Securing utilities against cyber attacks
Big data = big risks? As power and utility (P&U) companies receive more information, they are almost certain to fall prey to cyber attacks — with potentially catastrophic consequences. Fraser Nicol reports.
Information security is increasingly a concern for utilities as they face a flood of data from customers, smart meters, operational assets and the power grid. Our recent Global Information Security Survey highlights key information security issues for the industry and the steps that leading utilities are taking to mitigate the risk of cyber attacks.
Biggest risks from external attack
Technology and data have completely transformed the P&U sector, allowing companies to use information to improve and expand services, and better engage with customers.
However, big data also brings added regulatory obligations around privacy and security — and the risk that sensitive data will be subject to increasingly sophisticated cyber attacks.
Most utilities recognize the information security risks they face. Eighty percent of respondents in the sector reported an increase in external threats, the most prevalent concerns being:
- Mobile computing
But while they may recognize the threats, it seems few utilities are ready for them. Only 11% of survey respondents said they felt their current information security measures fully meet their organization’s needs, 60% run either no threat assessments or only informal ones, and 64% believe their security strategy is not aligned with today’s risk environment.
Improve, expand, innovate
As attacks grow in sophistication, IT infrastructure becomes more complex and the value of data increases, utilities’ security teams are under increasing pressure. Senior executives must act now to:
Improve - Become aware of the current cyber risks facing the organization, and be satisfied that the people tasked with managing these risks have the tools, time and access to expertise they need to do this effectively. Despite cyber risks being seen as potential “show stoppers” for many P&U businesses, our survey found that only 15% of the senior managers responsible for cyber security have a direct reporting line into the board.
Expand - Cyber security is a business issue, not an IT topic. When IT and security professionals seek to address cyber security across the enterprise, they are often impeded by weak organizational governance.
Innovate - P&U companies that aspire to use developments such as smart metering to become service provision innovators must continuously review, rethink and potentially redesign their entire information security framework to ensure the new services are provided in a secure manner. This may require a fundamental transformation of their information security program to proactively fortify against both the known and the unknown risks in the cyber risk environment.
Take a proactive approach
As utilities improve, expand and innovate, they are investing significant resources in information security. Almost a third of respondents from the P&U sector said they spend more than US$3m per year on the function, while about half of all utility respondents said their information security budget will increase in 2014.
While utilities are spending big, in many cases their investment in information security remains ad hoc and too IT-focused. Organizations should place more emphasis on improving employee awareness of cyber security: 34% of P&U companies rated themselves at only 1 or 2 on a 1 to 5 maturity scale for this area. Security governance and management is also a concern, with 36% of sector respondents rating it at 1 or 2.
These weaknesses are worrying because the effective management of customer data and the reduction of cyber risk both rely on the active support and engagement of non-IT business users.
Weaknesses in training and awareness, or approaches to security governance and management that are limited to IT, make it difficult for companies to successfully respond to cyber and privacy threats.
We are supporting many utilities through this process of integrating their information security into their overall business strategy. Key areas of support are:
- Strengthening security awareness and training, ensuring staff members from across the business receive guidance to recognize and address potential threats, particularly regarding mobile computing, malware and phishing
- Assessing their security architecture to ensure its design, size and operations are suitable for the entire enterprise
- Integrating information received from external sources into an enterprise-wide security risk management approach
As cyber security threats gather pace, leaders in P&U organizations must step up their efforts to improve their information security programs. A more proactive approach, greater employee awareness, innovative security solutions and an integrated information security program will enhance a company’s defenses against inevitable cyber attacks and protect it from potential reputational damage, regulatory action and higher costs.
Leading organizations know that cyber attacks will only increase — the time to act is now.
For more information
Read more in our latest Global Information Security Survey.
You may also be interested in our recent Plug in article, For your eyes only, which discusses identity and access management.