FiliiSolis is a 2-year-old, Bay Area startup commercializing several newly patented solar power technologies that will revolutionize the home and portable solar energy industry. A FiliiSolis basic system includes highly efficient yet stylish, flexible, and lightweight panels and a bi-directional inverter that can be easily incorporated into existing structures, RVs, even cars, at a much lower price than competitors. While these systems are cutting edge and selling well, FiliiSolis’s most distinguishing product is its compact battery. FiliiSolis batteries enable off-grid systems and allow grid-tied customers to save money by purchasing electricity when it’s cheapest (often in the middle of the night in tier-cost municipalities) and then running off battery power when grid power is expensive. Unlike traditional, battery-free solar systems, FiliiSolis systems provide electricity during grid blackouts and allow customers to save the power their solar arrays generate during daylight hours for later use, a particularly valuable feature in areas where customers cannot sell their excess solar power back to utilities. FiliiSolis batteries are lighter, safer, and lower cost than those offered by competitors. Further, the batteries scale up better than other storage, suggesting that much larger applications are possible.
All of the company’s solar installations (panels, inverters and batteries) are smart technologies able to track panel energy generation, battery levels, and household consumption. Although the company has not previously leveraged the possibilities of these technologies, they are now enabled and are transmitting data back to the company. With this data FiliiSolis can:
- Track usage by customer to present up-sell and cross-sell opportunities
- Aggregate data across customers to provide insights into optimal panel configurations and weather impacts, predict energy needs, and analyze trends.
- Track performance metrics to quickly diagnose equipment malfunctions or damage.
Although many safeguards built into the batteries and inverters are automatic, FiliiSolis can control its smart solar installations remotely, enabling remote emergency shut-off, load balancing between batteries during high-generation times, and sell-back of electricity to utilities at peak-price times (where permitted). FiliiSolis customers can receive updates on a FiliiSolis mobile app to better understand their peak energy use and generation times. Customers can also connect the FiliiSolis app to other smart household apps to automatically adjust temperatures, shut off or dim lights, etc. based on energy usage during peak times.
Currently FiliiSolis has 46 employees. The company recently received venture capital backing supporting 12 months of operating cost, but its coffers aren’t overflowing. The firm’s owners are planning for an IPO next year. The US government is also interested in FiliiSolis batteries as a means to limit national grid imbalances caused by the sporadic nature of power generated by renewable sources. Although FiliiSolis has submitted a grant application to the NSF for research funding to scale up their batteries for industrial use, funding is not guaranteed. The firm is currently run by two partners: the CEO, an engineer who developed the company’s technologies, and his brother the CFO, an MBA who runs the business side of things.
You have just been hired by FiliiSolis’s one IT guy, Bob, to run the company’s cyber risk management program. Almost immediately you realize that the company has no cyber risk management plan, policies, or education in place. In fact, it seems that during its rapid growth FiliiSolis has largely ignored cybersecurity issues, so in reality you’re not running a cyber risk management program, you’re creating it. The firm uses traditional office technologies and, according to Bob, FiliiSolis has a variety of technical assets. Each office employee has a desktop computer; 5 sales personnel have work-provided netbooks/tablets which they use to create bids and take orders; 14 field (installation and service) employees have work-provided tablets which they use to store customer information and to review order details, installation plans, and service contracts. As with many start-ups, working long hours from home is also common among the company’s sales, development, and management staff. These employees check work email on smartphones and use company laptops to work remotely from home and from the road. Bob has set up a company VPN to allow secure remote access to the company’s data and internal email server, but employees complain that it causes work delays. Enforcement and training on VPN use are nonexistent. Many employees across the company regularly connect personal devices to internal networks. BYOD is a free-for-all with no company device restrictions, policies, or controls.
The company has two web servers with basic application firewalls, but patches and updates to the signature files are 6 months behind. The company also has a website that employs SugarCRM to function as an employee HR portal (for clocking hours, successful sales, and managing benefits) and as a marketing portal for field reps (sales info and lead management). The company’s website also allows residential customers to order new solar packages, upgrades, and add-on services via credit card and to schedule installation/service visits online. The website has access to the company’s internal cloud, used for backup, but there is no data encryption.
Much of the company’s data is centrally stored in a data warehouse which includes three levels of user privileges: administrator, executive and base_user. The first of these has access to everything (read and modify privileges on all files and software) and has been granted to only Bob and the two partners. For reasons you don’t understand, most of the company’s employees have been given executive privileges, which allow read and modify rights to all files/data and access to the cloud backup. Payroll is managed in-house. Legal counsel is outsourced to a local law firm.
The company is actively selling its solar products and installation/maintenance services to both commercial and residential customers. They accept both checks and credit cards for purchases. Credit card numbers are stored in a customer database, saved to the data warehouse, for billing ongoing service contracts. The company’s solar technologies, prior bids, and bid creation processes are proprietary. The company’s sustained growth warrants automation of material procurement for all of the products it manufactures on-site (batteries, solar panels, inverters) as well as the support products it does not manufacture in-house (cables, panel support brackets, wiring, etc.). A pull (demand-based) supply chain management system will require an integration of FiliiSolis’s inventory systems with those of its trusted suppliers.
Your boss, Bob the IT guy, is quite competent and knows the company’s cybersecurity posture isn’t good, but all of his time is devoted to keeping the networks and hardware that support sales up and running. Further, he’s never created a cyber risk management program from scratch. Thus far the company has been lucky, but recently users have complained about slow loading times for files stored on the cloud and the website seems buggy. An increase in early-morning network traffic is also concerning. It’s your job to figure out what’s happening and then create and implement a cyber risk management plan for the firm.