Digital transformation is coming at critical infrastructure at a rapid pace. Where power and utility organizations might have had decades in the past to react and ready for change, today’s distributed energy resources, smart grids, and “electrification of everything” are tightening the timeline to adapt and evolve. At the same time, mounting cybersecurity threats represent one more moving target.

Ernst & Young’s (EY) 2017-18 Risk Pulse survey saw power and utility (P&U) organizations identifying business interruption from cyber attack, storms and catastrophic events as their top concern. Some 80% of the global survey respondents ranked this business interruption as “more or much more important than other risks.” Automation and connected devices, too, are expanding the cyber attack surface for global P&U operations.

The firm noted, “security risks are constantly evolving, as the attack surface keeps getting larger across physical assets, digital infrastructure and business processes.” As evidence, the report pointed to Symantec’s warning about Dragonfly 2.0’s campaign targeting dozens of energy companies in spring and summer of 2017, and gaining access to their networks in more than 20 cases.

Yet over half of the survey’s respondents “do not appreciate or have only partially considered IS implications, risks and threats in their strategy and do not have plans to change their current course.” Additionally, 71% were dissatisfied with their present information security functions.

63% of P&U respondents say they don’t have a dedicated role within the security function focused on digital and the IoT. — EY

Critical Infrastructure Cybersecurity Threats

Many utilities need a deeper understanding of possible threats. The cyber landscape is increasingly complex for power players including:

  • The move to collect, store, and analyze large amounts of data across interdependent assets and systems can increase enterprise domain risks.
  • Electric, gas, and water networks are increasingly connected to complex industrial control systems (ICS) making it necessary for vigilance with security upgrades and mitigating threats.
  • More energy-related systems and technology are seen in the consumer domain — from DERs to electric vehicles and smart appliances — even as customers demand greater transparency and sharing of information, which is further expanding the surface for cyber attacks.
  • Difficulties monitoring the perimeters of the ecosystem. Some 58% of utilities find it increasingly challenging to secure systems at the edge (compared to 36% across all sectors).

85% feel the most obvious point of weakness will come from careless employees. — EY

Utilities face other unique challenges in protecting critical infrastructure. For one thing, they are often working with legacy infrastructure and resources are more often allocated to the physical than to systems and information security. In fact, in the EY pulse survey, 29% of respondents said they required more funding to achieve the desired level of risk tolerance while only 9% expected to receive a budget increase of more than 25%.

At the same time, a majority (62%) said that an attack that didn’t cause harm would be unlikely to prompt a budget increase. This, even though, a 2017 Gartner report suggested it takes 99 days on average for an intrusion to be detected.

At the same time, utilities exist in a dynamic regulatory environment even as they work to manage evolving technology, sophisticated ICS and SCADA systems, and potentially large amounts of customer and employee data.

Fighting Back Against Cybersecurity Threats

EY recommended several risk management strategies RedTeam can enthusiastically echo:

  • Assess risk appetite and tolerance
  • Clarify roles and responsibilities in monitoring, managing risk
  • Know that compliance management is not risk management
  • Set up a risk management and coordination framework that addresses compliance standards and business continuity needs

Click below to download our free NERC-CIP Compliance Checklist for critical infrastructure organizations

Ultimately, cybersecurity demands end-to-end awareness of threats and the business’s security framework. Based on an in-depth look at risks and assessment of risk tolerance, the P&U professional can better develop a strategic approach to adapt to the market’s accelerating rate of change without simultaneously increasing the risk.

Understanding points of weakness and potential threats and having a robust response plan in place can make an important difference. After all, the security of critical infrastructure impacts every one of us.

Part of a proactive strategic approach can be finding the right partners. Preparedness demands that the P&U player identify, protect, detect, respond, and recover. RedTeam’s experts can help you take a more robust approach to your security and provide guidance in your remediation efforts. Contact us today to schedule your free security consultation.

Do you have questions regarding your risk readiness or comments on taking a proactive approach? Leave them in a comment below and a member of our team will respond!