An overwhelming majority (89%) of power and utility executives say their cybersecurity function does not fully meet their organization's needs, according to the EY Global Information Security Survey 2016-17.
That number continues to rise compared with last year (86% in 2015) as companies struggle to manage increased risk from growth in digital and connected devices.
"Cybersecurity efforts must evolve with advancing technology. The proliferation of digital devices and the convergence of operational technology (OT) and information technology (IT) environments are creating new efficiencies and business improvements but are also increasing the attack surface of power and utility companies," said Matt Chambers, EY Global Power & Utilities, Risk and Cybersecurity Leader. "Now, with attackers casting their sights on bigger targets, critical infrastructure is more at risk than ever before."
Fifty-eight percent of survey respondents acknowledge they have recently experienced a significant cybersecurity incident. Employees were overwhelmingly considered to be the biggest source of attack, with 84% of respondents listing careless employee actions as a threat. The majority (58%) of executives rated security awareness and training as a high priority.
Chambers said: "Power and utility companies are grappling with significant disruption in the sector and the security implications of digital transformation often get lost. As a result, too many organizations only consider investing in cybersecurity after there is a large breach or if it's mandated rather than committing budget up front."
The majority (66%) of power and utility executives say budgets will increase over the next 12 months, but it may not be enough. Thirty-nine percent of respondents say they need at least a 25% budget increase to achieve their desired level of risk tolerance. However, only 13% expect this magnitude of increase in funding.
"Protecting customers, employees and the wider community requires a robust program to sense, resist and react in the most effective way possible to different risk scenarios. Cybersecurity efforts often prioritize preventative controls – and it is important hygiene to protect the technology from standard threats – but that will be insufficient against a determined attacker. Utilities must invest in strengthening detect and response capabilities. Attacks to disrupt safe and reliable service are already occurring," said Chambers.