IT Security in Utilities

Posted on April 22, 2014
Posted By: Arun Krishnamurthi

Modern energy and utility companies are becoming vulnerable in ways they are not familiar with: via cyber-attacks. A Symantec report in January said that in the first half of 2013, energy was the fifth most targeted sector worldwide. It experienced 7.6 per cent of all cyber-attacks[i]. During the same period, the Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT) said that cyber-attacks had doubled and significantly, 53% of those attacks were against the energy sector[ii].

In 2012, a large oil corporation in the Middle East found that a virus - now famously known as Shamoon -- wiped out documents, intellectual property and business data from a large number of corporate PCs, interrupting oil operations[iii]. The growing new threat has the potential to be more devastating than terrorist attacks as we have known them. The attacks - which could be from state-sponsored groups, criminals, competition, hactivists or just code kiddies - can help seize mission-critical OT and IT systems. The results of such security breaches can be catastrophic. They can bring down entire cities by shutting down power systems and bursting gas pipelines. They can lock trading systems and financial markets. Shut down hospitals and airports. Because of growing connectivity between industries, the effects of an attack on today's energy and utilities businesses can have a cascading effect. It is time for the industry to take a fresh look at the meaning and implications of the security threats it is vulnerable to.

In an interconnected world of smart grids, a lot can go wrong. Control rooms and power lines can be remotely hijacked, putting at risk the lives and safety of entire regions. An equally worrying risk is to data. Today's energy and utility companies have more customer data than ever before. For industrial customers, they hold data related to devices and machinery in operation, peak usage and consumption patterns. For domestic customers, they hold personal information, financial data and passwords, all of which makes it simple to impersonate customers.

The reason why the industry is not adequately prepared to address these attacks is rather simple. The industry has traditionally remained focused on building infrastructure, with very little management focus on IT and data security. With growing connectivity, this must change. Today, the industry must bring pin point focus to dealing with cyber-attacks that could affect operations, business data and intellectual property.

For an industry that has been accustomed to building dedicated infrastructure - and therefore creating a natural sense of security - things are changing. With increasing cost pressure, it is not possible to continue to retain infrastructure and data in-house. Everyone is moving towards cloud technologies with hosted infrastructure. In such an environment, how does the industry safeguard its data and applications?

The answer is a practical no-brainer: it lies in bring more science, more algorithms, more encryption and more security protocols. However, the key is to use tried, tested and proven technology to stay ahead of the growing threat. Long-time industry hands will immediately realize why this is important. The industry is, by and large, not private. So it can't go ahead and do exactly as it wants. It must be cautious, and comply with standardized regulations and mandated security processes.

In summary, it is necessary to recognize that an increasing amount of technology in the supply chain is inevitable. It is going to result in a proportionate increase in cyber risk management. The solution is in customizing risk management based on an analysis of motives behind the attacks, a thorough analysis of assets and their vulnerabilities, a backup plan (in the event of security failure) and devising risk management processes that are aligned with regulations.

[ii] Homeland Security: Hack Attempts On Energy, Manufacturing Way Up in 2013, 29 June, 2013:
[iii] In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back, New York Times, 23 October, 2012:

Authored By:
Arun Krishnamurthi, Vice President & Global Head, Utilities, ENU (Energy, Natural Resources and Utilities), SBU, Wipro

Arun is the Global Head for the Utilities business at Wipro. He has been with Wipro's Energy, Natural Resources & Utilities (ENU) SBU since its inception in 1999 and has been a key member in building up the practice & its domain capabilities. He brings with him a rich 20 years of experience

Related Posts

Keeping Data Safe By Harry Stephens

Add your comments:

Please log in to leave a comment!
back to top

Receive Energy Central eNews & Updates


2014 Utility Analytics Week

Wednesday Oct 22, 2014 - Friday Oct 24, 2014 - Newport Beach, CA

Join us for our Third Annual Utility Analytics Week event where you will hear and learn about the hottest topics in analytics today. The analytics revolution is pushing utilities to respond to real time needs arising in the industry as more...

2014 Knowledge Executive Summit

Monday Nov 10, 2014 - Wednesday Nov 12, 2014 - NewPort Beach, CA

Connect with an exclusive gathering of over 100 elite CIOs, VP's of Customer Service and VP's of Operations to network and share knowledge around the most critical issues and opportunities facing utility executives. Enjoy a breathtaking resort setting along the more...

Utilities Executive Forum and Roundtable: November 18-20, 2014

Tuesday Nov 18, 2014 - Thursday Nov 20, 2014 - Ponte Vedra Beach , Florida - USA

Allow us to be your host for a gathering of senior utility executives featuring industry experts from Ferranti Computer Systems, Microsoft and Avanade discussing current challenges and trends in the Utility and Energy industry. We will be providing attendees an more...

Sponsored Content