Deloitte Lays Out Three Cybersecurity Obstacles Facing Retail Power Companies, and Three Steps to Overcome Them
Managing cyber risk in the electric power sector: Deloitte Global report
- February 4, 2019
Three obstacles stand out when it comes to retail power companies' efforts, and their capacity, to reduce cyber risk, according to a recently released report from Deloitte.
Digitization of power grids and generation assets is opening up new, wide vistas for those looking to perpetrate cyber attacks, or otherwise threaten or compromise the production and delivery of electrical power and energy. The energy sector perennially ranks as one of the top three U.S. economic sectors cyber attackers target, and the frequency and sophistication of cyber threats continue to increase, according to Deloitte's report, Managing cyber risk in the electric power sector.
“The advancement of electrical infrastructure presents an interesting obstacle for cybersecurity: as grids become modernized and digitized, they become more supported by and integrated into third-party operations,” says Paul Zonneveld, Deloitte Global Energy & Resources Risk Advisory leader. “With increasingly complex global supply chains, power companies will need to identify and map threats across the extended enterprise.”
A "uniquely critical enabling function"
The production and delivery of high-quality electricity with near 100-percent reliability has come to be a fundamental building block, defining attribute and the lifeblood of modern industrial and post-industrial age societies the world over, the Deloitte report authors point out.
"The power sector is seen as uniquely critical for the 'enabling function' it provides across all critical infrastructure sectors. If the power went out across a large region for an extended period, highly dependent systems—such as financial, communications, transportation, water, and sewer networks—would be severely impacted, leaving the population immobile, incommunicado, and in the dark. In a word, vulnerable," they write in the report.
U.S. energy sector participants reported 59 cyber attacks in 2016, 20 percent of the annual total of 290 across all sectors. Only critical manufacturing and communications reported more, Deloitte highlights in the report.
"What’s more, electric power companies report a continuous barrage of attempted intrusions, and though most fail, activity is accelerating," they continue. "U.S. Energy Secretary Rick Perry commented that such intrusions are 'happening hundreds of thousands of times a day.' And in early 2018, there was 'an extreme uptick' in cyberattacks targeting the electric grid in North America."
Three notable obstacles and three steps to overcome them
Deloitte's report authors lay out the three notable obstacles standing in the way of retail power companies reducing cyber threats and cyber attacks across the supply chain.
- Ownership of the cyber supply chain is often ill-defined, so companies must establish clear accountability.
- As pressure mounts to move operations to the cloud, companies must do their due diligence in assuring that providers are secure.
- Companies often do not have the manpower to assess cyber risks from their vast number of suppliers.
The Deloitte report authors go on to recommend three steps retail power companies can take to overcome these obstacles.
- Map infrastructure assets and evaluate vulnerabilities: Electrical power companies should map infrastructure assets and prioritize them by cruciality. They should next determine the vulnerabilities of assets and assess the maturity of the control environment for managing threats. And finally, companies should build a framework for protecting critical assets using people, processes, and technology.
- Evaluate suppliers’ security processes: To manage cyber risk in the supply chain, a promising first step is to engage with the supply chain procurement function. Electric power companies must understand suppliers’ cybersecurity processes for products and services and assure that they comply with leading industry practices.
- Engage with industry peers and government agencies: Managing cybersecurity risk should not stop at the individual enterprise level. Electric power companies can improve cybersecurity processes by helping to establish industry standards, exchanging threat intelligence with peers, and testing new technologies.
“Technological innovation and analytics should drive every electric power company’s cybersecurity strategy,” adds Zonneveld. “New tools are increasingly available, and the capability to monitor networks in real time, discover threats, and address them is advancing rapidly—providing needed protection for the industry at large.”