Cybersecurity in Energy Sector
Cyberattacks are on the increase in the electricity sector, yet IEA analysis indicates that utilities face serious difficulties in finding and retaining the skilled professionals needed to defend themselves.
As with most industries, utilities increasingly use digital technologies to better manage plants, grids, and business operations, which contributes to energy security by improving quality of supply, providing additional services to customers, and enabling clean energy transitions through the integration of distributed energy resources. However, this progress comes with risks. Digital systems, telecommunication equipment, and sensors throughout the grid increase utilities’ exposure, as each element provides an additional entry point for cybercriminal organisations.
Publicly available information on significant cybersecurity incidents is limited due to under-reporting and lack of detection. However, there is increasing evidence that cyberattacks on utilities have been growing rapidly since 2018, reaching alarmingly high levels in 2022 following Russia’s invasion of Ukraine. Recent cyberattacks in the electricity sector have disabled remote controls for wind farms, disrupted prepaid meters due to unavailable IT systems, and led to recurrent data breaches involving client names, addresses, bank account information and phone numbers. Worldwide, the average cost of a data breach hit a new record high in 2022.
Critical infrastructure, including gas, water and particularly power utilities, are favoured targets for malicious cyber activity.
Current cyberattack trends pose an unprecedented threat to critical infrastructure, such as electricity systems
While electric power utilities across the globe already dedicate substantial budgets to cybersecurity - averaging 8% of total IT budgets in the United States and Canada - job posting data from major power utilities in the United States shows that cyberattack events trigger sudden increases in demand for cybersecurity professionals, suggesting a lack of long-term strategy or planning in the past. Smaller companies in the United States and others in developing economies could show similar behaviour in the future after suffering preventable attacks.
Cyberattacks on power utilities often trigger sudden increases in demand for cybersecurity professionals
European Union utilities have also been in reactive mode. While the implementation of secure remote working (both for corporate and industrial systems) and related cyber risks may explain the job positing peak in February 2020, these trends suggest that European Union utilities were not fully prepared at the time to face critical events such as the Covid-19 pandemic and Russia’s invasion of Ukraine.
Despite these occasional spurts in cybersecurity job postings by power utilities, long-term data from the United States shows a slight decrease in the share of cybersecurity among total postings in the sector since 2010. By contrast, the share of cybersecurity job postings in finance and insurance companies in the United States has increased almost threefold during the same period, and that in the public administration almost twofold.
In addition to lower rates of job postings, power utilities have difficulties recruiting and retaining cybersecurity employees due to three main reasons:
领英推荐
1. A worldwide shortage of cybersecurity workers across all sectors, estimated at 3.4 million people in 2022.
Available data for the United States, Canada and the United Kingdom suggests salaries offered by power utilities in cybersecurity job postings are among the lowest for the occupation.
2. Power utilities require specific cybersecurity skills adapted to their regulated technical and operational activities.
Given the wide range of job vacancies, cybersecurity experts are likely to prefer sectors offering better conditions, further increasing the shortage of professionals in the power utility sector. Finance and Banking, in particular, is a sector well known for its high levels of investment in cybersecurity.
3. Salaries offered to cybersecurity hires in power utilities are among the lowest, in general.
Considering these findings, it is not surprising that power utilities seem to have difficulties finding cybersecurity profiles adapted to their tasks. This is certainly due in part to the very specialised nature of their activities and the high degree of digitalisation in recent years, leading to complex IT and OT systems capable of remote control and operation of plants and grids.
Responsibility for securing power systems does not rest exclusively with power utilities. Policy makers play a central role in enhancing the cyber security of power systems, along with regulators and equipment providers. Without a strategic approach towards ensuring cyber-skills, power system stakeholders may not be able to effectively cope with future attacks. The main action areas for achieving more appropriate electricity security frameworks are institutionalising responsibilities and incentives; identifying, managing and mitigating risks; monitoring progress; and responding to and recovering from disruptions. Smaller utilities may require additional support from policy makers and regulators, as their fixed costs for cybersecurity infrastructure and systems are higher in relative terms.
Although long-term data on job vacancies seems to suggest that demand for skilled cybersecurity personnel at power utilities is relatively stagnant, the sector has been doing well in terms of business continuity and resiliency, namely absorbing damage and avoiding major impacts to end users. In order to achieve this, many power utilities have relied on external support from specialized companies instead of creating large inhouse cybersecurity teams.
Cyber threats will continue to evolve and become both more frequent and more powerful, given the established business models of cybercriminals and the wide range of advanced technologies at their disposal. It is therefore essential that every power utility, big or small, includes cybersecurity as a core element of their business strategy and ensures access to inhouse / externally supported or augmented cybersecurity professionals and their skills, continuously updating them and ensuring talent availability and retention.