Utilities are evolving fast through digitization. More assets are connected today than ever before as utilities seek to become agile, customer-focused and innovative. This leaves the sector vulnerable to cyber attacks, as has been witnessed throughout the world in recent years.
Role of the Utilities sector
As nations develop and bring prosperity to people, the contribution made by the utilities sector (primarily energy, water, sanitation, and even telecommunications) needs to be acknowledged. These infrastructure-heavy industries play a critical role, albeit a silent one, in building the backbone of any country. It is also noteworthy that the utilities sector acts as a multiplier for most other downstream industries and businesses. The energy industry alone contributes approximately 3-5% of GDP for countries like the USA, the UK and Germany. With so much at stake, it is very important to keep these assets in peak working condition for the betterment of the economy.
Mega trends in Utilities
In the future there will be two distinct styles of utility.
The energy industry has witnessed significant changes across the value chain – in the way energy is created, transported, stored and consumed. Furthermore, there have been developments in technologies available to execute supporting functions – from cloud computing to digital technologies.
Clear and present danger
In the new paradigm of a connected world, where different ideas and interests jostle for dominance, the threat of cyber attacks looms large, particularly over utilities sector infrastructure, given its critical role in the economy. Any serious act of cyber terrorism can cripple a nation and cause immense economic and social harm. Over the past decade or so, around the globe, there have been multiple incidents where unknown actors have hacked into critical systems and stolen information.
Given the threat profile, industry experts have expressed concern over the current state of cyber security preparedness.
The utilities sector is vulnerable to two types of cyber attacks, driven largely by the convergence of OT/IT infrastructure by way of digitization:
- Attacks on IT systems used for business and administrative purposes. These involve corporate breaches where networks are attacked, office computers are compromised or business information is stolen.
- Attacks on OT systems such as sensors, Supervisory Control and Data Acquisition (SCADA) systems, software and other controls that facilitate pipelines, power plants, and Transmission & Distribution (T&D) grids.
The US energy subsector adopted the Cybersecurity Capability Maturity Model (C2M2), developed via a public–private partnership initiative. The model aims to enhance the subsector's cyber security capabilities while providing a clear way to understand the cyber security preparedness of the infrastructure.
The C2M2 model helps organizations to evaluate, prioritize and improve their own cyber security capabilities. Importantly, the model provides a common language and appropriate initiatives that non-technical decision makers can readily use to combat the issue. Encompassing much more than just technical solutions, the model helps organizations assess and manage their true vulnerabilities: people, processes and reporting.
Our Point of View
Through years of consulting experience in the industry on specialist IP and a research base, blended with practical on-ground experience, at our group Cordence Worldwide, we have the following point of view regarding cyber security issues within the utilities sector:
- Cyber security is a business issue and not just a technical matter. It needs to be looked at from a holistic standpoint because today, cyber capabilities are the weakest point that can elevate risks and increase the impact of malicious incursion in any organization. We have seen in most cases that human beings, and their inability to maintain and comply with appropriate process discipline, are the root cause.
- Boards need to include cyber security as a board level agenda item and manage cyber risk in the same way that other risks are managed. This includes the risk of the entity not complying with various national and international government requirements and standards.
- We recognize the unique nature of utility assets. These assets are critical to the economic well-being of the jurisdictions in which they operate and any failure of these assets can cause catastrophic impacts on the economy and the people that economy serves.
- The megatrends in the industry mean that the opportunity for this risk to be significant will only increase over time unless appropriate risk management techniques are put in place.
- We think that good cyber risk management involves the following:
  - A cyber security risk management program to identify, analyze and mitigate cyber security risks across the organization and its supply chain.
  - A program covering both operational technology (OT) and information technology (IT) assets.
  - Ability to manage threats and vulnerabilities with appropriate plans and procedures.
  - Capability to be situationally aware and to constantly scan for potential future threats.
  - A culture that views cyber security risk management in the same way as other core functions.
  - Work with other utility organizations to share critical information, strategy development and operational activities.