8 minute read 30 Sep 2021

Cyber criminals are targeting the P&U sector, which has been made more vulnerable by COVID-19 disruption, according to a recent EY survey.

How power and utility CISOs can adapt to enable a digital future

By Alex Campbell

EY EMEIA Cybersecurity, Associate Partner

Cyber security advisor to large organizations. Digital trust thought leader. Wine lover. Father of two.

In brief
  • CISOs in the power and utilities (P&U) sector are more worried than ever before about the cybersecurity threat.
  • Half of P&U respondents warn that their budgets are not enough to cover the challenges that have arisen in recent times.
  • As threat actors launch ever-more sophisticated attacks, CISOs are trying to position themselves as enablers of transformation.

A cyber attack on the power grid or water supply can bring society to a crashing halt. Since the COVID-19 pandemic started, and the shift to remote and hybrid working gave threat actors new avenues to exploit, cybersecurity teams in the P&U sector have been on the highest alert. 

According to the latest EY Global Information Security Survey (GISS), more than half (53%) of P&U cybersecurity leaders have never been as concerned as they are now about their ability to manage the threat.

They have good reason to feel uneasy. The attacks on Ukraine’s electricity system in December 2015 and December 2016, which left hundreds of thousands of people and then part of Kyiv without power in sub-zero temperatures, were early signs of things to come. In Europe, during the early months of the first COVID-19 lockdown, hackers used the supply chain to infiltrate the IT systems of German power, water and energy companies. More recently, in February 2021, an intruder used remote-access software to reach the control interface of a water treatment plant in Oldsmar, Florida, and raised the sodium hydroxide dosing setpoint roughly a hundredfold; an operator watching the screen reverted the change before treated water was affected. In fact, according to the GISS, in the last 12 months alone, 8 in 10 P&U CISOs have seen an increase in disruptive attacks – the highest among all sectors in our survey.

CISOs are under pressure to manage the cybersecurity risk and to help maintain an uninterrupted service that relies in large part on their ability to embed security by design. According to this year’s GISS, however, their work is being made significantly more difficult. Three factors are to blame: budgets that have not kept up with the changing threat; an outdated perception of cybersecurity across the business; and the growing sophistication of cyber criminals.

Cyber funding is falling short of requirements

P&U cybersecurity leaders are struggling to secure the resources they need. One in two (50%) flag that they are working with budgets that are insufficient to manage the cybersecurity challenges that have emerged over the past 12 months. A more modest 42% of leaders in other sectors, on average, share the same concern.

The issue is not that finance and the executive team underestimate the importance of cybersecurity. “Boards do now understand that cybersecurity is a key risk, but that does not necessarily translate into them releasing additional budget,” says Kris Lovejoy, EY Global Consulting Cybersecurity Leader. “Partly that is because there has been a failure from some heads of security to articulate clearly how to deal with the increased cybersecurity risk.”

Today, P&U respondents are searching for savings and making difficult decisions. Among those who say their budget is insufficient for their needs, 55% say they have been forced to review legacy architectures and identify cost-reduction opportunities, and half (49%) have scaled back their innovation activities to focus on nonstrategic tasks (see figure 1).

Figure 1: GISS P&U graphic 1

The result is deep consternation: nearly half (43%) of P&U cybersecurity leaders believe it is only a matter of time before their organization suffers a major breach that could have been avoided if they had received additional investment. This proportion is higher than in the other sectors surveyed where, on average, 37% of leaders believe that underfunding is making a breach inevitable.

Cybersecurity teams are viewed as opponents rather than partners

One unwelcome irony for P&U CISOs is that the more they are underfunded, the more they are held to account. Over half (59%) of P&U respondents say that cybersecurity is coming under more scrutiny than ever before.

A simple explanation for this could be that the business lacks faith in the function’s abilities, regardless of the level of budget it receives. Just 45% of P&U respondents believe their executive management team would describe cybersecurity as "protecting the enterprise," whereas in other sectors an average of 61% are confident of that endorsement.

Part of the problem could be that cybersecurity is rarely seen as a strategic partner. Fewer than half (46%) of respondents in the sector are confident in the cybersecurity team’s ability to speak the same language as peers in the business. Just 31% believe they are seen as supporters of innovation.

Figure 2: GISS P&U graphic 2

The lack of engagement between cybersecurity teams and key functions, e.g., HR, product development and R&D, is evident in how weak those relationships are. Just 12% describe their relationship with product development and R&D as one of high trust and consultation; the figure falls to 7% when it comes to their interactions with business lines, which would include critical partners such as logistics, engineering and production.

In the absence of strong ties with the business, there is likely to be little understanding of how cybersecurity could play a positive role in the transformation or digitization of operational technology (OT). And, in an environment where budgets are tight, boards are prioritizing functions where there is a clear route from investment to added value.

The adversary is stronger and more unpredictable

P&U companies are facing a more extensive and sophisticated threat than in the past. Most respondents tell us that they have seen a rise in the number of disruptive attacks in the last year (see figure 3), and 40% warn that hackers are consistently experimenting with new strategies, such as targeting weak links in the supply chain, that may bypass the security controls in place.

Figure 3: GISS P&U graphic 3

The rise in attacks can be partly explained by pandemic disruption. The World Economic Forum has, for example, warned that attackers are specifically targeting the P&U sector because they believe it is newly vulnerable due to COVID-19 impacts, such as the move to remote working.

Another challenge is that the sector has embarked on a massive digital transformation journey in recent years, with P&U companies connecting their IT with OT to modernize infrastructure and control their plants and networks. As Clinton Firth, EY Global Cybersecurity Lead, Energy, explains: “Digital transformation creates powerful new opportunities but, as the different environments merge, the attack surface area increases. That is causing a lot of stress.”

In some areas, the convergence makes the environment more complex to protect, providing attackers with millions of potential entry points. The rollout of smart meters and connected-home initiatives is a prime example.

Moreover, sophisticated and well-resourced crime groups understand the potential for ransomware in an industry where operational shutdowns can quickly become a national emergency. State-sponsored groups also see cyber attacks on their rivals’ critical infrastructure as a powerful weapon. Indeed, 40% of P&U leaders believe that state-affiliated actors are behind the breaches they have suffered, compared with only 24% of CISOs in other sectors who say the same.

How P&U leaders can respond

To succeed within a challenging internal and external environment, P&U CISOs need to act now and embed security by design, considering risk and security from the outset of every transformation programme.

Make a broader case for funding

Threat actors have started targeting the P&U sector with ever-greater frequency, exploiting justifiable concern about any interruption to the population’s power or water supply. The research suggests, however, that cybersecurity funding has not kept up with the growing risk.

Currently, P&U cybersecurity leaders say that citing risk reduction and emerging threats is their preferred way to justify new funds (42%). As attacks increase, they should highlight the importance of response and recovery as well as prevention, to build a more broad-based argument for resources. “You need to accept there are going to be attacks and that some will be successful, so the business case is for a budget that goes beyond just prevention,” explains Firth.

Update the language and reference points of cybersecurity

Cybersecurity functions are struggling to build close relationships across the business, particularly with the engineering teams that oversee the most critical systems and operational data. Overcoming these differences is not just a case of learning to use specific terminology and frames of reference, but also recognizing that discrete cultures exist in different pockets of the business.

Firth suggests that CISOs should adopt multiple perspectives to build bridges. “The problem is that many CISOs came up through IT, and today, there is a paradigm clash between IT and OT,” he explains. “On one hand, you’ve got engineers focused on availability and safety, on systems that are potentially decades old. On the other, you’ve got a CISO urging them to patch the system straight away because of confidentiality and integrity concerns. It’s a real stress point.” 

Prepare how to respond across a growing footprint

P&U businesses face a sector-specific challenge in protecting IT and OT as these systems converge. But many P&U CISOs are also worried about vulnerabilities from their organization’s procurement activities: 44% say they are making it a top priority to fix new vulnerabilities in the supply chain. Remote working is another issue, with 43% of P&U cybersecurity leaders prioritizing measures to address risk introduced by changes forced upon them by COVID-19.

The sector is an attractive target because of the impact an attack has on society, which is why sophisticated, state-sponsored actors are targeting it; a cybersecurity function acting alone will struggle to match adversaries of this kind. CISOs need to assume that their organizations will be attacked, and have a well-rehearsed incident response plan, one that involves the supply chain, in place before the attack happens.

Today, hackers are exploiting the sector’s vulnerabilities more than ever before – and CISOs should assume that the rate of attack will only increase. If they can overcome the barriers they face around security by design, CISOs can not only minimize the disruption of these attacks but also build a reputation as strategic enablers of digitization.  

Summary

Faced with a growing cybersecurity threat, CISOs in P&U are being held back by several challenges, including budgets that are no longer fit for purpose, an outdated reputation among business partners, and the new approaches of cyber criminals. If they take action now, they can become enablers of a secure, digitized future.  
