Journal of Information Systems and Technology Management – Jistem USP
Vol. 14, No. 3, Sep/Dec., 2017, pp. 385–400
ISSN online: 1807-1775
DOI: 10.4301/S1807-17752017000300006
Published by TECSI FEA USP, Brazil – 2017
www.jistem.fea.usp.br
Manuscript first received: 2016/Dec/17. Manuscript accepted: 2017/Dec/16

Address for correspondence: Daniel Jardim Pardini, Full Professor, Doctoral and Master's Programs in Administration and in Information Systems and Knowledge Management, FACE, FUMEC, MG, Brazil.
Astrid Maria Carneiro Heinisch, Researcher and Business Manager at FITec Inovações Tecnológicas, FACE, FUMEC, MG, Brazil.
Fernando Silva Parreiras, Professor and Coordinator of the Doctoral and Master's Program in Information Systems and Knowledge Management at FACE-FUMEC, MG, Brazil.

*Best Paper Award - Information Management Track in SEMEAD - Management Conferences, 2016, FEA-USP, Brazil

CYBER SECURITY GOVERNANCE AND MANAGEMENT FOR SMART GRIDS IN BRAZILIAN ENERGY UTILITIES

Daniel Jardim Pardini https://orcid.org/0000-0003-0422-1639
Astrid Maria Carneiro Heinisch https://orcid.org/0000-0003-1092-9780
Fernando Silva Parreiras https://orcid.org/0000-0002-9832-1501
Universidade Fumec, FACE, Belo Horizonte, MG, Brasil

ABSTRACT

Cyber security in critical infrastructures has aroused the interest and concern of energy utilities, government, regulatory agencies and consumers, as well as of academic and research institutions. While the vulnerability of cyberspace is prominent and increases the risk of attacks on the organizational environment, research leading to alternatives for the governance and management of these critical structures is still incipient. This study aims to build a theoretical-empirical model of cyber security governance and management and to test it with academic experts and professionals from the energy sector. Using the Delphi method and statistical techniques for validation, an assessment instrument was developed based on two constructs, governance and management, and on nine dimensions with their respective variables, which allowed an analysis of the situation of Brazilian energy utilities regarding the protection of their cyberspaces. The article contributes on two fronts: a conceptual and empirical one, as it expands and systematizes knowledge about aspects of the governance and management of cyberspaces; and a methodological one, as it proposes a way of measuring those dimensions in energy utilities.

Key words: Governance, Management, Cyber Security, Operational Risk, Smart Grids.
* http://creativecommons.org/licenses/by/4.0/deed.en

INTRODUCTION

Besides the extensive literature of a technical and normative nature that deals with the critical technological structures protecting security systems in organizations, studies on cyber security governance and management are practically unknown, especially in the energy sector. Energy provisioning is considered an essential service and a key element for improving the population's quality of life, enhancing social inclusion and sustainable development (Coutinho, 2007). As the demand for energy has been rising at a higher rate than its capacity, it is noticeable that over the last 50 years the worldwide energy provisioning system has relied on technologies developed in the 1940s and 1950s as its foundation, which frequently leads to saturation of the system (Gellings, 2009). Many actions have been taken in an attempt to modernize the energy sector and mitigate the risk of power outages. Among them, the implementation of smart grids, the object of the present study, stands out, aiming to make electric grids more resilient, safer, more efficient and more reliable in the future. Smart grids consist of the increased use of digital information and control technology to improve the reliability, security and efficiency of the electric grid (MIT, 2011). The security of smart grids, also called critical infrastructures, in their physical and operational layers follows the traditional means of protection. However, it is in the cybernetic layer, the technological infrastructure for monitoring the transmission and distribution of electric grids, that the major concerns of the service providers of the electric sector can be found.
This is due to increasing system vulnerabilities and to the fact that it is unknown whether organizations would be prepared to face these threats (Coutinho, 2007). It is notorious that a well-defined theoretical basis is still absent, especially for the conceptions of corporate governance and management within the scope of cyber security. The research question arises from this conceptual gap: what would be the dimensions of corporate governance and management in energy utilities for the cyber security of smart grids? The intention, therefore, is to broaden knowledge of the management of this new conception of electric energy. This paper aims to identify, evaluate and describe the dimensions of cyber security governance and management in Brazilian energy utilities with regard to smart grids. This article covers the conceptual framework of the smart grid environment, the conceptions of governance and management in cyberspace and their dimensions, the theoretical-empirical model and the research methodology, the validation and application of the model to Brazilian energy utilities, and the conclusions of the study.

THE CONTEXT OF SMART GRIDS: THE CYBERSPACE AND THE THREATS POSED TO ORGANIZATIONAL ENVIRONMENTS

A smart grid is a system for electric grid transmission and distribution that uses remote sensing, monitoring, bidirectional communication and control systems distributed across the energy supply (Newton's Telecom Dictionary, 2009). The control system of the electric grid incorporates information and telecommunication technologies intended to monitor the entire energy value chain: generation, transmission, distribution and consumption (MIT, 2011; NIST, 2010; Sorebo & Echols, 2012).

To ensure the reliability and operational efficiency of smart grids, the utilities involved must dynamically optimize resources and operations in the network with a view to cyber security, developing and incorporating real-time, automated and interactive technologies aimed at energy demand and generation, using technologies for peak shaving and advanced energy storage, and providing relevant information about the measurement of energy consumption and control options to the consumer (MIT, 2011). In addition to consumers and energy utilities, the stakeholders in the implementation and application of smart grids are the regulatory agencies, service providers, information technology developers, and research and development (R&D) institutions (Momoh, 2012). Identifying and mapping the interactions between the organization and its stakeholders can help in understanding the roles that stakeholders and other elements play in organizational risk. Hatch & Cunliffe (2013) identify three components that explain the dynamics of interaction between the organization and its environment: the interorganizational network, the general environment and the global international environment. In the interorganizational network, any organization interacts with other organizations to hire employees, secure working capital, gain knowledge, or structure, rent or purchase infrastructure and equipment. The general environment comprises the dimensions that directly or indirectly affect organizational activities: social, cultural, legal, political, economic, technological and physical variables. The global international environment includes aspects beyond national boundaries, those organized at a global scale; here the emphasis is on the institutions that handle common interests across diverse general environments (Hatch & Cunliffe, 2013).
If we define the environmental layers of the cyberspace of smart grids in energy utilities, we obtain the scheme presented in Figure 1, with the respective threats from external environments. The cyber environment is conceived as the collection of information and communication technology (ICT) infrastructures of an organization, including the Internet, telecommunication networks, computer systems, personal devices, embedded sensors, processors and controllers (Bodeau et al., 2010). Given this context, two major components of the cyber environment can be identified: the communication network that carries the data of the control system and controls the actual physical processes, and the internal computer network used for non-critical operations and administrative tasks (Aitel, 2013). Besides these two infrastructures, it is important to include the operational data referring to critical organizational processes. The criticality of the information is also reflected in the criticality of the assets involved in the data exchange, also called critical cyber assets. These are the assets that contribute to raising the level of automation and system intelligence, although they become more exposed to the actors in this environment (ANSI, 2009; Bodeau et al., 2010; MIT, 2011; NIST, 2010; Sorebo & Echols, 2012). By integrating their infrastructures with the cyber environment, organizations create an area of intersection between the organizational environment and the cyber environment and thereby become subject to external threats, which differ in many respects from those addressed by organizational environment approaches. Table 1 presents a taxonomy of operational risks that might affect the cyberspace.

Table 1. Taxonomy of cyber operational risk

Actions of People
    Inadvertent: Errors, Mistakes, Omissions
    Deliberate: Fraud, Sabotage, Theft, Vandalism
    Inaction: Skills, Knowledge, Guidance, Availability

System and Technology failures
    HW: Capacity, Performance, Maintenance, Obsolescence
    SW: Compatibility, Configuration management, Change control, Security settings, Coding practices, Testing
    Systems: Design, Specifications, Integration, Complexity

Failed Internal Processes
    Process design or execution: Process flow, Process documentation, Roles and responsibilities, Notifications and alerts, Information flow, Escalation of issues, Service level agreements, Task hand-off
    Process control: Status monitoring, Metrics, Periodic review, Process ownership
    Supporting process: Staffing, Funding, Training and development, Procurement

External events
    Disasters: Weather events, Fire, Flood, Earthquake, Unrest, Pandemic
    Legal issues: Regulatory compliance, Legislation, Litigation
    Business issues: Supplier failure, Market conditions, Economic conditions
    Service dependency: Utilities, Emergency services, Fuel, Transportation

Source: Adapted from Cebula &
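As an added illustration, not code from the paper or from the taxonomy's authors, the following Python encodes the four classes, subclasses and elements of Table 1 and tallies an incident register against them. It shows two things a utility's risk function gets from such a taxonomy: a record that names an attack vector rather than a risk cause (the taxonomy classifies by cause) is rejected instead of silently miscounted, and subclasses with no recorded incident are listed so the register's blind spots can be questioned. The incident identifiers and entries are constructed sample data.

```python
"""Tally incident records against the taxonomy of cyber operational risk in Table 1.

TAXONOMY is transcribed from the table; SAMPLE_REGISTER is constructed data
for demonstration only (hypothetical incident ids, not figures from the paper).
"""
from collections import Counter

# Class -> subclass -> elements, as in Table 1.
TAXONOMY = {
    "Actions of People": {
        "Inadvertent": ["Errors", "Mistakes", "Omissions"],
        "Deliberate": ["Fraud", "Sabotage", "Theft", "Vandalism"],
        "Inaction": ["Skills", "Knowledge", "Guidance", "Availability"],
    },
    "System and Technology failures": {
        "HW": ["Capacity", "Performance", "Maintenance", "Obsolescence"],
        "SW": ["Compatibility", "Configuration management", "Change control",
               "Security settings", "Coding practices", "Testing"],
        "Systems": ["Design", "Specifications", "Integration", "Complexity"],
    },
    "Failed Internal Processes": {
        "Process design or execution": [
            "Process flow", "Process documentation", "Roles and responsibilities",
            "Notifications and alerts", "Information flow", "Escalation of issues",
            "Service level agreements", "Task hand-off"],
        "Process control": ["Status monitoring", "Metrics", "Periodic review",
                            "Process ownership"],
        "Supporting process": ["Staffing", "Funding", "Training and development",
                               "Procurement"],
    },
    "External events": {
        "Disasters": ["Weather events", "Fire", "Flood", "Earthquake", "Unrest",
                      "Pandemic"],
        "Legal issues": ["Regulatory compliance", "Legislation", "Litigation"],
        "Business issues": ["Supplier failure", "Market conditions",
                            "Economic conditions"],
        "Service dependency": ["Utilities", "Emergency services", "Fuel",
                               "Transportation"],
    },
}

# Reverse index: normalised element name -> (class, subclass).
ELEMENT_INDEX = {
    element.lower(): (cls, sub)
    for cls, subs in TAXONOMY.items()
    for sub, elements in subs.items()
    for element in elements
}


def classify(element):
    """Map a Table 1 element (case/whitespace-insensitive) to (class, subclass).

    Raises ValueError for anything that is not an element of the taxonomy, e.g.
    an attack vector: the taxonomy classifies by cause of risk, not by technique.
    """
    key = " ".join(element.lower().split())
    try:
        return ELEMENT_INDEX[key]
    except KeyError:
        raise ValueError(f"not a Table 1 element: {element!r}") from None


def summarize(register):
    """register: iterable of (incident_id, element) pairs.

    Returns (incidents per class, incidents per (class, subclass),
    ids of records that could not be classified).
    """
    per_class, per_sub, rejected = Counter(), Counter(), []
    for incident_id, element in register:
        try:
            cls, sub = classify(element)
        except ValueError:
            rejected.append(incident_id)
            continue
        per_class[cls] += 1
        per_sub[(cls, sub)] += 1
    return per_class, per_sub, rejected


def uncovered_subclasses(per_sub):
    """Subclasses with no incident recorded: candidates for a blind spot in the register."""
    return sorted((cls, sub) for cls, subs in TAXONOMY.items() for sub in subs
                  if (cls, sub) not in per_sub)


# Constructed sample register (hypothetical incidents, not from the paper).
SAMPLE_REGISTER = [
    ("INC-001", "Configuration management"),
    ("INC-002", "Security settings"),
    ("INC-003", "Weather events"),
    ("INC-004", "Omissions"),
    ("INC-005", "Supplier failure"),
    ("INC-006", "Notifications and alerts"),
    ("INC-007", "Malware"),  # a vector, not a Table 1 element: rejected
]

if __name__ == "__main__":
    per_class, per_sub, rejected = summarize(SAMPLE_REGISTER)
    for cls, n in per_class.most_common():
        print(f"{n:2d}  {cls}")
    print("unclassified records:", rejected)
    for cls, sub in uncovered_subclasses(per_sub):
        print("no incident recorded for:", cls, "/", sub)
```

Rejecting "Malware" rather than guessing a class is deliberate: the underlying cause of a malware incident may be a deliberate action of people, a software security setting or an inadvertent error, and that is the analyst's call to record, not the tally's.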