From the ransomware shutdown of the Colonial Pipeline to SolarWinds impacting 25% of energy utilities, cyber crimes are stacking up against energy companies. But utilities and the energy sector are taking longer to catch up on cybersecurity than other industries.
If we turn the clock back less than ten years, we see much of the world’s energy infrastructure was not digitalized. Cyber risk was not even on the radar of most utilities. Times have changed. The energy sector is now experiencing a great transformation, shaped by digitalization. The adoption of sensors and intelligent technologies is helping utilities develop new business models and more effective ways to manage their assets, from substations to RTUs, as well as more easily integrate renewable energy. In addition, the convergence of information technology (IT) and operational technology (OT) is knocking down silos to reveal new synergies across organizations and opportunities for increased efficiencies.
It’s easy to see the benefits of the energy sector’s digitalization. Yet the rapid pace of this digitalization, combined with relatively low investment in digital risk management, can leave this sector more vulnerable to costly cyber attacks than other industries. Industries such as financial services, for example, have been dealing with cyber threats for much longer. This reality has elevated cybersecurity to a critical level of concern for utilities.
Unique cybersecurity roadblocks facing utilities
For decades, utilities have successfully managed the resilience of the electricity system. This has led to some very distinct principles, such as:
- Resilience by design
This foundational principle entailed designing electrical systems so that they could overcome major failures while maintaining security of supply. However, this principle also isolated the power system from the outside world to minimize external effects on the system.
- High degree of workforce specialization
The engineering workforce for utilities is highly specialized and focused on the operation of specialized systems. This segregation, while very effective in the operation of a siloed system, led to minimal cross-disciplinary collaboration and to highly experienced experts who are used to running their part of the system independently and without interference.
- “Never change a running system”
Ensuring the safety of human beings is of paramount importance in a dangerous system such as electricity. With this in mind, the belief that a successfully installed system should not be changed has slowed down or, in some cases, blocked system migrations necessary for security reasons.
- Build for generations
Due to the costly nature of electrical systems, the principle of building grids for several decades made and still makes sense. With computer technology and digitization taking over, this principle needs to be adapted for secondary technology, and shorter life cycles need to be planned for to ensure state-of-the-art security.
- Physical security is second priority
The resilient grid design and the dangerous nature of electricity have historically made infrastructure security and access control a low priority. In today’s world, managing physical security tightly and rapidly correlating security events has become necessary to prevent cyberthreats from local intrusions.
How utilities can overcome these challenges
During my time at Swissgrid, the company embarked on a focused initiative to tighten up its cyber- and physical security practices and risk management. We sought global input, including experts from the U.S. Very quickly, we came to realize that the security culture needed to go hand-in-hand with operational measures.
Defining a security strategy and allocating the responsibility for both cyber- and physical security to a Chief Security Officer helped to build the base. We also came to realize that building and operating our own Security Operations Center (SOC) was not enough: despite having an excellent team, we could not match the speed with which the threats changed. We therefore collaborated with others to foster practice and information exchange. Finally, and equally important, we recognized the need to remain nimble and humble, acknowledging that complacency is the road to increased vulnerability because there is no way to know what an attacker might have prepared.
Cyber threats and attacks will never go away — in fact, their scale and impact continue to grow at an alarming rate. To navigate this with success, utilities need to develop a diverse, collaborative, security- and safety-minded culture from the ground up. They should embrace an attitude of constant vigilance and flexibility, and leverage powerful digital tools across the dimensions of cybersecurity, operational technology security and physical security. Simply put: defense in, disruption out.