, followed by an assessment of whether the model is consistent with COBIT 5, COSO and ISO 31000. Finally, the report proposes a model for cyber security governance and management for PowerGen Technologies Limited and gives a comprehensive conclusion.

The article's research was based on an analysis of the current situation of Brazilian energy utilities in relation to cyber security for smart grids (Pardini, 2017). The researchers proposed two constructs: cyber security governance and cyber security management. Under these two constructs, nine dimensions were defined, five for cyber security governance and four for cyber security management. The cyber security governance dimensions were:

  • Legal and regulatory basis (normative dimension)
  • Interactionist relational
  • Transparency and inspection
  • Executive board
  • The rights of the shareholders

The cyber security management dimensions were:

  • Cyber security strategic planning
  • Risk management
  • Asset management
  • Human resources management

Based on the two constructs and the nine dimensions, which represented specific variables, statistical techniques and the Delphi method were used to validate and assess the research instruments for analyzing the energy utilities in Brazil. A theoretical-empirical model for the governance and management of cyber security was applied and later subjected to tests by academic experts and professionals from the Brazilian energy sector. The research methodology involved the use of Google Docs questionnaires for data collection. The questionnaires were structured using the topic variables retrieved from the literature and related to the nine dimensions. The research was carried out in two rounds: the answers from the first round lacked expert consensus, so they were used as the basis for a second questionnaire applied in round two. The data obtained was analyzed using the SurveyMonkey tool and the experts' results calculated.

Findings and Assertions

  • Lack of participation from the board of directors

The boards of directors of Brazilian energy utilities do not participate in making operational decisions on cyber security; therefore the shareholders' and executives' cyber security processes and planning remain isolated and are not regarded as part of the corporate governance and management processes. This makes it hard to implement an effective cyber security framework.

  • No long-term cyber security planning

Another observation made during the research is that there is no long-term planning focused on cyber security processes, because cyber security operations are dealt with at the lowest levels of the organization and treated as isolated actions.

  • Lack of knowledge on representation of governance dimensions

It was also observed that even the Brazilian energy experts do not understand the representation of the governance dimensions as well as they understand cyber security operational management.

  • Management dimension was best evaluated by experts

In relation to smart grids, the dimension that received the best expert evaluation was on the management side, critical asset management, while the rights of the shareholders on the governance side was the worst evaluated. This was a result of inadequate knowledge of what the governance dimension consists of and what role it ought to play in enhancing cyber security for smart grids.

Based on the results obtained in this research, it was therefore concluded that there were no strategic plans for detecting, identifying, analyzing and responding to operational cyber security threats and vulnerabilities in the Brazilian energy utilities sector (Pardini, 2017).

Evaluation of the Proposed Model

A thorough evaluation of the proposed model in this article shows that it provides a sound guideline for fighting cybercrime targeted at smart grid platforms. The model addresses the main issues that matter to Brazilian utility companies in relation to cyber security, since it gives clear insight into how such organizations should approach cyber security, from top management down to junior staff and customers. If adopted by Brazilian utility companies, the model should help reduce smart grid attacks, since it addresses all the governance and management dimensions concerned with the companies' cyber security.

The model's structure is consistent with international risk management frameworks such as COBIT 5 and COSO, among others, because the model recognizes the role of every stakeholder in the Brazilian utility sector. Its approach of integrating cyber security strategy into the utility's business strategy, while recognizing both the major governance dimensions and the management dimensions, gives it an international character that can be adopted by any utility company in curbing cyber threats to smart grids.

The model also provides quality guidelines that organizations outside the energy utility sector can follow in formulating proper ways of fighting cyber-attacks on their information systems, as this threat cuts across every industry where ICT is incorporated. The structures of many organizations are similar to the one given for Brazilian utility companies, which makes the model appropriate for other industries as well, since cyber-crime is a global problem. Considering that each organization has a governance body and a management team that runs the company's business operations, the model breaks such a structure down into dimensions and gives every stakeholder an opportunity to contribute to the fight against cyber-crime, irrespective of the position one holds. The model therefore represents a general framework for approaching cyber-attacks, applicable not only to smart grid systems but also to information systems in other organizations.

Background of PowerGen Technologies Limited

PowerGen Technologies Limited is a Kenyan-based leading energy utility company whose target market includes East and Central Africa. The company is involved in the design, supply, installation, testing and commissioning of energy infrastructure such as power generation, transmission, distribution and telecommunication (Technologies, 2018). The company has partnered with Kenya Power, the body mandated to distribute electricity in Kenya (it operates the national grid), with the Rural Electrification Authority, which is mandated to reach remote places the national grid cannot reach, and with many other partners across the African region.

PowerGen Technologies Company is structured into two divisions: the Technical division and the Finance and Administration division. The Technical division comprises the following departments:

  • Department of Research and Business Development
  • Department of Design and Engineering
  • Department of Electrical Power Projects Construction
  • Department of Telecommunications
  • Department of Civil Engineering

The Finance and Administration division comprises the following departments:

  • Finance department
  • Accounting department
  • Human Resources department
  • Internal Audit and Standards department
  • Administration department

All these departments work together in ensuring that the company provides quality services to its customers in the energy sector.

The company provides various power-related services, such as:

  • Power distribution and transmission
  • Telecommunication infrastructure services, including underground and overhead fiber networks
  • Automation and remote control of medium-voltage (MV) networks
  • Integration of substation automation systems
  • Operation and maintenance of the power grid and road networks

Due to changes in technology, the company currently manages all its power grids remotely, monitoring its power systems located in remote places in Africa as well as monitoring its customers' energy consumption using smart meters. Although this approach has improved the company's service delivery and management operations, the company faces several security threats to its smart power grid system (Tudelft, 2017).

The company operates within three cyber environments: the inter-organizational environment, the general environment and the global international environment, since it operates both within and outside Kenya (Technologies, 2018). This means that the company experiences cyber risks at the three levels of cyber space in which it operates, hence its cyber environment model is similar to that of the Brazilian energy utilities (Pardini, 2017), as shown below.

Synthesis of the Proposed Model to PowerGen Technologies on Cyber Risk Governance and Management

The model proposed in the article consists of governance, management and normative models addressing cyber security issues, taking into consideration that the purpose of cyber security is to protect organizational data, the power system and communication networks from deliberate attacks, and to manage the risks of recovering smart grid infrastructure after an attack (Morehouse, 2010). The cyber security concept consists of security policies, tools and equipment, guidelines and safeguards, risk management approaches, actions, training, codes of conduct and technologies used to protect cyber space and the organization's information assets. The proposed model relies heavily on the governance and management constructs as its backbone, with the governance aspect focusing on the system's controllers and regulators and the management construct defining the responsibilities of these controllers and regulators in relation to communication (responsibilities that are influenced by the executive).

Cyber security governance in this model looks at what organizations should do differently, or add to their current actions, in order to achieve proper information security (OkinoOtuoze, 2018). It involves analyzing the organization's cyber security readiness based on risk prevention, the extent of the cyber security strategy, integration of the strategy, adaptation of the strategy, and how quickly decisions to counter cyber-attacks are made by all the stakeholders (Shapsough, 2016).

The theoretical-methodological model proposed in the article provides a means for organizations to reflect on the responsibilities of every stakeholder in enhancing the cyber security of the smart grid; hence it will act as a point of reference for PowerGen Technologies as it analyzes its cyber security mechanisms from both the governance and the management point of view. The model recommends equal treatment and involvement of each stakeholder and describes how each should relate to the others in curbing cyber risks. It also defines the executive board's responsibilities in governing cyber security for the implementation of smart grids.

Having cyber security strategy integrated with the organization's other strategies, mission and risk management as a policy will enhance commitment between utility companies such as PowerGen Technologies and their partners, customers and suppliers through shared knowledge of the threats and vulnerabilities that may affect the organization's smart power grid. This policy will ensure that stakeholders at PowerGen are involved in the process of securing the company's infrastructure against cyber-attacks (Conovalu, 2015). It will help both the technical departments and the finance and administration departments, together with their customers, to put in place strategies that take into consideration the security mechanisms needed to protect the company's smart grid from the numerous attacks it currently experiences.

Highlighting the different dimensions that cut across the governance and management of cyber security will ensure that the responsible persons put in place processes or actions that help mitigate and respond to cyber-attacks. This approach will improve PowerGen Technologies' readiness to deal with attacks on its power systems, including hacking of its smart meters and malware attacks on its smart grid servers and network, among others (Conovalu, 2015). The dimensions will provide the company with an effective framework that acts as a guideline for making sound decisions when formulating its cyber security mechanisms.

The management and governance setup of PowerGen Technologies Company in Kenya is more or less similar to that of the Brazilian energy utilities analyzed in the article. The company operates within the national, international and organizational cyber environments and experiences the same threats as those utilities. The proposed cyber security model will therefore be of great importance to PowerGen, as it gives clear recommendations on what such companies should do to overcome smart grid cyber-attacks. Looking at the organizational structure of PowerGen Technologies, where the company is divided into a technical part (management) and an administration part (governance), these divisions fit the proposed model well, because the model defines its cyber security dimensions across these same two constructs and hence accommodates all the decision making and operational actions across the entire PowerGen organizational structure.

The model will give PowerGen Technologies Company an understanding of how to structure sound cyber security policies and responsibilities. With it, the company will be able to define each person's mandate, from the board of directors to its customers and suppliers, in ensuring that the company's smart grid is safeguarded against malicious attacks. The model will enhance the security of the company's smart grid infrastructure, since there will be proper governing policies that support the management team in ensuring that the grid system is well secured.

COBIT 5 is a framework for the governance and management of enterprise IT that helps organizations realize value from IT by realizing its benefits while reducing the risks and resources involved. It supports proper management and governance of IT resources by identifying areas of functional responsibility and the IT interests of all stakeholders (PwC, 2016). The framework is built on the following five principles:

  • Meeting stakeholder needs
  • Covering the enterprise end-to-end
  • Applying a single integrated framework
  • Enabling a holistic approach
  • Separating governance from management

These principles define how organizations ought to structure their governance and risk management strategies. Based on them, it is clear that the proposed model satisfies the requirements of the COBIT 5 framework, as it separates the governance construct from the management construct and defines the responsibilities of each stakeholder in the energy utility sector. The model also suggests integrating cyber security strategy into the organizational plans, enabling a holistic approach and a single integrated system for curbing cyber-attacks on smart grids.

The COSO enterprise risk management framework recognizes the need to consider the organization's culture and the capabilities of each stakeholder in the organization. It recognizes that it is people who define the business strategy and objectives and implement the risk management practices, and that each person has a unique way of identifying, assessing and responding to risk. Risk management practices should therefore flow downward from the top-most level through the various business divisions, units and operations. Based on this concept, the proposed model in the article is consistent with the COSO framework, since it aims at involving all the stakeholders, from the governing to the management level, in curbing cyber-attacks on smart grid power systems.

ISO 31000 defines risk management as coordinated activities to direct and control an organization with regard to risk (Tophoff, 2018). This concept goes hand in hand with the proposed model, which considers the effort of every person in the energy utility companies in helping to improve cyber security for smart grid systems.

Mapping of the Brazilian dimensions to the three international standards:

  Brazilian dimension                        | COSO | COBIT 5 | ISO 31000
  -------------------------------------------|------|---------|----------
  Legal and regulatory basis (normative)     |  x   |         |
  Interactionist relational                  |      |         |
  Transparency and inspection                |      |         |
  Executive board                            |      |         |
  The rights of the shareholders             |      |         |
  Cyber security strategic planning          |      |         |
  Risk management                            |      |         |
  Human resources management                 |      |         |
  Asset management                           |      |         |

From the above table, showing how the dimensions relate to the three international standards, it is evident that most of these dimensions meet the international standards for risk management frameworks. The model recognizes the importance of every dimension in establishing an effective cyber security mechanism for the smart grid. These frameworks likewise recognize that organizational risk can arise in all of an organization's operations and at every level within it, and that it is therefore the responsibility of every stakeholder to work towards protecting the organization from such threats.

Considering the organizational structures of PowerGen Technologies Company and of the Brazilian energy utilities analyzed in the article, there are many similarities between the two, and the model proposed in the article should therefore work well for PowerGen Technologies. This is because the model's decision making approach highlights all the governance and management dimensions that ought to be considered when coming up with cyber security strategies. This approach, and the nine dimensions cutting across the two constructs, correspond to the setup of PowerGen Technologies Limited, making it a suitable model for the company. The company comprises two management levels, the technical and the administration divisions, similar to the two constructs used in the article's model, and its decision making therefore follows a pattern similar to that of the Brazilian utility companies.

In addition, the following recommendations will help PowerGen to improve its smart grid cyber security (Team, 2017).

  • The company should cultivate a culture of cyber security amongst all the stakeholders within the organization.
  • PowerGen Technologies should embrace a public-private partnership approach to operating the company's energy assets and infrastructure. This will bring in cyber security expertise, hence reducing cyber security risks.
  • The company should comply with international security standards. This will ensure that the cyber security framework developed for PowerGen Technologies is of good quality and effective in mitigating the cyber-attacks currently experienced.

The company should identify the ability of each stakeholder, at both the technical and the administration level as well as among its partners, to contribute to formulating proper policies and processes, so that every person's contribution is considered in a collective fight against cybercrime on its smart grid. The executive should formulate proper rules, aligned with internationally recognized standards, that everyone within the organization ought to follow, as this will help the executive provide leadership on the implementation of the cyber security strategy. The model is consistent with the international risk management standards and addresses cyber security issues at both governance and management level, as illustrated in the table above.

Conclusion

In conclusion, cyber security is a very critical aspect of managing the operations of smart grid systems in order to meet the needs of customers. Organizations should therefore formulate proper cyber security models that involve every stakeholder in the organization, as proposed in the article. The cyber security risk management model should comply with international standards such as COBIT 5, COSO and ISO 31000, and should define the responsibilities of each stakeholder based on the smart grid cyber security governance and management dimensions.

References

Aloul, F. A., 2016. Smart Grid Security: Threats, Vulnerabilities and Solutions. International Journal of Smart Grid and Clean Energy, 20 October, pp. 3-11.

Conovalu, S., 2015. Cybersecurity Strategies for Smart Grids. Journal of Computers, 25 May, pp. 303-306.

Hardy, M. W. a. M., 2018. New technologies such as smart grids, big data and business intelligence enable a more efficient use of resources in the energy industry. Recharging the energy industry with smart grids, big data and IoT, 6 November, pp. 1-6.

Morehouse, F. a., 2010. Smart Grid Security: Threats, Vulnerabilities and Solutions. Smart Grid Awareness, pp. 1-4.

OkinoOtuoze, A., 2018. Smart grids security challenges: Classification by sources of threats. Journal of Electrical Systems and Information Technology, 7 February, pp. 3-16.

Pardini, D. J., 2017. Cyber Security Governance and Management for Smart Grids in Brazilian Energy Utilities. JISTEM – Journal of Information Systems and Technology Management, 14(3), pp. 1-15.

PwC, 2016. Enterprise Risk Management: Aligning Risk with Strategy and Performance. June, 1(1), pp. 27-30.

Shapsough, S., 2016. Smart grid cyber security: Challenges and solutions. 2015 International Conference on Smart Grid and Clean Energy Technologies (ICSGCE), 19 April, pp. 3-12.

Team, S. E., 2017. Smart devices, smart grids, and cyber security. [Online]
Available at: https://www.synopsys.com/blogs/software-security/smart-devices-smart-grid-cyber-security/
[Accessed 26 August 2018].

Technologies, P., 2018. powergentechnologies.co.ke. [Online]
Available at: https://www.powergentechnologies.co.ke/index.php
[Accessed 26 August 2018].

Tophoff, V., 2018. Revised ISO 31000 Risk Management Standard: Still a Good Reference but Not Substantially Improved. A Journal of Risk Management & Internal Control, 14 March, pp. 1-5.

Tudelft, 2017. Challenges and solutions: Smart Grid Cyber Security at PowerWeb event. 2 June, pp. 1-3.

Zheng, J., 2013. Smart Meters in Smart Grid: An Overview. 2013 IEEE Green Technologies Conference (GreenTech), 5 April, pp. 1-2.