Few industries impact as many people and businesses around the world as the power and utilities sector. Virtually everyone relies on electricity on a daily basis, and to go without power can be a major hardship. Just ask anyone who has experienced an outage. From a business standpoint, a loss of power even for a few hours can deal a significant blow to operations.
That’s why strong cyber security is so critical for this industry. Many fear that hackers or cyber criminals could cause disruption in the power grid, wreaking havoc on society and in the business world.
As noted in a 2016 post by the National Cybersecurity Institute (NCI), an academic, training and research center that helps organizations meet cyber security challenges, spear-phishing email attacks, malware and viruses have been identified as ways hackers aim to gain access to power plants.
“It is important to realize cyber criminals can, and do, target virtually any digital device or system, including power and electrical systems,” the post said. “When it comes to our nation’s electric, water and power utilities, cyber security needs to be a priority. It is a complex and complicated infrastructure and plays a pivotal role in the delivery and performance of so many of our daily functions and processes.”
In addition to the sensitive data at risk, cyber attacks against utilities threaten the distribution of power throughout entire regions, as well as the function of operational processes at the individual, business and government level, NCI said.
In its 2017 Global State of Information Security Survey, consulting firm PwC says power and utilities organizations “face a dramatic increase in attacks by sophisticated adversaries such as nation-states and organized crime, as well as more typical compromises by employees.”
Over the past few years, power and utilities companies have steadily augmented their information security budgets, PwC said. Security spending rose 3% in 2016 over the year before, and has jumped 53% since 2012.
But despite the steady increases in spending, the number of detected incidents has gone up and down significantly, rising one year and dropping the next. Companies in the sector are improving their ability to detect compromises by highly skilled threat actors such as terrorists, foreign nation-states and hacktivists, the report said. They also reported new attack vectors and risks, including phishing schemes, business email compromise and ransomware.
Over the coming 12 months, the study said, power and utilities companies said they would invest in priorities such as aligning business objectives with information security strategy and improving collaboration among the business and IT organizational units. Many are also deploying technologies such as digital enterprise architecture and advanced authentication to help build a strong foundation of digital capabilities and address new cyber security and privacy needs resulting from evolving business models.
Increasingly, power and utilities businesses are integrating common security safeguards for cyber security, physical security and operational technologies to reduce risks, boost efficiencies and help ensure safety, PwC said. Already, many are well on their way toward aligning technologies, processes and people skills between IT and process control networks.
For example, 61% of the companies PwC surveyed said they have a single leader responsible for cyber security across corporate IT systems and process control networks. And 63% said they involve information security personnel when building or enhancing process control network systems. To help marshal an integrated response to cyber security compromises, more than half of power and utilities companies said their incident-response programs address both IT and operational technology systems.
Power and utilities businesses are deploying new technologies, processes and skills to update their cyber security practices, the report said. Nearly two-thirds (64%) have implemented a risk-based security framework, and half participate in industry or governmental information-sharing organizations.
A majority of companies in the sector are using advanced authentication, and many employ managed security services to run and improve cyber security capabilities such as authentication, monitoring and analytics, and identity management.
These efforts need to continue and be stepped up in order for power companies to effectively defend against attacks.
The U.S. Department of Energy, in its Quadrennial Energy Review released in January 2017, said “in the current environment, the U.S. grid faces imminent danger from cyber attacks, absent a discrete set of actions and clear authorities to inform both responses and threats.”
Widespread disruption of electric service because of a transmission failure initiated by a cyber attack at various points of entry could undermine lifeline networks, critical defense infrastructure, and much of the economy, according to the Energy Department’s report.