A Midwest Electric Utility uses CIS Controls as their Cybersecurity Foundation
The Midwest electric utility is a not-for-profit member-owned electric distribution system, serving more than 47,000 active accounts in a 10-county area in North Dakota. We spoke with the VP of Information Technology and CIO with nearly 32 years of service with the utility, about how the CIS Controls are used in the organization. The VP/CIO stated, “The CIS Controls have been our foundation for a security roadmap over the last couple of years.”
Adopting the CIS Controls
When asked why they selected the CIS Controls, the VP/CIO stated, “At the time we were looking to change and update the controls we were using currently. At the advice of our auditor, we were told to look at the CIS Controls for our environment because they would be a lot more manageable compared to the NIST framework. At that point, we started getting more acquainted with the Controls and learning more about them and have been enthusiastic supporters ever since.” The VP/CIO explained the likeability about the CIS Controls saying,
“What I really appreciate about the CIS Controls is that they are a standard and a best practice that helps us with our roadmap. Adopting the CIS Controls also assists us in budget planning and decisionmaking about where we should allocate time and effort towards our security posture.”
The VP/CIO has seen quite a transition over the last 30 years with the utility. He noted, “It is a fun trip down memory lane to see how the IT and security environment evolved, from creating a network, having modems on desktops, installing routers, firewalls, etc.” For close to 15 years, the utility has had an established relationship with a global managed security services provider that provides monitoring, alerts, and updates as part of their service. They also rely on a trusted local IT solution provider to provide network security appliances and expertise to implement the CIS Controls. “We have improved our security posture every year with new technology and defenses,” stated the VP/CIO.
By using the CIS Controls internally as a gap analysis tool, priorities are set for the information technology roadmap which feeds into their annual budget process. After creating a 4-year plan, the utility is finishing its second year with the CIS Controls implementation. While they have found that some areas may have been extended slightly they are still on target with their short and long-term goals for improving their cyber maturity as part of their commitment to their members and community.