Are utilities doing enough to protect themselves from cyberattack?

For companies pushing the bounds of innovation in the utility industry, information technology (IT) has increasingly acted as its eyes and ears, leveraging big data, advanced analytics and cloud computing to provide an understanding of real-time operating environments in fleets that may stretch tens or even hundreds of miles.

Utilities also use IT to control and balance operational technology (OT) – like distributed wind, solar and energy-storage assets with centralized power generation – to reduce emissions, improve efficiency and reduce costs for customers. The digitalization of OT assets for global utilities has opened seemingly endless opportunities. However, it has also exposed the vulnerability of critical infrastructure to cyberattacks.

A recently released cybersecurity report by Siemens and the Ponemon Institute explores this risk. It found that cyberthreats to utilities’ OT are growing more severe and sophisticated. It also assesses the industry’s readiness to address future attacks and puts forward solutions to help the industry secure critical infrastructure.

Clearly, the threat isn’t on the horizon. It’s already on the doorstep. Fifty-four percent of the 1,726 utility professionals surveyed — representing electric utilities around the world with gas, solar and wind portfolios, as well as water utilities — expect at least one cyberattack on critical infrastructure within the next year. A slightly larger majority reported experiences with a shutdown or loss of operational data annually.

Utilities are facing a perfect storm. Just as the industry is undergoing a digital transformation to modernize legacy equipment, prepare for a more distributed energy landscape with greater renewable integration, and protect customers against disruptions in service, cyberattacks have the potential to cause severe financial, environmental and infrastructure damage. But that shouldn’t deter efforts to realize the possibilities offered by the Fourth Industrial Revolution, including making investments to transform the sector that will bring power to the world and reduce emissions.

The troubling results in this report should instead drive utility industry executives, managers and security professionals alike to hold the necessary discussions that will lead to productive action for the safety and security of companies and our critical infrastructure. By identifying tough pain points and vulnerabilities, we can build awareness and share best practices to eliminate them.

And it’s apparent more must be done. Less than one-third of survey respondents assessed their readiness as ‘high’ if faced with containing a breach. Smaller organizations, in particular, were among those most deeply concerned with their cybersecurity capabilities. Across the industry, recruiting the right personnel and going beyond required compliance to adopt risk-based strategies is necessary to respond to an evolving threat environment.

The frameworks that the report outlines are a helpful and vital starting point for meeting current challenges. They emphasize the importance of utilities thoroughly knowing their systems and what they’re doing. That includes identifying how their systems are connected and employing professionals with the skills to strengthen and maintain those systems’ defenses.

The report also recommends the need for fortified systems and a ready response strategy if an attack is detected. Specifically, the adoption of digital tools like AI and big-data analytics can offer an effective way to enhance detection capabilities. In addition, it’s essential for utilities to devote specific leadership attention to OT security so that awareness is amplified and capabilities to thwart attacks continue to evolve.

This work is just beginning, but the arena in which we will fight the cyberattacks on our utilities is coming into clearer focus. With strategic and collaborative action – and honest discussion and assessment – we can meet risks with readiness and resiliency, giving utilities more confidence and peace of mind that their OT and IT components are well protected.

Leo Simonovich is part of the World Economic Forum’s ‘Systems of Cyber Resilience: Electricity’ community.