The Urgent Call to Protect Distribution Utilities from Cyberattacks
No company or industry is immune from a cyberattack, but for operators of electricity grids, the threat includes potentially devastating consequences to infrastructure and communities.
In fact, the Council on Foreign Relations has shared that the U.S. power grid is considered a glaring target for a major cyberattack and the U.S. Department of Energy recently stated that our electricity system ‘faces imminent danger’ from cyberattacks. With the rise of large-scale attacks from independent hackers and nation-states alike – from CrashOverride to NotPetya – utility distribution businesses should be wary that even if they are not the target, they may still experience the negative consequences.
Recent Accenture research into the Digitally Enabled Grid found that nearly two-thirds of utility executives believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electric distribution grids in the next five years. If a powerful cyberattack were successful, it could cause power outages, enormous business and economic disruption, and may even result in serious injury or harm to consumers and employees. Furthermore, a cyberattack of scale would raise serious concerns about the security of all parts of a utility’s value chain.
Indeed, the research also found that almost six in 10 distribution business executives (57 percent) fear interruption to supply as their greatest cyber-related concern, closely followed by potential impacts on customer and employee safety. But even so, many don’t feel prepared to handle it.
Digital transformation opens the electric distribution grid to new vulnerabilities
The increased connectivity of industrial control systems (ICS) enabled by the smart grid will drive significant benefits in the form of safety, productivity, improved quality of service and operational efficiency. In fact, digital technologies allow for instant feedback, a rich flow of grid data, and the ability to proactively diagnose and fix asset failures, minimizing operations and maintenance (O&M) costs and improving reliability.
Nearly 9 in 10 utility executives rightly see cybersecurity as a major concern in smart grid deployment. Smart grid technology connects IT and OT, electric assets, employees, consumers and vendors. While this digital transformation across the grid can make it more efficient and reliable, it can also generate new vulnerabilities to cyberattacks. The digital devices used in these operational technologies often lack the ability to authenticate administrators and cannot maintain the activity logs needed for forensic analysis.
However, electricity distribution companies that have not adopted the smart grid are already at risk, as the current technology landscape for many utilities features control systems that work on old or vulnerable operating systems. Utility executives should not refrain from installing the smart grid because they are fearful of cyberattacks; instead, they should accelerate their deployments and take full advantage of the automation available for their ratepayers, but take care to make it fully secure. Utilities should also thoroughly evaluate their broader supply chain for the smart grid, since contractors and suppliers of hardware or services could also be compromised by third parties.
Protecting the grid against cyber threats
Accenture’s research found that, globally, just over half (54 percent) of utility executives believe they are “extremely well prepared” or “well prepared” to restore normal network operation after a cyberattack that would cause service interruption. However, strikingly, around 40 percent of respondents said that cybersecurity risks are not, or are only partially, integrated into their broader risk management processes.
That’s not enough. Cybersecurity must become a core industry capability that protects the entire value chain end-to-end. Distribution businesses need to be able to boost situational awareness through a system-wide assessment of the utility’s preparedness, base their approach on changing threat actors, and create a plan to quickly react, intervene and respond as an enterprise.
While there is no single solution, here are some key steps any distribution business should consider to prepare for and respond to cyberattacks:
- Investigate a broad platform approach to cybersecurity. Deregulation has created many small- and medium-size distribution businesses that lack the resources required to develop sophisticated cybersecurity capabilities, but this can be solved through partnerships. These businesses could pool resources or look to platform-based models and technology solutions that could help them address common cybersecurity challenges, without needing to build their own internal capabilities.
- Keep cybersecurity a priority in asset design and development. Most utilities still operate systems that were designed before the advent of today’s computers, much less today’s security threats – so the design standards today need to take into account the threats of tomorrow.
- Share intelligence and threat information with contractors, peers, and industry groups – at machine speed. Distribution businesses will likely share many of the same threats, so exchanging information is critical to creating situational awareness of the latest threats and how to prepare accordingly.
- Align security governance and emergency management governance. One thing is certain besides death and taxes: the ability of certain nation states to breach your cyber defenses. Each distribution business should ensure that it has the capability to respond effectively, as an enterprise, as much as it has the capability to defend effectively.
- Establish relationships with cybersecurity experts and with local security/intelligence officials. National security and intelligence officials and/or private sector cyber response and legal experts must help investigate and manage the consequences of the attack and response. Utilities need to develop those relationships now so they can work as a team when an attack strikes.
Cyberattacks pose a clear threat to electric power systems, and it is imperative that utilities, regulators and governments make the right decisions to defend the grid. Cyberattacks will evolve in sophistication and methodology, but if utilities seek to take the proper steps now, they can prepare and protect themselves for an uncertain future.