Why wait for a cyber catastrophe to prepare for a cyber attack?

EY’s Global Information Security Survey (GISS) 2017-18 reveals that only 6% of P&U respondents are confident that they have fully considered the information security (IS) implications of their current strategy and that their risk landscape incorporates and monitors cyber threats, vulnerabilities and potential impacts. A further 41% have either made a recent change or are about to make a change to their current strategy and plan to consider IS implications, risks and threats.

But worryingly, over half (53%) of P&U respondents either do not appreciate or have only partially considered IS implications, risks and threats in their strategy and do not have plans to change their current course. In addition, 71% think present IS functions are not meeting expectations.

The GISS digs deeper with 62% believing that an attack that didn’t cause harm would be unlikely to prompt an increase in budget. Yet, according to a recent report, it takes an average of 99 days for organizations to detect an intrusion. To confront cyber threats, utilities should assume that all attacks cause harm, even if the impact is not immediately obvious.

At the very least, there will be a cost associated with responding to the event. Often, the people responsible for security lack influence with senior management and struggle to articulate the risk in order to obtain additional investment. This reinforces the need to elevate security to an enterprise-level risk and become an integral part of the utility’s overall strategy.

Understanding the complex cyber threat landscape

The first step for utilities seeking to enhance their security ability is to develop a better understanding of the threats they face and what they mean for the business.

Enterprise domain risks

Utilities are using advanced systems for real-time business intelligence and predictive analytics to fully tap the wealth of actionable information available in the growing volumes of data they manage. Threats associated with the collection, storage and analysis of big data, and the growing interdependencies between physical assets and information and operations technology (IT and OT) systems, have elevated the importance of security as an enterprise-level risk.

Grid and network infrastructure risks

The increasingly connected and complex nature of industrial control systems (ICS), including supervisory control and data acquisition (SCADA), makes them challenging to secure and vulnerable to cyber threats. OT assets that need to maintain 24/7 up-time face challenges with applying security upgrades and mitigating vulnerabilities. In addition, the growth in smart electric, gas and water networks and associated digitally enabled technologies are creating new points of entry for cyber attackers.

Customer domain risks

Growth in disruptive behind-the-meter technologies, including electric vehicles (EVs), smart appliances, the IoT and Future Internet of Things (FIoT), distributed energy resources (DERs) including web-enabled solar, batteries and home energy management systems, is further expanding the cyber attack surface across the P&U ecosystem. The use of smart metering data to enhance billing systems, better understand consumption patterns and ultimately improve user experience also increases the amount of information held by organizations, including utilities, third parties and aggregators.

This multi-ownership of data is making management of customer privacy even more challenging, especially with increased regulatory pressures such as the European Union’s General Data Protection Regulation.

To build resilience, utilities must assume the worst can happen

According to the GISS, employees, hacktivists and state-sponsored attackers are seen as the greatest immediate threats. Utilities are also increasingly fearful about nefarious actors exploiting vulnerabilities within new digital channels and tools.

Utilities face enormous challenges in identifying suspicious behavior, tracking who has access to their data, and finding hidden and unknown “zero-day” attacks. In addition, P&U organizations are not sufficiently addressing their ability to recognize and manage this new enterprise risk — 63% of P&U respondents say they don’t have a dedicated role within the security function focused on digital and the IoT.

In addition, each device connected to the network represents a target for attackers that needs to be secured, and each social media interaction with customers creates vectors for potential phishing attacks or other malicious targeting. According to the GISS, 49% of P&U respondents consider IS around social media to be a high priority. In fact, almost half (48%) agree that their risk exposure has increased over the past 12 months. This is a significant uplift vs. the previous year when only 8% agreed, reflecting the growing importance on the role that social media plays in a utility’s communications strategy.

With growing interdependence and interconnectivity of critical infrastructure across multiple sectors, cybersecurity is becoming increasingly challenging. A majority (58%) of P&U respondents find it hard to monitor the perimeter of their ecosystem vs. only 36% across all sectors. The rise of microgrids and DERs, as well as an increasingly fragmented energy value-chain with multiple new entrants and systems, often spanning numerous countries, make it difficult to understand and manage the risk, including where responsibility ultimately lies. Also, separate organizational governance of IT vs. OT can lead to a disjointed approach where security monitoring is often overlooked.

Utilities may feel more confident about confronting the types of threat that have become familiar in recent years, but still lack the capability to deal with more advanced, targeted assaults; they may not even be aware of emerging attack methods. To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy that includes review and adoption of leading practices against evolving threats. This requires a multilayered approach across a proven framework for managing cybersecurity.

Connecting the components required to regain cybersecurity for utilities

Establish a risk-enabled culture: Enterprise risk management deepens an organization’s understanding and awareness of risk across the entire business. Identifying risks within the internal and external environment becomes the responsibility of every employee from the CEO down. Much as a safety culture encompasses shared attitudes, perceptions and values that form part of an organization’s corporate culture to “do the right thing,” organizations need to create a security risk culture of awareness and vigilance that is equally embedded into the cultural fabric.

Advance strategic thinking: Cyber resilience requires an in-depth understanding of the disruptive drivers of change across the business and operational landscape. This is an opportunity for utilities to identify and assess risks that impact business strategy and to consider the implications of chosen approaches on risk and performance.

Adopt an agile and resilient operating model: Cyber resilience requires an end-to-end framework to prepare for threats and respond to the impact of a breach when it occurs. Such a framework for managing cyber risks will minimize the effect on day-to-day operations, the bottom line and the company’s reputation.

Invest in technology and innovation: Risk-enabled utilities are investing across multiple areas, including real-time defense, knowledge sharing and regulatory compliance. Future operating models may also be influenced by the rise of new and enabling technologies, such as blockchain and robotic process automation. But the GISS results also indicate that utilities will need to better understand the security implications of these technologies before deployment, particularly given that a significant majority of P&U respondents don’t have a dedicated role focused on the impact of such technologies.

Focus on the risks that matter most: Utilities need to go beyond compliance and focus on managing the risks that matter the most. Rather than being in reactive mode each time new cyber standards are announced, organizations need to adopt an agile approach that supports the incorporation of changes as they arise. Manage the risk appropriately and compliance will follow.

Utilities should operate on the basis that it will only be a matter of time before they suffer an attack that successfully breaches their defenses. However, the GISS suggests different levels of readiness among organizations. Having a cyber breach response plan (CBRP) that automatically kicks in when the problem is identified represents an organization’s best chance of minimizing the impact. There are key strategic questions for utilities to consider:

Cybersecurity — how will you ensure you can withstand attacks, isolate and assess the damage done, and shore up defenses to prevent similar breaches in the future?

Operating model optimization — what is the right balance between managing risks in house and outsourcing or co-sourcing?

Business continuity planning — how will you continue to operate as normal while remedying the attack?

Compliance — what are your duties in reporting the breach to the appropriate authorities, and how will these be discharged?

Public relations and communications — how will you communicate clearly and effectively with all potential stakeholders, including employees, customers, suppliers and investors, both directly and via the media and social media where there is public interest in the breach?

Litigation — how will you assess what potential litigation the attack leaves you vulnerable to, or even whether you have any recourse to legal action itself? How will you forensically record and maintain evidence for use by law enforcement agencies?

Insurance — do you have cyber insurance and is the incident covered? In which case, what can be claimed?

Maximizing investment — have you built rate cases or responded to performance-based incentives that would recover cyber investments and withstand regulatory scrutiny?

Digital investment — what do you see as the biggest benefits of investing in secure digital platforms and new ways of interacting with a growing, empowered customer base?

Collaboration — what are your competitors seeing as their greatest cyber threats? Are you stronger working as a community to counter threats than working alone?

Cybersecurity as everyone’s business

Understanding the threat landscape — detecting the potential risks on the horizon — is the groundwork of good cybersecurity. It allows utilities to limit the time they spend outside normality, to understand when and why they have moved into stress, and pre-empt the development of a full-on crisis.

Fighting back — protecting the enterprise from cyber risk — builds on this groundwork. It gives utilities the skills and confidence to deal with stress and crisis more effectively, with tools and processes that provide a framework for responding to attackers.

Having a robust response plan is the final piece. Utilities capable of employing a well thought-out and tested CBRP in which everyone understands their responsibilities, will de-escalate the crisis much more quickly.

By pulling these strands of cybersecurity together, utilities can respond in a more agile and resilient way, even in the face of the significant and increasing risk posed by diverse and often sophisticated cyber attackers. The tools and technologies required to meet threats are already available. In fact, many of them have developed innovative policies and processes for optimized use. This leading practice now needs to become the industry standard.