Why Power & Utilities Struggle with Cyber Security...

56% of utility companies worldwide have lost valuable data, time and money to cyberattacks, just in 2019. Why is the industry facing more cyberattacks now, and what is the secure way forward?

The US government was forced to issue emergency legislation on Sunday after Colonial Pipelines, the largest fuel pipeline in the US was hit by a ransomware cyber-attack. The Colonial Pipeline carries 2.5 million barrels a day - 45% of the East Coast's supply of diesel, gasoline and jet fuel. DarkSide, a cyber-criminal gang on Friday took control of over 100 GB of data and work to restore the service is still ongoing. This is just one of the many cyberattacks on the Energy sector's critical infrastructure in the recent past.

Baltimore City in May 2019 woke up to a crippling ransomware attack that disabled its energy lines for weeks, incurring an estimated?$18.2 million? in damage. In Florida, there was a botched cyber attack recently to poison the water network jeopardising?15,000 people . Closer to Europe is the Ukraine Power Plant hack of three power generation plants, five years ago, that caused an outage for?80,000 customers .

The number of planned attacks on Power and Utilities (P&U) companies has seen a steady uptick in recent years.

56% of utilities? have lost to cyberattacks in 2019.

And it is a direct attack on the business continuity and the bottom line.?

Related: ?9th Cyber and SCADA Security for Power & Utility industry 2022

76%? of energy executive respondents, cited that business interruption was the most impactful cyber loss, including direct loss of revenue, restorative costs associated with reviving operations or improvements to cybersecurity defences, regulatory fines, and legal implications, not to mention the embarrassing reputational damage.

Technical and Human Vulnerabilities

Why is the P&U industry?one of the most hacked ? Going by the McKinsey?report , the P&U industry is more vulnerable to cyberattacks due to three weaknesses.?

First, there has been an increased number of threats?targeting nation-state actors to denote security and economic dislocation?or?for hacktivists to register their opposition?to certain agendas.?Second, because of their?geographic, and organizational complexity, and the?decentralized nature?of the P&U companies, it gives?more “area” for an attack.?

And?thirdly?because of the unique interdependencies between the electric-power and gas sector, and OT and IT networks.?The wide gap between physical and cyberinfrastructure?with all its wireless smart meters, and the interfaces that condense tons of data on energy generation, transmission, distribution and network into the palm of your hand -?makes energy sector companies more vulnerable to contemporary cyber attacks.

The weakest link, though, is human. Employees or users have invariably spread many malware and phishing attempts by hackers. It all points toward the need for awareness and training.?

Related:?9th Cyber and SCADA Security for Power & Utility industry 2022

Cyber Security Challenges for the Digitally Expanding Energy Sector

One of the?biggest challenges for the utility industry?is to have “an?up-to-date, built-in cyber resilience in their system?and organization that can withstand cyber-attacks and guarantee recovery when hit,” believes Jos Menting, Chief Technologist Cybersecurity, ENGIE Laborelec (Belgium). Jos, who spoke with Prospero Events previously, said that to maintain uninterrupted supply organizations should have cybersecurity behaviour as second nature and address?the lack of trained cybersecurity personnel.?

The lack of trained cybersecurity personnel is one of the top concerns among CISOs

The interconnectedness of energy and power systems and the contagion effect?also pose a tall challenge for energy companies, regulators, and stakeholders. Many companies also?don’t seem to have a dynamic risk management protocol?in place if they were to be attacked.?Jan-Tilo Kirchhoff, Managing Director, Compass Security, Germany who took part in our 6th Cyber and SCADA security for P&U industry 2019, affirms, “security needs to be treated on the same level as safety and health requirements.”

How to Move Towards a Secure Future?

The transforming characteristics of the energy sector and a developing vulnerability profile require?a step-change in risk management?with a focus on creating dynamic resilience capabilities. These include an agile and adaptive response framework focused on regeneration and rapid recovery.?

A Cybersecurity first culture is the need of the hour

The P&U industry is perhaps all too aware of risk management. In a digital scenario, though, preparation exercises seem to lack.?Eight out of 10? energy sector organizations revealed they are not actively recruiting digital transformation skills automation or AI. With an ageing workforce and the rapid advancement in digitization, this is not good news.

It starts with a?cybersecurity first culture?within companies. This is critical as?attackers keep growing?and you?need to be up-to-date to defend your business.?

Legacy OT Systems

The majority of Power & Utility companies use legacy OT systems that were not built with security in mind. Many of these systems are still running well past the end of life of their operating systems, making it hard to secure them against current threats.

Exposure to Threats from Digitalization

The utility industry is aggressively embracing digitalization for operational efficiency and, in the process, exponentially increasing the points exposed to the threat. Every device and sensor deployed, from a remote sensor at a wind farm to an IoT component in EV Charging Station could be a potential point of attack for hackers.

Human Factors

The weakest link in the cybersecurity strategy is the people themselves. Lack of a security culture means that the people operating OT systems are not aware of the threats out there and could unknowingly put the critical systems at risk. The power & utility industry is not alien to attacks carried out by insiders either.

Standards ≠ Security

Critical Infrastructure Protection (CIP) in North America and Network and Information Systems (NIS) and other directives in Europe outline the standard for organisations to improve cyber-resilience. However, simply complying with security standards does not ensure security. Also, not all organisations are in compliance 100% of the time.

The Skill Gap

There is a worldwide shortage of skilled personnel capable of?developing and analyzing OT cyber security. Employing professionals with the skills and the experience to strengthen and maintain the OT and IT systems’ defences remains a challenge for the power & utility industry as well.

Share best-practices

There is no such thing as a silver bullet to tackle the potential threats. However, you do not need to reinvent the cybersecurity wheel yourself either; you can learn the best practices& from those who do it the best.

Here is a golden chance to be updated with the best tech and network with the best minds in Cyber & SCADA security in Europe. Join the?9th Cyber and SCADA Security for Power & Utility industry 2022 ?to join the conversation on the fast-evolving threat landscape and best practices to prevent, mitigate and manage incidents.