Why COVID-19 is making utilities more vulnerable to cyberattack - and what to do about it

In the energy industry, crisis moments like COVID-19 focus attention on two things: how to keep people safe, and how to continue to supply power to customers. Right now, that means working remotely is the number-one priority for utilities, but this reality also exposes the energy industry to new cyber-risks coming both from inside and outside the walls of its cyber defences. Lives are on the line; companies need to protect their workers and avoid outages.

Utility CEOs and board members face a unique blend of cyber and safety risks. By accessing critical plant production and grid networks from homes, employees raise the risk of a possible second-wave crisis: rolling outages and safety events at a time when keeping the lights on matters most. Attackers will attempt to exploit the rush to remote systems, understaffed facilities and new ways of working.

To avoid an impending cybersecurity crisis, utility leaders need to shift their focus towards making remote work increasingly secure, operationally viable and resilient. Boards and CEOs must move quickly to ensure the safety of employees while protecting the entire energy value chain from attack.

Balancing this new risk matrix requires four broad steps: Understanding the new cyber-risk, establishing baseline defences, building interoperable defences with partners, and resetting overall architecture to accommodate this new reality.

1. Understanding the new cyber-risk. Home-based work increases exposure to cyber-risks. Less-reliable internet connections, social engineering attacks against employees and their families, and honest mistakes made in unfamiliar workflows are all new potential risks. Partner companies will also face increased cyber exposure. Utilities need to deliberately choose which tasks pose unacceptable risks and which can be adapted for remote work. For example, many monitoring tasks can be done remotely – and safely – with the right procedures, but testing or servicing safety and backup systems remotely cannot.

2. Establish baseline defences appropriate to remote work. Layered defences, commonly known as ‘defence in depth’, reduce the consequences of cyberattacks, and remote work will elevate specific needs:

a) Secure connections. Employees without secure access can’t work effectively, which makes such access necessary – but not sufficient – for cybersecurity. Plant operators should proactively define who should access which assets and institute controls before approving remote technology.

b) Monitor for anomalies. Working from home makes some security practices impossible. For example, both valid and malicious commands now come from outside the plant. It’s hard to discern what’s normal. This increases the importance of monitoring as a way to distinguish between employees and attackers. Some monitoring can be automated, freeing time for relevant personnel to investigate suspicious activity.

c) Prepare for incident response. Plants now need an incident response plan that works when most employees are not onsite, some are hospitalized, and an attack appears within their systems. Assume attackers will pressure-test the new defenses and achieve at least partial success. Expect to need to activate incident response within the next few weeks, with limited on-the ground support and distributed remote expert support. Eradication and reboot may not be an option for the foreseeable future.

3. Build interoperable defences. Cybersecurity is only as strong as its weakest link. Utility leaders and peers at partner companies should work to implement common defence measures. These include defining privileged access, disclosing vulnerabilities or sharing threat intelligence. Ensuring that partner systems work from a shared roadmap will help utilities assess and improve security. Failing to consider partners’ cybersecurity leaves a potentially large blind spot in your defences.

4. Reengineering the security architecture. Utilities are making fundamental changes to their energy production workflows – and cybersecurity methods and architectures will also need to be revamped. Systems that assume workers are present at plants or field sites will now have the wrong emphasis. For example, plants typically ban portable devices - but most workers are now outside the plant, with access to those banned devices or social media platforms. Any blueprint designed for this new reality needs to defend and monitor the new remote workflows in this new context.

While the COVID-19 crisis makes these steps urgent, several long-term trends that pre-date the pandemic will drive similar changes. Distributed energy sources will require new operating models. Remote work and automation will offer efficiency gains. Energy companies will need to train their next-generation workforce. Cyberattacks against utilities will continue to escalate in frequency and sophistication. We know these changes are coming and may become permanent. Utilities will need to iteratively adapt cybersecurity protocols to protect operations as each trend shapes the new reality. Short-term and long-term, that’s how we will keep the lights on.