Responding to risk: how utilities can combat cyber threats

Digitalization offers new ways for energy utilities to embrace business models incorporating renewables and distributed energy management and to reinvent themselves as digital companies. However, the proliferation of grid-connected digital infrastructure creates vulnerabilities and cyber threats.

By Carl Fischer

A new study by Siemens and the Ponemon Institute, entitled Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?, reveals gaps in cybersecurity preparedness and capabilities among energy utilities, and offers recommendations on improving preparedness and response. The authors surveyed 1,726 professionals responsible for securing or overseeing cyber risk at utilities and operators of energy assets in North America, Europe, the Middle East, the Asia-Pacific region, and Latin America.

Decarbonization of the global economy requires electrification, but grid-connected assets also create new inroads for malicious attackers. Threat levels are particularly high with regard to Operational Technologies (OT) – the machines, systems, and networks by which power is generated, transmitted, and distributed. Specifically, security gaps arise from digitalization in connection with data analytics, artificial intelligence, and grid control technologies.

The report found that a lack of integration between OT and Information Technology (IT) created capability gaps that attackers can exploit. OT targets include control systems and logic controllers whose disruption can jeopardize the availability, reliability, and safety of assets by causing physical damage and shutting down operations. Potential impacts now include major environmental incidents through cascading effects.

Respondents said the frequency of attacks was increasing, with 56 percent having experienced a data breach or outage in the past year, and 54 percent expected an attack on critical infrastructure in the coming 12 months. The potency and sophistication of attacks have also increased. This may be due to the changing nature of cyberattacks, which are increasingly perpetrated by governments or actors using expertise and attack vectors developed by nation-states.

The study reveals a pervasive lack of preparedness. Only 42 percent of respondents rated their cyber-readiness as high, and only 31 percent believed they were ready to respond to, or contain, a breach. Key factors included the technical capabilities to identify threats, understanding of risk-based best practices, compliance with regulatory regimes, and internal factors within an organization. Smaller organizations needed more time (88.5 days) than larger ones (62.6 days) to coordinate responses and prioritize recovery efforts. This was also due to shortages of experts including control engineers, security specialists, and network specialists, as well as training and coordination between them.

The report recommends strengthening cyber-defenses through improved awareness of all system components and their operations, and by training or hiring skilled personnel. Other factors included accounting for systemic complexity through better coordination between IT and OT, and awareness of new developments in technology and cybersecurity. These measures will boost detection and response capabilities, including through proactive contingency planning and prioritization for recovery.

Nov 05, 2019
Carl Fischer is an independent journalist specializing in business and technology news. He lives and works in Zurich, Switzerland.

Combined picture credits, Siemens Energy, Ponemon Institute, Getty images