The power and utilities (P&U) sector is going through one of the most transformative stages since its inception. Behaviors are shifting, governments and consumers alike are demanding cleaner energy, and evolving technologies drive a more decentralized and increasingly digital model. How utilities succeed in making the transition will depend on how effectively they manage their most important risks.
According to our Risk Pulse survey, utilities rank business interruption from cyber attack, storms and catastrophic events as the most important risk today and in a future energy world. But security risks are constantly evolving, as the attack surface keeps getting larger across physical assets, digital infrastructure and business processes. It is becoming increasingly challenging for utilities to map the digital environment in which they operate and their interactions with it.
Connected devices that can collect vast amounts of personal data (e.g., smart meters) and the rise of the Internet of Things (IoT) add to the complexity of managing security across the transforming P&U ecosystem. Legacy systems that were designed to operate in internal segregated or closed networks are increasingly interfacing and converging with IP-based networks to improve efficiencies in administration and monitoring.
This ever-expanding digital ecosystem, with potentially millions of networked access points, is exposing utilities to more sophisticated and frequent cyber attacks, which have the potential to disrupt critical infrastructure and breach customer and employee privacy. Governments around the world have moral obligations to provide access to power and clean water, and utilities are tasked with fulfilling these obligations. Yet, they cannot do so if they leave themselves, and the critical infrastructure they manage, open to attack.
Utilities are particularly attractive targets for highly sophisticated state-sponsored actors in politically unstable regions looking to gain a political or monetary advantage. Hacker group Dragonfly 2.0 is an excellent example. A leading security firm recently warned that state-linked hackers were gaining access to US and European power grid operations — to the point where they could produce power blackouts anytime they wanted.
“The cyber attack surface has significantly increased through advances in automation and connected devices. Combined with the commercialization of attack tools that were once limited to a nation state’s arsenal, and you have the ingredients for significant disruption.”
Matt Chambers, Global P&U Protecting the Enterprise Lead, EY
Preparing to confront cyber threats
Mounting threat levels have pushed utilities to take a more robust approach to security, but there is significant room for improvement, especially in convergence with strategic planning.
EY’s Global Information Security Survey (GISS) 2017-18 reveals that only 6% of P&U respondents are confident that they have fully considered the information security (IS) implications of their current strategy and that their risk landscape incorporates and monitors cyber threats, vulnerabilities and potential impacts. A further 41% have either made a recent change or are about to make a change to their current strategy and plan to consider IS implications, risks and threats.
But worryingly, over half (53%) of P&U respondents either do not appreciate or have only partially considered IS implications, risks and threats in their strategy and do not have plans to change their current course. In addition, 71% think present IS functions are not meeting expectations.
The GISS digs deeper: 62% of respondents believe that an attack that did not cause harm would be unlikely to prompt an increase in budget. Yet, according to a recent report, it takes an average of 99 days for organizations to detect an intrusion. To confront cyber threats, utilities should assume that all attacks cause harm, even if the impact is not immediately obvious.
At the very least, there will be a cost associated with responding to the event. Often, the people responsible for security lack influence with senior management and struggle to articulate the risk in order to obtain additional investment. This reinforces the need to elevate security to an enterprise-level risk and make it an integral part of the utility’s overall strategy.
Understanding the complex cyber threat landscape
The first step for utilities seeking to enhance their security ability is to develop a better understanding of the threats they face and what they mean for the business.
Enterprise domain risks
Utilities are using advanced systems for real-time business intelligence and predictive analytics to fully tap the wealth of actionable information available in the growing volumes of data they manage. Threats associated with the collection, storage and analysis of big data, and the growing interdependencies between physical assets and information and operations technology (IT and OT) systems, have elevated the importance of security as an enterprise-level risk.
Grid and network infrastructure risks
The increasingly connected and complex nature of industrial control systems (ICS), including supervisory control and data acquisition (SCADA), makes them challenging to secure and vulnerable to cyber threats. OT assets that need to maintain 24/7 uptime face challenges in applying security upgrades and mitigating vulnerabilities. In addition, the growth in smart electric, gas and water networks and associated digitally enabled technologies is creating new points of entry for cyber attackers.
Customer domain risks
Growth in disruptive behind-the-meter technologies, including electric vehicles (EVs), smart appliances, the IoT and Future Internet of Things (FIoT), and distributed energy resources (DERs) such as web-enabled solar, batteries and home energy management systems, is further expanding the cyber attack surface across the P&U ecosystem. The use of smart metering data to enhance billing systems, better understand consumption patterns and ultimately improve user experience also increases the amount of information held by organizations, including utilities, third parties and aggregators. This multi-ownership of data is making management of customer privacy even more challenging, especially with increased regulatory pressures such as the European Union’s General Data Protection Regulation coming into effect from May 2018.
To build resilience, utilities must assume the worst can happen
According to the GISS, employees, hacktivists and state-sponsored attackers are seen as the greatest immediate threats. Utilities are also increasingly fearful about nefarious actors exploiting vulnerabilities within new digital channels and tools.
Utilities face enormous challenges in identifying suspicious behavior, tracking who has access to their data, and finding hidden and unknown “zero-day” attacks. In addition, P&U organizations are not sufficiently addressing their ability to recognize and manage this new enterprise risk — 63% of P&U respondents say they don’t have a dedicated role within the security function focused on digital and the IoT.
In addition, each device connected to the network represents a target for attackers that needs to be secured, and each social media interaction with customers creates vectors for potential phishing attacks or other malicious targeting. According to the GISS, 49% of P&U respondents consider IS around social media to be a high priority. In fact, almost half (48%) agree that their risk exposure has increased over the past 12 months. This is a significant uplift vs. the previous year, when only 8% agreed, reflecting the growing importance of the role that social media plays in a utility’s communications strategy.
With growing interdependence and interconnectivity of critical infrastructure across multiple sectors, cybersecurity is becoming increasingly challenging. A majority (58%) of P&U respondents find it hard to monitor the perimeter of their ecosystem vs. only 36% across all sectors. The rise of microgrids and DERs, as well as an increasingly fragmented energy value-chain with multiple new entrants and systems, often spanning numerous countries, make it difficult to understand and manage the risk, including where responsibility ultimately lies. Also, separate organizational governance of IT vs. OT can lead to a disjointed approach where security monitoring is often overlooked.
“With so many disparate threats, utilities must recognize that cybersecurity needs to be treated not only as an IT-related concern but as a whole-enterprise priority.”
Alex Campbell, Associate Partner, Ernst & Young LLP
Fighting back against the threat
Utilities may feel more confident about confronting the types of threat that have become familiar in recent years, but still lack the capability to deal with more advanced, targeted assaults; they may not even be aware of emerging attack methods. To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy that includes review and adoption of leading practices against evolving threats. This requires a multilayered approach across a proven framework for managing cybersecurity.
Connecting the components required to regain cybersecurity for utilities
Enterprise risk management deepens an organization’s understanding and awareness of risk across the entire business. Identifying risks within the internal and external environment becomes the responsibility of every employee from the CEO down. Much as a safety culture encompasses shared attitudes, perceptions and values that form part of an organization’s corporate culture to “do the right thing,” organizations need to create a security risk culture of awareness and vigilance that is equally embedded into the cultural fabric.
Cyber resilience requires an in-depth understanding of the disruptive drivers of change across the business and operational landscape. This is an opportunity for utilities to identify and assess risks that impact business strategy and to consider the implications of chosen approaches on risk and performance.
Cyber resilience requires an end-to-end framework to prepare for threats and respond to the impact of a breach when it occurs. Such a framework for managing cyber risks will minimize the effect on day-to-day operations, the bottom line and the company’s reputation.
Example — strategic response framework to prepare for and respond to business interruption from cyber attack
Risk-enabled utilities are investing across multiple areas, including real-time defense, knowledge sharing and regulatory compliance. Future operating models may also be influenced by the rise of new and enabling technologies, such as blockchain and robotic process automation. But the GISS results also indicate that utilities will need to better understand the security implications of these technologies before deployment, particularly given that a significant majority of P&U respondents don’t have a dedicated role focused on the impact of such technologies.
Utilities need to go beyond compliance and focus on managing the risks that matter the most. Rather than being in reactive mode each time new cyber standards are announced, organizations need to adopt an agile approach that supports the incorporation of changes as they arise. Manage the risk appropriately and compliance will follow.
Mounting threat levels require a more robust response
Utilities should operate on the basis that it will only be a matter of time before they suffer an attack that successfully breaches their defenses. However, the GISS suggests different levels of readiness among organizations. Having a cyber breach response plan (CBRP) that automatically kicks in when the problem is identified represents an organization’s best chance of minimizing the impact. There are key strategic questions for utilities to consider:
- Cybersecurity — how will you ensure you can withstand attacks, isolate and assess the damage done, and shore up defenses to prevent similar breaches in the future?
- Operating model optimization — what is the right balance between managing risks in house and outsourcing or co-sourcing?
- Business continuity planning — how will you continue to operate as normal while remedying the attack?
- Compliance — what are your duties in reporting the breach to the appropriate authorities, and how will these be discharged?
- Public relations and communications — how will you communicate clearly and effectively with all potential stakeholders, including employees, customers, suppliers and investors, both directly and via the media and social media where there is public interest in the breach?
- Litigation — how will you assess what potential litigation the attack leaves you vulnerable to, or even whether you have any recourse to legal action itself? How will you forensically record and maintain evidence for use by law enforcement agencies?
- Insurance — do you have cyber insurance and is the incident covered? In which case, what can be claimed?
- Maximizing investment — have you built rate cases or responded to performance-based incentives that would recover cyber investments and withstand regulatory scrutiny?
- Digital investment — what do you see as the biggest benefits of investing in secure digital platforms and new ways of interacting with a growing, empowered customer base?
- Collaboration — what are your competitors seeing as their greatest cyber threats? Are you stronger working as a community to counter threats than working alone?
Cybersecurity as everyone’s business
Understanding the threat landscape — detecting the potential risks on the horizon — is the groundwork of good cybersecurity. It allows utilities to limit the time they spend outside normality, to understand when and why they have moved into stress, and pre-empt the development of a full-on crisis.
Fighting back — protecting the enterprise from cyber risk — builds on this groundwork. It gives utilities the skills and confidence to deal with stress and crisis more effectively, with tools and processes that provide a framework for responding to attackers.
Having a robust response plan is the final piece. Utilities capable of employing a well thought-out and tested CBRP, in which everyone understands their responsibilities, will de-escalate the crisis much more quickly.
By pulling these strands of cybersecurity together, utilities can respond in a more agile and resilient way, even in the face of the significant and increasing risk posed by diverse and often sophisticated cyber attackers. The tools and technologies required to meet threats are already available. In fact, many utilities have developed innovative policies and processes for their optimized use. This leading practice now needs to become the industry standard. Decision-makers across the entire C-suite should understand that cybersecurity needs to be treated as an enterprise-level risk that encompasses both cyber and physical threats to the IT and OT environments. Ultimately, cybersecurity needs to become more than just an IT issue and become everyone’s business.
Read our other articles to learn what your peers are saying about key strategic, operational, financial and compliance risks. Take the opportunity to have your say by completing our Risk Pulse Survey on behalf of your organization or find out more about how our risk and cybersecurity professionals can help.