A Brave New World at the Cyber-Energy Nexus: A Case Study on Cyber Security, Resilience and Organizational Change Open Access
A Brave New World at the Cyber-Energy Nexus: A Case Study on Cyber Security, Resilience and Organizational Change is a novel and timely study that provides an in-depth exploration of one organization’s decade-long transformation to become more cyber resilient. This case study is framed by two theoretical constructs – cyber resilience and organizational change – with the goal of better understanding how changes in policies and procedures enabled an organizational transformation to take place. Organizational change theory provides a valuable lens to better understand how organizations can improve through changes in policies (French and Bell, 1990) and procedures (Weick, 1995). These theoretical lenses provide a unique perspective on some of the human factors and organizational development mechanics of cyber resilience. These aspects have not been explored in existing organizational change theory and have received only sparse treatment in the applied literature, which focuses on securing electricity infrastructure and critical infrastructures from emerging cyber threats. Beyond energy infrastructure, the exploration of organizational change provides a valuable lens to explore how to transform other critical infrastructures to become more cyber resilient. To realize the goals of this study, the researcher developed a web-based version of the electricity sector cyber security maturity model (ES-C2M2) to facilitate the collection of data and the assessment of energy utilities' cyber security resilience posture (https://esc2m2.pnnl.gov). As of December 2017, the tool had over 7,000 unique webpage visitors. The research findings suggest that this tool and methodology can help facilitate the organizational change process and improve understanding of how organizations can transform to become more cyber resilient. These findings may also inform future legislation that requires the formulation of policies and procedures to respond to complex, non-linear and evolving cyber threats.
Cybersecurity is a process, not an end state or solution. But as cyber security threats evolve and combine with challenges from other hazards (e.g. weather, natural disasters, physical attacks), a more holistic approach should help foster cyber resilience and the ability to respond rapidly to planned and unplanned cyber threats. This is especially important for critical infrastructures, such as electricity infrastructure, that are increasingly networked and digitized and are vulnerable to high-impact, low-probability cyber-physical events.