by Simon Vardy, Managing Director, Accenture Australia Utilities Strategy Practice
The threat of cyber attacks on power infrastructure is a cause of global concern, with its critical systems a prime target for cyber attackers to inflict serious damage and disruption. In the past twelve months, hackers have breached the networks of energy providers in Germany, Ukraine and the US using sophisticated malware, causing power outages of various scales and prompting serious concern amongst providers and governments.
Irrespective of motive or source, a successful attack in Australia could see large populations across the country suffering major power outages, as well as causing enormous business disruption and resulting in substantial economic damage.
Additionally, energy providers in Australia are increasingly experimenting with “smart grid” trials, in the hope of providing consumers the power to use energy more efficiently and alleviate risk of future blackouts, as seen in South Australia in 2017. Despite the benefits, the evolution to smart grid technology that connects IT, energy management systems and consumers is blurring traditional boundaries and creating new security vulnerabilities.
Microgrids are increasingly being investigated by Australian energy providers, heralded for their flexibility, resilience and integration with renewable power. Microgrids provide the ability to “self-island” from a distribution network and can use distributed, self-healing architectures to maintain energy delivery. If a physical event or cyber attack causes a power outage, microgrids can also contain the impact by shedding non-essential loads and continuing to energise critical loads. However, they themselves are vulnerable as a result of their increased penetration of monitoring and control capabilities, which open up the possibilities for breaches of security.
As we transition to a more digitised energy world, there is a fear that the same greater connectivity enabled by smart grids and microgrids could also create even greater opportunities for cyber criminals to launch crippling attacks.
A rapidly evolving risk landscape
Australian energy providers are fully aware of the potential damage cyber attacks can inflict on our electricity networks. Accenture’s Digitally Enabled Grid survey revealed that more than half (57 per cent) of distribution business executives cite interruptions to supply as their greatest cyber attack related concern, closely followed by potential impacts on customer and employee safety (53 per cent). While distribution utilities are well-practiced at restoring grids after traditional disruptions like adverse weather or asset failure, Accenture research showed only half of utility executives thought they were well-prepared for the challenges of an interruption from cyber attack.
Further to this, the latest Accenture High Performance Security research shows that fewer than 40 per cent of electricity utilities globally have methods, tools and skills comparable to the highest level of performance.
Our experience has also shown that the greatest challenges to effective preparedness and response to cyber threats are often internal, rather than external, factors. In fact, obstacles are often created by the cultural and organisational silos that exist between operations and technology business units, as well as by the dwindling number of personnel available to operate the grid without technology, which can significantly strain utilities’ capabilities.
The current technology landscape for many utilities operators features control systems that work on old or vulnerable operating systems – commonly without sufficient processing power to run effective virus scans, or lacking encryption or authorisation on communications channels – accompanied by limited or no security for endpoints, such as programmable logic controllers and intelligent end devices.
Developing a resilient delivery system
Cyber security needs to become a core industry capability for energy providers, one that protects the entire value chain and extended ecosystem from end to end. The increasing convergence of physical and cyber threats requires the development of capabilities that go well beyond simple compliance.
Utilities should invest in cyber resilience measures, as well as effective response and recovery capabilities. There are some strategies utility companies should consider to strengthen resilience and response to cyber attacks. These steps could allow the building and scaling of cyber defence capabilities:
Investigate a platform approach to cyber security capabilities
With increased regulation and greater customer requirements, distribution businesses are finding it difficult to prioritise projects and may therefore find themselves lacking the resources required to address and develop cyber security capabilities. It may therefore be productive to find ways to pool resources or look to platform-based models and technology solutions that could help address common cyber security challenges, removing the need to build their own internal capabilities.
Integrate resilience into asset and process design
Most utilities still operate systems and assets that were designed before the advent of computers, and definitely before the emergence of cyber attacks. Building cyber security into asset and process design will certainly make the distribution system more resilient. As an extra step, integrating natural hazard hardening as well as security into the design of distribution grids will make these more resilient at a lower overall cost.
Share threat information
Distribution businesses are likely to be facing the same common threats. Sharing intelligence and information between businesses is a critical activity that could help create situational awareness of the latest threat landscape and how to prepare accordingly. However, data privacy and security regulations may impact greater openness and transparency between businesses. In the absence of information sharing between utilities, external cyber experts could be consulted to help create a much-needed situational awareness.
Develop security and emergency management governance protocols
Developing a cyber security governance model should reflect the prevailing corporate culture. For example, a top-down, centralised business should mirror its culture in its cyber security governance model. Similarly, a business that is less centrally controlled and managed should adopt a similar decentralised approach to the governance of cyber security. There is no single approach – each distribution business needs to consider its organisational and operational context in order to devise the most effective approach.
Develop relationships with regional security officials and with cyber response experts
Whether national security and intelligence officials or private sector cyber response and legal experts, expertise will be required to help contain, investigate and manage the consequences of the response. Developing these relationships now, modelling the interactions and planning the response will be critical to an effective, efficient response to cyber
Embracing security at the core
Grid operators in Australia are at varying stages in the cyber protection maturity curve. While some are only working toward compliance with security standards, others are already working on developing cyber security as a core business capability.
To combat cyber risks, distribution businesses need an agile capability that creates and leverages situational awareness based on changing threat factors, and that can quickly react to and intervene in cyber attacks. Leaning on the wider energy ecosystem, Australian transmission and distribution utilities must engage with government and industry forums so that new threats are managed quickly and effectively.
To meet the security imperative from within, a smart grid, or microgrid, must integrate consolidated, end-to-end IT and physical security into its design, ensuring system “irregularities” can be flagged seamlessly between grid control, security operations, network operations centres and beyond.
In Accenture’s view, the optimal approach to cyber security is an effective segmentation of risks, with the implementation of the most advanced security for highest-risk, high-value assets or highest-impact customers. At this level, utilities will have greater operational control, improved situational awareness, lower risk and superior control of operations and maintenance costs, and will be better prepared for the impact of future disruptive technologies.
This should be achieved through certificate-based, device-level authentication (where feasible), network protocols that support encryption, application security, network segmentation, security monitoring, incident response and a hardening process to manage vulnerabilities in a timely fashion.
Cyber attacks on Australian utility infrastructure could cause chaos and mass disruption, from motivated ransom attacks to completely disabled networks. As utilities go digital, Australian energy providers must be proactive both in their adoption of smart and microgrid technology and in implementing powerful, adaptable security systems that minimise risks posed by cyber attacks.