IT Security in Utilities

Posted on April 22, 2014
Posted By: Arun Krishnamurthi

Modern energy and utility companies are becoming vulnerable in ways they are not familiar with: via cyber-attacks. A Symantec report in January said that in the first half of 2013, energy was the fifth most targeted sector worldwide. It experienced 7.6 per cent of all cyber-attacks[i]. During the same period, the Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT) said that cyber-attacks had doubled and significantly, 53% of those attacks were against the energy sector[ii].

In 2012, a large oil corporation in the Middle East found that a virus - now famously known as Shamoon -- wiped out documents, intellectual property and business data from a large number of corporate PCs, interrupting oil operations[iii]. The growing new threat has the potential to be more devastating than terrorist attacks as we have known them. The attacks - which could be from state-sponsored groups, criminals, competition, hactivists or just code kiddies - can help seize mission-critical OT and IT systems. The results of such security breaches can be catastrophic. They can bring down entire cities by shutting down power systems and bursting gas pipelines. They can lock trading systems and financial markets. Shut down hospitals and airports. Because of growing connectivity between industries, the effects of an attack on today's energy and utilities businesses can have a cascading effect. It is time for the industry to take a fresh look at the meaning and implications of the security threats it is vulnerable to.

In an interconnected world of smart grids, a lot can go wrong. Control rooms and power lines can be remotely hijacked, putting at risk the lives and safety of entire regions. An equally worrying risk is to data. Today's energy and utility companies have more customer data than ever before. For industrial customers, they hold data related to devices and machinery in operation, peak usage and consumption patterns. For domestic customers, they hold personal information, financial data and passwords, all of which makes it simple to impersonate customers.

The reason why the industry is not adequately prepared to address these attacks is rather simple. The industry has traditionally remained focused on building infrastructure, with very little management focus on IT and data security. With growing connectivity, this must change. Today, the industry must bring pin point focus to dealing with cyber-attacks that could affect operations, business data and intellectual property.

For an industry that has been accustomed to building dedicated infrastructure - and therefore creating a natural sense of security - things are changing. With increasing cost pressure, it is not possible to continue to retain infrastructure and data in-house. Everyone is moving towards cloud technologies with hosted infrastructure. In such an environment, how does the industry safeguard its data and applications?

The answer is a practical no-brainer: it lies in bring more science, more algorithms, more encryption and more security protocols. However, the key is to use tried, tested and proven technology to stay ahead of the growing threat. Long-time industry hands will immediately realize why this is important. The industry is, by and large, not private. So it can't go ahead and do exactly as it wants. It must be cautious, and comply with standardized regulations and mandated security processes.

In summary, it is necessary to recognize that an increasing amount of technology in the supply chain is inevitable. It is going to result in a proportionate increase in cyber risk management. The solution is in customizing risk management based on an analysis of motives behind the attacks, a thorough analysis of assets and their vulnerabilities, a backup plan (in the event of security failure) and devising risk management processes that are aligned with regulations.

[ii] Homeland Security: Hack Attempts On Energy, Manufacturing Way Up in 2013, 29 June, 2013:
[iii] In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back, New York Times, 23 October, 2012:

Authored By:
Arun Krishnamurthi, Vice President & Global Head, Utilities, ENU (Energy, Natural Resources and Utilities), SBU, Wipro

Arun is the Global Head for the Utilities business at Wipro. He has been with Wipro's Energy, Natural Resources & Utilities (ENU) SBU since its inception in 1999 and has been a key member in building up the practice & its domain capabilities. He brings with him a rich 20 years of experience

Related Posts


Add your comments:

Please log in to leave a comment!
back to top

Receive Energy Central eNews & Updates


What are the practical steps utilities can take in order to secure valuable insights from their data?

Tuesday Jun 14, 2016 - 12:00 PM Eastern - Virtual Event

In this session Vasan Krishnaswamy, Vice President, Energy Insight, OMNETRIC Group, will share some of the do's and don'ts he sees as utilities start to develop their analytics strategies and get started on project implementation. more...

2016 Modern Solutions Power Systems Conference (MSPSC)

Wednesday Jun 8, 2016 - Friday Jun 10, 2016 - Chicago, IL - USA

Join us at the fifth annual SEL Modern Solutions Power Systems Conference to rethink what’s possible and discover new opportunities for the next 100 years. more...

Sponsored Content