Most agree that there is an increased number of cybersecurity threats and actors today targeting the Utilities industry. Nation-state actors seek to cause security and economic dislocation – and Utilities are high on their list of targets. These external threats create additional risk along with the traditional threats posed by cybercriminals who understand the economic value of the Utility sector and hackers/activists who stand in opposition to Utility companies’ projects or other agendas.
Utility companies’ attack surface has greater exposure now with the advent of digitization – and most are further burdened by their excessive technical debt. Electric-power and gas facilities feature a unique interdependence between physical and cyber infrastructure. This interdependence makes them vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines and even physical damage. The proliferation of vehicle electrification and micro-grids will only add to the complexity.
While most utilities have become aware of their cybersecurity risks, many struggle to secure funding to invest in OT and IT cybersecurity controls. Regulators often lack the dedicated talent needed to review cybersecurity program investment requests, which can impede the utility’s ability to achieve cost recovery of needed cybersecurity improvements. The result is uneven approaches and outcomes to securing funding for incremental investment in cyber capabilities.
Traditional Approaches to Managing Cybersecurity Risk
Two approaches to managing cybersecurity have been dominant in the Utilities industry. If a utility outsources infrastructure management, part of that scope of responsibility typically includes cybersecurity. Depending on the utility’s preferences, the scope can be limited to execution-oriented tasks such as patching and/or staffing of the security operations center (SOC), managing security information and event management (SIEM) platforms, and responsibility for building and maintaining information security management systems (ISMS). In other cases, the scope includes more strategic responsibilities such as threat hunting, data loss prevention (DLP) and identity governance and administration (IGA).
For companies that use in-house teams, these activities and tasks will be among the tasks they perform. Some utilities have repatriated outsourced security services and encountered issues in attracting and hiring in-house resources due to a highly competitive labor market.
The Evolving Cybersecurity Complexity
Cyber seems to be continually in the news. For utilities, the topic has broadened from the long-standing Critical Infrastructure Protection (CIP) requirements to include the Transportation Security Administration (TSA) requirements to avoid situations like the Colonial Pipeline breach. These requirements add to the cybersecurity challenges facing all high-profile businesses and the additional responsibilities for any utility managing nuclear facilities. Sound complex? It is!
Utility CIOs and CSOs find themselves in the crosshairs of regulatory oversight bodies, concerned C-Suite peers, inquisitive board members and, on occasion, the press and public. Against this backdrop, the cyber environment in the Utilities industry has changed dramatically. The technical operations, systems and footprints of Utilities have always been costly and complex. The breakneck pace of digitization in both IT and OT environments has upped the stakes. More recently, the business challenges spurred by the COVID-19 pandemic have accelerated the adoption of digital solutions that rely on data, digital networks and devices.
As a result, complexity has driven up cyber risks and costs in such a way that they are now a significant consideration in the IT budgeting process. The number of serious cyberattacks is on the rise and include potentially devastating “ransomware” attacks and threats from hacktivists and nation-state agents who target vulnerabilities in a country’s ability to operate in our energy-dependent economy.
Cybersecurity Talent Shortage
A cybersecurity talent shortage is also impacting utility companies’ ability to mitigate risk and respond to attacks. In 2021, there were approximately 3.5 million unfilled positions in the cybersecurity industry. The problem is that technology requiring cybersecurity protection has become ubiquitous – and demand for these skills is more than anyone predicted.
For asset-intensive utilities, efficiency and reliability strategies have resulted in increased sensors and automation and an overwhelming – and growing – number of devices for IT staff to manage. As utilities bring more infrastructure online and rely more on the digital realm to store and manage sensitive data, it quickly becomes obvious there is a need for more cybersecurity professionals.
Finding and attracting qualified cybersecurity professionals is a global issue. The men and women with the necessary expertise are in such high demand that they basically have their pick when it comes to career selection and, unfortunately, the local “stodgy” utility company is often not top of mind for new graduates. The need for deep domain experience in utility-specific technologies and advanced certifications to deal with SCADA systems and possible NERC-CIP compliance further shrinks the pool of available talent.
New Cybersecurity Approaches Are Emerging
Both inside and outside of the industry, new approaches to cybersecurity are emerging. Utility CIOs and CISOs are seeking secure, vigilant and resilient approaches. The factors discussed above demonstrate the complexity. In response to that complexity there has been an increase in cybersecurity specialization. Utilities seeking external support will find that external providers, large and small, have cybersecurity teams performing in autonomous ways, giving them more direct control over solutions, methodologies and focused scope areas. How utilities will experience this is by an increased willingness to take on cybersecurity scope in standalone contracts.
Another benefit of the trend toward specialization is the emergence of specialized providers. Utility companies now have more workable cybersecurity solutions to choose from. It is important to consider that niche providers may be better positioned to work as part of an in-house team when internal management is a goal.
Regardless of whether your solutions are in-house, supplemented or outsourced, utilities should consider the following technology features:
- Advanced analytics: Real-time analytics are used to verify conditional access policies and identify high-risk sign-in behavior. The signals generated are fed into analytic tools such as conditional access to determine if access should be allowed, limited or blocked. It integrates with security information and event management (SIEM) tools to trigger further investigation. Security service and solution providers leverage advanced analytics to offer advanced dashboards around risk assessment and compliance based on the ingestion of large volumes of data. Robust analytics capabilities, gained from real-life cases, allow consultants to recommend innovative solutions.
- AI expertise: Leading security solution providers are building a cyber threat intelligence ecosystem with advanced AI-powered attack and detection platforms. Whether self-managing cybersecurity or seeking outside assistance, a utility should consider leveraging AI. AI-powered cybersecurity solutions improve the capacity to respond to and recover from cybersecurity incidents.
- Strategic acquisitions to broaden portfolio: Cybersecurity providers are actively acquiring other providers to strengthen their portfolios. The niche provider you choose today may become part of a larger organization tomorrow. The mark of a valuable acquisition is when the action results in additional specialized capabilities such as cyber risk analytics and cloud security.
Implications for Utility CIOs
Utility IT cybersecurity is no longer just a technological problem. It needs to be a company-wide directive. An enterprise solution must include regularly updated processes and policies, frequent security audits and drills and due diligence on any vendor with which your business may work. Utilities need to clarify roles and responsibilities between the CISO and the CIO.
Utility CIOs should keep in mind the following five considerations when addressing internal cybersecurity needs:
- Consider cyber requirements and threat management in isolation from other IT functions, such as applications or infrastructure.
- Partner closely with the CISO organization to align execution and policy. Policy benefits from considering the constraints of execution and execution forms the foundation of compliance.
- Be open to listening to cyber-focused providers even if the firm names are unfamiliar. In doing this, it is important to be aware that traditional utility services agreement templates may have requirements that are difficult for smaller firms to accept.
- The underlying technology needed for robust cybersecurity is changing fast. Ensure that your requirements and procurement processes encourage a discussion of the current technologies employed as well as an enhancement roadmap.
- “Double click” on claimed capabilities. Cybersecurity is now mission critical. When considering outsourcing, give your full attention to performing thorough due diligence on proposed solutions.
ISG helps utilities assess their cybersecurity needs, make a plan and select the appropriate providers to make it happen. Contact us to find out how we can help.