Mounting threat levels have pushed utilities to take a more robust approach to security, but according to Matt Chambers and Georgina Crundell from EY’s Power and Utilities team, there is still significant room for improvement.
The power and utilities (P&U) sector is going through one of the most transformative stages since its inception. Behaviours are shifting, governments and consumers alike are demanding cleaner energy, and evolving technologies drive a more decentralised and increasingly digital model. How utilities succeed in making the transition will depend on how effectively they manage their most important risks.
According to EY’s Risk Pulse survey, utilities rank business interruption from cyber attack, storms and catastrophic events as the most important risk today and in a future energy world. But security risks are constantly evolving, and it is becoming increasingly challenging for utilities to map the digital environment in which they operate and their interactions with it.
Connected devices that can collect vast amounts of personal data (such as smart meters) and the rise of the Internet of Things (IoT) add to the complexity of managing security across the transforming P&U ecosystem. The expected global cost of cybersecurity breaches across all sectors by 2021 is US$6 trillion, according to the Cybercrime Report 2017 Edition from Cybersecurity Ventures.
Legacy systems that were designed to operate in internal segregated or closed networks are increasingly interfacing and converging with IP-based networks to improve efficiencies in administration and monitoring.
This ever-expanding digital ecosystem, with potentially millions of networked access points, is exposing utilities to more sophisticated and frequent cyber attacks, which have the potential to disrupt critical infrastructure and breach customer and employee privacy. Governments around the world have moral obligations to provide access to power and clean water, and utilities are tasked with fulfilling these obligations. Yet they cannot do so if they leave themselves, and the critical infrastructure they manage, open to attack.
Utilities are particularly attractive targets for highly sophisticated state-sponsored actors in politically unstable regions looking to gain a political or monetary advantage. Hacker group Dragonfly 2.0 is an excellent example. A leading security firm recently warned that state-linked hackers were gaining access to US and European power grid operations – to the point where they could produce power blackouts anytime they wanted.
The cyber attack surface has significantly increased through advances in automation and connected devices. Combined with the commercialisation of attack tools that were once limited to a nation state’s arsenal, you have the ingredients for significant disruption.
Preparing to confront cyber threats
Mounting threat levels have pushed utilities to take a more robust approach to security, but there is significant room for improvement, especially in convergence with strategic planning.
EY’s Global Information Security Survey (GISS) 2017-18 reveals that only six per cent of P&U respondents are confident that they have fully considered the information security (IS) implications of their current strategy, and that their risk landscape incorporates and monitors cyber threats, vulnerabilities and potential impacts. A further 41 per cent have either made a recent change or are about to make a change to their current strategy and plan to consider IS implications, risks and threats.
But worryingly, over half (53 per cent) of P&U respondents either do not appreciate or have only partially considered IS implications, risks and threats in their strategy, and do not have plans to change their current course. In addition, 71 per cent think present IS functions are not meeting expectations.
The GISS digs deeper: 62 per cent believe that an attack that did not cause harm would be unlikely to prompt an increase in budget. Yet, according to a recent report, it takes an average of 99 days for organisations to detect an intrusion. To confront cyber threats, utilities should assume that all attacks cause harm, even if the impact is not immediately obvious.
At the very least, there will be a cost associated with responding to the event. Often, the people responsible for security lack influence with senior management and struggle to articulate the risk in order to obtain additional investment. This reinforces the need to elevate security to an enterprise-level risk and become an integral part of the utility’s overall strategy.
Understanding the complex cyber threat landscape
The first step for utilities seeking to enhance their security capability is to develop a better understanding of the threats they face and what they mean for the business.
Enterprise domain risks
Utilities are using advanced systems for real-time business intelligence and predictive analytics to fully tap the wealth of actionable information available in the growing volumes of data they manage. Threats associated with the collection, storage and analysis of big data, and the growing interdependencies between physical assets and information and operations technology (IT and OT) systems, have elevated the importance of security as an enterprise-level risk.
Grid and network infrastructure risks
The increasingly connected and complex nature of industrial control systems (ICS), including supervisory control and data acquisition (SCADA), makes them challenging to secure and vulnerable to cyber threats. OT assets that need to maintain 24/7 uptime face challenges in applying security upgrades and mitigating vulnerabilities. In addition, the growth in smart electric, gas and water networks and associated digitally enabled technologies is creating new points of entry for cyber attackers.
Customer domain risks
Growth in disruptive behind-the-meter technologies, including electric vehicles (EVs), smart appliances, the IoT and Future Internet of Things (FIoT), distributed energy resources (DERs) including web-enabled solar, batteries and home energy management systems, is further expanding the cyber attack surface across the P&U ecosystem. The use of smart metering data to enhance billing systems, better understand consumption patterns and ultimately improve user experience also increases the amount of information held by organisations, including utilities, third parties and aggregators.
This multi-ownership of data is making management of customer privacy even more challenging, especially with increased regulatory pressures such as the European Union’s General Data Protection Regulation.
To build resilience, utilities must assume the worst can happen
According to the GISS, employees, hacktivists and state-sponsored attackers are seen as the greatest immediate threats. Utilities are also increasingly fearful about nefarious actors exploiting vulnerabilities within new digital channels and tools.
Utilities face enormous challenges in identifying suspicious behaviour, tracking who has access to their data, and finding hidden and unknown “zero-day” attacks. In addition, P&U organisations are not sufficiently addressing their ability to recognise and manage this new enterprise risk – 63 per cent of P&U respondents say they don’t have a dedicated role within the security function focused on digital and the IoT.
In addition, each device connected to the network represents a target for attackers that needs to be secured, and each social media interaction with customers creates vectors for potential phishing attacks or other malicious targeting. According to the GISS, 49 per cent of P&U respondents consider IS around social media to be a high priority. In fact, almost half (48 per cent) agree that their risk exposure has increased over the past twelve months. This is a significant uplift versus the previous year, when only eight per cent agreed, reflecting the growing importance of the role that social media plays in a utility’s communications strategy.
With growing interdependence and interconnectivity of critical infrastructure across multiple sectors, cybersecurity is becoming increasingly challenging. A majority (58 per cent) of P&U respondents find it hard to monitor the perimeter of their ecosystem versus 36 per cent across all sectors.
The rise of microgrids and DERs, as well as an increasingly fragmented energy value chain with multiple new entrants and systems, often spanning numerous countries, makes it difficult to understand and manage the risk, including where responsibility ultimately lies. Also, separate organisational governance of IT versus OT can lead to a disjointed approach in which security monitoring is often overlooked.
Fighting back against the threat
To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy.
Utilities may feel more confident about confronting the types of threat that have become familiar in recent years, but still lack the capability to deal with more advanced, targeted assaults; they may not even be aware of emerging attack methods.
To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy that includes review and adoption of leading practices against evolving threats. This requires a multilayered approach across a proven framework for managing cybersecurity.
Connecting the components required to regain cybersecurity for utilities
Establish a risk-enabled culture: Enterprise risk management deepens an organisation’s understanding and awareness of risk across the entire business. Identifying risks within the internal and external environment becomes the responsibility of every employee from the CEO down.
Much as a safety culture encompasses shared attitudes, perceptions and values that form part of an organisation’s corporate culture to “do the right thing,” organisations need to create a security risk culture of awareness and vigilance that is equally embedded into the cultural fabric.
Advance strategic thinking: Cyber resilience requires an in-depth understanding of the disruptive drivers of change across the business and operational landscape. This is an opportunity for utilities to identify and assess risks that impact business strategy and to consider the implications of chosen approaches on risk and performance.
Adopt an agile and resilient operating model: Cyber resilience requires an end-to-end framework to prepare for threats and respond to the impact of a breach when it occurs. Such a framework for managing cyber risks will minimise the effect on day-to-day operations, the bottom line and the company’s reputation.
Invest in technology and innovation: Risk-enabled utilities are investing across multiple areas, including real-time defence, knowledge sharing and regulatory compliance.
Future operating models may also be influenced by the rise of new and enabling technologies, such as blockchain and robotic process automation. But the GISS results also indicate that utilities will need to better understand the security implications of these technologies before deployment, particularly given that a significant majority of P&U respondents don’t have a dedicated role focused on the impact of such technologies.
Focus on the risks that matter most: Utilities need to go beyond compliance and focus on managing the risks that matter the most. Rather than being in reactive mode each time new cyber standards are announced, organisations need to adopt an agile approach that supports the incorporation of changes as they arise.
Manage the risk appropriately and compliance will follow.
Developing a more robust response
Utilities should operate on the basis that it will only be a matter of time before they suffer an attack that successfully breaches their defences. However, the GISS suggests different levels of readiness among organisations.
Having a cyber breach response plan (CBRP) that automatically kicks in when the problem is identified represents an organisation’s best chance of minimising the impact. There are key strategic questions for utilities to consider:
- Cybersecurity – how will you ensure you can withstand attacks, isolate and assess the damage done, and shore up defences to prevent similar breaches in the future?
- Operating model optimisation – what is the right balance between managing risks in house and outsourcing or co-sourcing?
- Business continuity planning – how will you continue to operate as normal while remedying the attack?
- Compliance – what are your duties in reporting the breach to the appropriate authorities, and how will these be discharged?
- Public relations and communications – how will you communicate clearly and effectively with all potential stakeholders, including employees, customers, suppliers and investors, both directly and via the media and social media, where there is public interest in the breach?
- Litigation – how will you assess what potential litigation the attack leaves you vulnerable to, or even whether you have any recourse to legal action itself? How will you forensically record and maintain evidence for use by law enforcement agencies?
- Insurance – do you have cyber insurance, and is the incident covered? If so, what can be claimed?
- Maximising investment – have you built rate cases or responded to performance-based incentives that would recover cyber investments and withstand regulatory scrutiny?
- Digital investment – what do you see as the biggest benefits of investing in secure digital platforms and new ways of interacting with a growing, empowered customer base?
- Collaboration – what are your competitors seeing as their greatest cyber threats? Are you stronger working as a community to counter threats than working alone?
Cybersecurity as everyone’s business
Understanding the threat landscape, and detecting the potential risks on the horizon, is the groundwork of good cybersecurity. It allows utilities to limit the time they spend outside normality, to understand when and why they have moved into stress, and pre-empt the development of a full-on crisis.
Fighting back and protecting the enterprise from cyber risk builds on this groundwork. It gives utilities the skills and confidence to deal with stress and crisis more effectively, with tools and processes that provide a framework for responding to attackers.
Having a robust response plan is the final piece. Utilities capable of employing a well thought-out and tested CBRP in which everyone understands their responsibilities will de-escalate the crisis much more quickly.
By pulling these strands of cybersecurity together, utilities can respond in a more agile and resilient way, even in the face of the significant and increasing risk posed by diverse and often sophisticated cyber attackers. The tools and technologies required to meet threats are already available. In fact, many utilities have developed innovative policies and processes for their optimised use. This leading practice now needs to become the industry standard.