Cybersecurity: A framework for
Ever-Green Energy shares how it developed its cybersecurity program –
and lessons learned.
Tom Thomalla Jr., Senior Information Technology Manager, Ever-Green Energy
manage and audit their cybersecurity
programs. This includes deciding who
is responsible for responding to issues,
including major security breaches, if and
when they arise. From the beginning, the
support of organizational leadership is essential to ensure that proper investments
can be made and that the protocols will
be followed throughout the organization.
This consistency is critical to the success
of a cybersecurity program.
Policies and procedures are often
thought of together, or even treated interchangeably, but they are different. A
policy dictates that you must do something, and a procedure explains how to do
it. In the context of district energy operations, for example, a policy might dictate
delivering 42 degree F chilled water; a
procedure would explain the steps to deploy chillers to deliver that service. With
regard to cybersecurity, a policy example
would be requiring strong passwords to
combat the threat of common password-cracking
methods; the corresponding procedure would provide guidance for setting passwords with specific
characters and complexity.
Once a cybersecurity program is established,
policies should not need to be
changed very frequently, whereas procedures
will need to be more dynamic as
threats and technology change.
With these basics in mind, and leadership support in place, development
of a cybersecurity program can begin.
First, a risk assessment should be initiated. This will look at what you have
in place (computers, servers, network
equipment, as well as physical security,
data and processes) and see how threats
may be able to leverage any vulnerabilities that may exist, while reviewing any
protection mechanisms that are in place.
Conducting a risk assessment can be an
entirely overwhelming experience, producing a long list of actions that need to
be prioritized to protect critical system
functions. Risk assessments are essential,
however, as they will help create your
cybersecurity policies and procedures.
From there, the cybersecurity program will need to be implemented, with
the expectation that not everything can
be mobilized in year one. Management
of staff time, budgets and scope is critical to success. Alongside protocol changes, it is essential to establish tools and
metrics to track and assess the program
as it evolves: Are users following procedures? Is training improving awareness
and alignment with best practices? Is the
district energy system safer?
In addition, it is important to consider
how security measures can benefit the
business, such as by making processes
more efficient. Showing security benefits
to the business is part of an ongoing
discussion within the security field, as
exemplified by “single sign-on” function-
Ever-Green Energy has been navigating
this territory, creating and implementing
a cybersecurity program for its diverse
operations, including municipally owned,
private urban and medical campus district
energy systems. The lessons it has
learned in its decade or so of cybersecurity
development may help other system
owners and managers build evaluation
tools and set priorities for their own op-
SHAPING YOUR APPROACH
Cybersecurity can be a vast topic
with critical implications for the businesses it affects. To narrow it down for this industry, it is important to start with a look
at the essential components of cybersecurity programs serving district energy
systems: program authorization, policies
A very basic first step for system
managers is determining who within their
organizations is authorized to establish,
Courtesy Ever-Green Energy.
District Energy St. Paul, on the Mississippi River, operated and managed by Ever-Green Energy.