Transmitting high voltage electricity to a service area of nearly 80,000 square miles in five states is no small accomplishment. International Transmission Company dba ITC Transmission is a wholly-owned Subsidiary of ITC Holdings Corp. Headquartered in Novi, Michigan, ITC began operations in 2003 and was the nation’s first fully independent electric transmission business. Today, ITC is the nation’s largest independent electric transmission company serving central United States and some international markets in Canada. ITC Transmission and two other subsidiaries together control approximately 15,000 circuit miles of overhead and underground transmission lines, carrying more than 25,000 megawatts (or 25 billion watts) of electric power to a population of more than 13 million people.
As a publically traded organization, ITC is bound not only by specific compliance regulations but also by an inherent shareholder responsibility to maintain a strong security posture and mitigate security risks across the organization. Protecting their information and critical field assets from a potential breach is one the organization’s top priorities. Like many organizations, ITC faces a number of challenges including budget constraints, a growing reliance on technology to manage their critical infrastructure, increased pressure to enforce NERC/CIP regulations for cybersecurity assets, and increased workload with limited resources. As one option to address these expanding needs, ITC considered adding more security professionals to support their growing security program… a difficult sell to upper management.
Managed Security Program
Early last year, ITC approached its security partner, VioPoint, to discuss alternatives that would help align security with their business objectives. ITC Transmission engaged VioPoint’s Security Managed Program approach to establish an overall framework for managing risk. “We lacked the internal security expertise that was required to execute a solid security program,” says Mike Pokas, Director of Information Technology Services for ITC Transmission. “Being able to tap into the expertise and knowledge possessed by VioPoint’s security staff has helped us to overcome this current knowledge shortfall.”
VioPoint’s Security Managed Program utilizes a maturity based approach that begins by understanding the current security posture of an organization. By completing a simple online self-assessment survey, the organization establishes a baseline risk score. Once the baseline has been established VioPoint, develops a detailed strategy and roadmap to help the organization achieve their desired security posture. The roadmap consists of individual projects that will improve the organization’s risk posture. Over the course of a 12-36 month engagement, VioPoint provides the expertise and resources to deliver the defined projects.
After completing the first of a three year program, Pokas is committed to the approach and expertise provided by VioPoint’s managed security program, “I was able to see the value of the program immediately. The expertise and experience exhibited by VioPoint have been invaluable to me. It is easy to get buried in the thousand other internal priorities and lose sight of some important issues, such as cyber security. Having an outside resource to keep us focused has provided a lot of value.”
“Even though our consultant is from an outside organization, he has been recognized as someone possessing a substantial amount of security experience. He has introduced several program elements that we hadn’t thought of here,” added Pokas.
Moving forward ITC continues to improve their security program. “My advice to other organizations looking at a managed security program is to definitely explore the idea as it could be of great value to your organization,” advised Pokas.