The utility industry is no stranger to threats, but as the threat landscape has grown and evolved, incidents have become much more unpredictable and difficult to manage. As the traditional risk management model in the industry has typically been reactive or procedural, this leaves organizations in a vulnerable position.
For example, extreme weather events have been steadily rising globally in recent years. The World Meteorological Organization recently found that the number of weather-related disasters globally had increased five-fold over the past 50 years. From the Atlantic hurricane season last year, to recent winter storms across central and Northeast United States, extreme weather events show no signs of dissipating. Not only are they increasingly unpredictable, the decentralization of renewable energy storage and generation means that grids have a wider array of geographical vulnerabilities.
The growth of smart grids has also opened up the attack surface to include cyber security threats, which are also growing immensely. This new risk profile reflects the critical interdependencies between an energy grid’s physical and virtual infrastructure. Utilities are faced with a widening attack surface caused by the increasingly complex and expanding Internet of Things (IoT) as well as the shift to decentralized systems.
Rethinking how we approach and manage risk
With the evolving threat landscape in mind, utility companies must have reactive and flexible disaster recovery plans, as well as adopting proactive network resilience strategies. While the industry may be more familiar with certain types of threats, they must also prepare themselves to tackle more unpredictable black swan events too.
To be as resilient as possible, utilities must first seek to gain an accurate view of the network by capturing, curating, and integrating data from all corners of the organization so they can assess potential risks with a bird’s eye view. Utility organizations can use historic data to inform resilience plans by identifying the hazards most common to their service area and institutionalizing insights from previous similar events. Live data is also essential to provide a real-time ‘risk picture’, which can be used to identify new trends.
For example, some operators are using geospatial data to create a location-based outage dashboard to track the site and source of power outages in real-time. In doing so, they are also helping to ensure efficient crisis management and promoting safety and long-term customer satisfaction.
Making data valuable
Unfortunately, many operators still don’t have access to valuable data because their existing geospatial information systems aren’t integrated with information from the network or wider workforce. It is uncommon for network data to be held in a digital, mobile-friendly, and therefore more accessible format which enables operators to draw on live intelligence from workers in the field.
Many networks also don’t link all network data with location, and they only have a graphical view of their network, not an accurate technical model that can evolve and change.
This lack of network intelligence makes it difficult to understand the status of the network, the exact root of risks and how to develop mitigation strategies. Without an intelligent digital System of Record (SoR), data is often siloed in various parts of the business, hidden away and inaccessible. This leaves risk managers in the dark and doesn’t provide them with the best possible view of potential network vulnerabilities. In order to achieve greater resilience, there are several steps businesses can take.
I have outlined the four considerations that I believe contribute to better data-driven network resilience below.
● Create a ‘risk picture’ of your current network
It is important to assess the current network to identify points of failure to mitigate network weaknesses. Digitize and decentralize network data sources to create a risk picture drawing on diverse, live data on the ground and link this to accurate location data. Companies should be drawing on live, local data from field workers’ mobile devices and remote sensors and overlaying this onto geospatial network data to reveal the locations and hazard sources. This should be used to inform a real-time, network-wide risk picture.
● Ensure security is front of mind
Prioritize critical network software that supports state-of-the-art security as well as geographic resilience. Regardless of whether a company prefers on-premise or third-party cloud environments, they should ensure that their network data is encrypted and that they have a copy so there is no single point of failure when threats arise.
● Create an incident response strategy
Evaluate the impact an incident could have over your network and create a plan of action to limit the damage should an incident occur. Companies should take steps to create a company-wide damage assessment and incident response strategy for office and field teams. This proactive approach can vastly limit the impact of a threat if it comes to fruition. When Typhoon Faxai hit Japan, Tokyo Electric Power Company (TEPCO) was able to overlay live geospatial information on blackout locations onto Google Maps data to help engineers quickly identify the sites of damage or hazards.
● Test, and test again
Organize regular drills to test your IT systems and operational procedures and to ensure your systems and teams have everything they need to respond to incidents quickly and efficiently. Both physical and virtual infrastructure, as well as the workforce, should be tested to ensure that the network is as resilient as possible. This includes training field teams so they are prepared for the unexpected and adapting network assets to mitigate against edge cases. This will ensure that best practice is baked into workforce behavior and procedures.As the threat landscape continues to grow in the virtual and physical world it’s important for the sector to reassess current risk management approaches and ensure they are still fit for purpose. By following the guidance set out above, operators will be in a strong position to create an accurate risk picture that will inform a network resilience strategy that leads directly to a more resilient business.