How Uplight Is Reducing Security Risks Amid Growing Threats to Energy IT Infrastructure

By Alex Wood on


Energy powers our lives, and without it we are literally in the dark, which makes it critical that our energy infrastructure is reliable and available.

Like every other industry, the utility power industry has gone digital, leveraging smart meter data to understand utilization and personal data to support engagement, behavior change, and personalization. One of the greatest threats to the industry is cyber attacks that could cause availability problems or a loss of control over this personal data. This post explores some of those threats, the changes in the regulatory landscape intended to protect personal data, and what Uplight is doing as a partner to the industry to protect the data it is entrusted with.

The energy industry has experienced a surge in cyber threats, with incidents ranging from ransomware attacks to sophisticated intrusions. The compromise of SolarWinds software is one example, where sophisticated nation-state attackers were able to install a backdoor in utility networks, exposing critical vulnerabilities in the supply chain. This and other incidents have led to heightened awareness and a desire for better preparation, such as the recent two-day simulation organized by the North American Electric Reliability Corporation (NERC) to test response to and recovery from cyber attacks.

Additionally, the rise of ransomware attacks targeting utilities has become a significant concern. The Colonial Pipeline ransomware attack in 2021 demonstrated the potential for cyber incidents to disrupt energy supplies and to affect our economy, national security, and public safety. These events underscore the urgency for the utility power industry to fortify its defenses against evolving cyber threats.

Regulatory bodies play a crucial role in shaping cybersecurity and privacy practices within the utility power sector. The NERC Critical Infrastructure Protection (CIP) standards, for instance, establish mandatory security requirements for certain utility systems, and the NIST Cybersecurity Framework was created to help critical infrastructure operators improve their cyber risk management practices and maturity. The General Data Protection Regulation (GDPR) set the standard for protecting consumer data and led to multiple US state privacy regulations, including the California Consumer Privacy Act (CCPA), the reinforcing California Privacy Rights Act (CPRA), and the Colorado Privacy Act (CPA). These standards provide the details and blueprints for addressing potential threats.

As a partner to utility companies, Uplight navigates an increasingly complex data privacy landscape, including adherence to new consumer rights such as correcting personal information and limiting the use of sensitive data, which has necessitated internal and external modifications for compliance. Additionally, we must adapt to each state’s unique requirements, including data access, correction, deletion, and portability. The sector’s energy usage data requires enhanced data security and consent mechanisms to comply with these diverse regulations.

The trust that our customers place in us means we must handle customer data securely and in accordance with the various state laws, which is particularly demanding for companies operating in multiple states and countries. The challenge for Uplight is not just compliance with federal and state law but also maintaining the agility to adapt to evolving legal requirements in data privacy and protection.

In addition to the enhancements in our data privacy program, Uplight has continued to put significant effort into our Information Security program including:

  • Expansion of our dedicated Security team, adding subject matter experts to augment our already strong team of security professionals and to keep pace with our growing organization.
  • Upgrades to our endpoint protection, including deploying a leading Endpoint Detection and Response (EDR) tool that provides advanced detection and prevention of malware, including the tools used by ransomware actors.
  • Engaging an industry-leading Managed Detection and Response (MDR) provider for enhanced security and 24×7 coverage. While we’ve expanded our internal team, we still can’t be everywhere all the time; our MDR provider serves as an additional, dedicated set of subject matter experts monitoring our security logs and events around the clock.
  • Producing SOC 2 reports every year of Uplight’s existence, providing independent validation of our control effectiveness. Having a third party audit and attest to our SOC control environment means you don’t just have to take our word that we’re performing well.
  • Performing multiple third-party penetration tests. In addition to third-party SOC testing, we have technical penetration testers look for potential vulnerabilities multiple times a year.


Uplight takes its responsibility to protect the security and privacy of data seriously. I am excited to lead Uplight’s continuing efforts to improve and mature our information security and privacy practices as a strong partner for our utility clients.
