2018-118 Information Security Strategy
Date: September 7, 2018 Report No. 2018-118
INFORMAL STAFF REPORT
TO MAYOR AND CITY COUNCIL
SUBJECT:
City of Denton and Denton Municipal Electric’s strategies for securing information and
information systems
EXECUTIVE SUMMARY:
The purpose of this report is to address the Public Utility Board’s request for information regarding
the City of Denton’s and Denton Municipal Electric’s security strategies for the infrastructures
supporting its information and bulk electric systems.
BACKGROUND:
Critical infrastructure and utility providers have seen an increase in threats of information system
breaches that, if successful, could result in a considerable amount of damage to critical
infrastructure, affect public safety, and cost providers millions of dollars to cover the costs
related to the attacks. Recent news uncovered possible vulnerabilities that many U.S.-based
providers might be susceptible to, including:
• Hackers have shown the ability to electronically infiltrate control rooms of electric utilities
and can cause blackouts and other disruptions to the power grids;
• Hackers have compromised some isolated utility networks thought to be secure, and control
switches to the power grid to disrupt power flow; and
• Hackers have gained access to utility providers’ networks by compromising vendors’ and
contractors’ systems.
Although widespread catastrophic exploitation of these vulnerabilities has not occurred in the
United States, they have heightened the concerns of many citizens. To mitigate the risk of
malicious intruders, DME relies, to an extent, on the City of Denton’s Technology Services
Department for security management programs that establish a framework and continuous cycle
of activity for assessing risk, developing and implementing effective security procedures, and
monitoring the effectiveness of these procedures. The Technology Services Department has been
proactive in implementing multiple layers of protection for IT supported technologies. Over the
past year, the department has detected and mitigated approximately 1.6 billion total threats and
vulnerabilities. On average, approximately 50,000 malicious webpages are blocked per month.
Additionally, approximately 18 million emails were received at the City this past year, of which
64% were detected as spam and 3.6% were detected as malware.
Without a comprehensive security plan and industry best practices in place, even the best
systems can be compromised. Multiple security tools, practices and procedures have been
implemented during the last several years to protect the systems against unauthorized access and
viruses. Some of these include:
• Secure architecture and design validated by a third party
• Electronic and physical security controls
• Strong password policies and access controls
• Controlled use of administrative privilege
• Proactive monitoring and analysis of logs
• Annual vulnerability assessments, penetration testing and tabletop exercises
• Site and hardware redundancy that includes a backup Data Center
• Incident response plan and business continuity plan
• Comprehensive cyber security policies
• Security retainers with companies specializing in information security for rapid response
• Scheduled patch management
• Periodic social engineering exercises for staff
• Proactive cyber security training for all City employees
• Formation of an Information Security Committee, which includes members from various
departments across the City, to create a holistic approach to information security governance,
risk management, and compliance
• Other various security technologies
  o Perimeter Security: firewall, Intrusion Detection and Prevention Systems (IDS/IPS),
  demilitarized zone (DMZ) for public facing applications, e-mail scanning (anti-virus)
  o Network Security: firewall, web proxy, wireless security, enterprise remote access,
  security information and event systems
  o Endpoint Security: desktop firewall, anti-virus, patch management, local security
  policies
  o Application Security: application testing, code review, database monitoring
  o Data Security: drive encryption, data archive, data wiping, data classification, identity
  access management
Additionally, the operations at Denton Municipal Electric (DME) add another layer of security
through its Compliance Program regulated by the North American Electric Reliability
Corporation’s (NERC) Critical Infrastructure Protection (CIP) Standards, which are designed to
increase the security and reliability of the Bulk Electric System (BES). The NERC CIP
Standards cover many areas that are typically considered in many Cyber Security programs
across the industry, such as:
• Identifying the level of impact on each BES Cyber System to ensure appropriate controls
and protection are in place
• Implementing security management controls to minimize the opportunity for
misoperation of the BES
• Implementing appropriate training for all employees
• Securing electronic and physical perimeters
• Evaluating and installing security updates and patches to all applicable systems
• Ensuring the latest virus signatures/definitions are installed on antivirus applications,
intrusion detection systems, and firewalls
• Testing of incident response and disaster recovery plans on a regular basis to ensure any
downtime is minimized
• Tracking and managing all changes to the BES system, and ensuring that no changes go
undetected
• Enforcing a strict information security policy specific to working with BES
DME also employs annual cyber security training, specific to its critical infrastructure security and
protection program, for employees working in or with BES Cyber Systems and will soon
implement a compliance software system to increase efficiency and effectiveness in its
compliance management program.
Although DME has taken due care to protect its ratepayers and citizens through these programs,
DME can only protect what it has actual operational control over. DME, like every other utility,
must also rely on its neighboring interconnected utilities that are part of the ERCOT network to
do their part.
Overall, the City of Denton is committed to safeguarding its assets. Although it is
hard to predict and foresee every possible threat, companies that implement a comprehensive
information security program increase their chances of protecting physical assets, employees and
customer data if a dangerous situation arises.
STAFF CONTACT:
Melissa Kraft
Chief Technology Officer
(940) 349-7823
Melissa.Kraft@cityofdenton.com

George Morrow
General Manager, Electric Administration
(940) 349-8487
George.Morrow@cityofdenton.com