Responding to risk: A new survey shows how utilities can combat cyber threats
Digitalization offers new ways for energy utilities to embrace business models incorporating renewables and distributed energy management and to reinvent themselves as digital companies. However, the proliferation of grid-connected digital infrastructure creates vulnerabilities and cyber threats.
By Carl Fischer
Read the study: Caught in the crosshairs – Are utilities keeping up with the industrial cyber threat?
Assessing operational readiness of the global utilities sector.
A new study by Siemens and the Ponemon Institute, entitled Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?, reveals gaps in cybersecurity preparedness and capabilities among energy utilities, and offers recommendations on improving preparedness and response. The authors surveyed 1,726 professionals responsible for securing or overseeing cyber risk at utilities and operators of energy assets in North America, Europe, the Middle East, the Asia-Pacific region, and Latin America.
Vulnerability to cyber-risks
Decarbonization of the global economy requires electrification, but grid-connected assets also create new inroads for malicious attackers. Threat levels are particularly high with regard to Operational Technologies (OT) – the machines, systems, and networks by which power is generated, transmitted, and distributed. Specifically, security gaps arise from digitalization in connection with data analytics, artificial intelligence, and grid control technologies.
The report found that a lack of integration between OT and Information Technology (IT) created capability gaps that attackers can exploit. OT targets include control systems and logic controllers whose disruption can jeopardize the availability, reliability, and safety of assets by causing physical damage and shutting down operations. Potential impacts now include major environmental incidents through cascading effects.
Preparedness for cyber-incidents
Respondents said the frequency of attacks was increasing, with 56 percent having experienced a data breach or outage in the past year, and 54 percent expected an attack on critical infrastructure in the coming 12 months. The potency and sophistication of attacks have also increased. This may be due to the changing nature of cyberattacks, which are increasingly perpetrated by governments or actors using expertise and attack vectors developed by nation-states.
The study reveals a pervasive lack of preparedness. Only 42 percent of respondents rated their cyber-readiness as high, and only 31 percent believed they were ready to respond to, or contain, a breach. Key factors included the technical capabilities to identify threats, understanding of risk-based best practices, compliance with regulatory regimes, and internal factors within an organization. Smaller organizations needed more time (88.5 days) than larger ones (62.6 days) to coordinate responses and prioritize recovery efforts. This was also due to shortages of experts including control engineers, security specialists, and network specialists, as well as training and coordination between them.
Building stronger cyber-defenses
The report recommends strengthening cyber-defenses through improved awareness of all system components and their operations, and by training or hiring skilled personnel. Other factors included accounting for systemic complexity through better coordination between IT and OT, and awareness of new developments in technology and cybersecurity. These measures will boost detection and response capabilities, including through proactive contingency planning and prioritization for recovery.
Nov 05, 2019
Carl Fischer is an independent journalist specializing in business and technology news. He lives and works in Zurich, Switzerland.
Combined picture credits, Siemens Energy, Ponemon Institute, Getty images
Founded in 2002 by Larry Ponemon and Susan Jayson, the Ponemon Institute conducts independent research on privacy, data protection, and information security policy for private and public-sector organizations. It provides strategic consulting to help companies enhance their privacy and data protection programs and meet compliance and regulatory requirements in the USA and other countries.