Building a cyber-resilient electricity sector is a key priority for the post-COVID era

The COVID-19 crisis is having a dramatic impact on our society and has reinforced our reliance on a stable internet and power infrastructure.

The World Economic Forum’s COVID-19 Risks Outlook found that the third greatest concern for companies is that new working patterns may increase cyberattacks: “As the COVID-19 crisis accelerates dependency on technologically-enabled economic processes, it is also exacerbating […] cyber-risks.”

Cyberattacks on critical energy infrastructure pose a risk to energy systems, economies and societal welfare. The loss of power across a large region for an extended period would produce severe impacts for businesses, governments and wider societies.

Traditionally, managing the risk of a major outage in the energy industry meant dealing with issues such as component failure or inclement weather via robust mitigation and recovery plans.

Over the past decade or more, the electricity industry has been undergoing a rapid and transformative digitalization of its ecosystem that has been essential to ensuring the reliability and continuity of power supplies during the pandemic. These digital technologies have amplified the level of interconnectivity and convergence of operational technology (OT) and information technology (IT) – and are expanding the cyberattack surface for malicious actors to exploit. Without adaption, previously secure systems and environments become insecure.

The electricity sector is currently facing cyberthreat actors with at least three distinct motivations. Firstly, electricity IT networks have been targeted (via ransomware attacks) by organized crime gangs seeking financial gain. Secondly, other actors have conducted cyberespionage and, thirdly, disinformation operations. Advanced Persistent Threats (APTs) are known to target ICS (Industrial Control System) networks seeking to perform pre-attack reconnaissance or cause outright damage and disruption.

However, the digitalization of the electricity ecosystem has been further accelerated during the COVID-19 crisis, and has highlighted specific intrinsic systemic issues that mainly relate to the unprecedented pressure on the digital architecture and supply chain dependencies. For example, as a result of the large-scale shift to work-from-home practices, the digital landscape and architecture of electricity companies is being reshaped, while the escalating risk associated with this shift is straining supply chain resiliency and cybersecurity operations.

If these are not addressed in a holistic manner, the escalating risks may have a domino effect that is likely to impact critical functions and industry ecosystems globally.

While many industries are dealing with similar challenges, sophisticated cyber-related breaches of IT infrastructure linked to the power system have the ability to impact critical operations and society at large.

Since 2018, the World Economic Forum’s Systems of Cyber Resilience: Electricity community, supported by more than 70 executives from power companies, technology manufacturers, government entities and academic institutions, has been focusing on enhancing the cyber resilience of critical infrastructure in an increasingly interconnected and interdependent world.

In a report released by the World Economic Forum in 2019, the Systems of Cyber Resilience: Electricity community outlined seven industry-specific principles to enable boards of directors of Electricity Companies take a strategic approach to cyber resilience.

These principles were aiming to address three key challenges:

1. Understanding the multi-faceted and complex supply chain of actors with diverse priorities, practices and maturity.

2. Overseeing risks related to legacy and modern technologies with increasing complexity cause by digitalization and renewable technologies.

3. Taking a holistic and systemic approach to cyber-risks covering IT and OT environments and a highly interconnected ecosystem.

These principles aimed to help boards shape a responsible course of action and oversight of cyber-risks that balances business objectives against increasing cybersecurity-related risks.

On 30 June, the World Economic Forum published a Playbook for Boards and Cybersecurity Officers to provide a bridge with business leaders responsible for governance and strategy, and to help accelerate an effective adoption of these principles. These key steps will help boards instil a culture of cyber resilience within the enterprise and broader ecosystem:

1. Drive the cultural and organizational shifts required to enhance cyber resilience within the company and throughout the broader ecosystem.

2. Ensure effective oversight of the cyber resilience programme.

3. Mandate business leaders to take ownership of cyber-risks, align them with their business' strategic objectives and integrate them into business decisions and budgets.

4. Nominate a corporate officer accountable for cyber resilience and for guiding both the board and business leaders in making better risk-informed decisions related to cyber resilience.

Regulation is widely recognized across many sectors as an effective tool for aligning and improving business practices. To date, regulation in the electricity sector has predominantly focused on safety. Recent technological innovations, including the move towards the smart grid, and the evolving cyber-risk landscape necessitate a comparable focus on cybersecurity regulation to protect against large-scale disruption

Policy-makers, regulators and electricity companies should collaborate to create a base-level alignment of cybersecurity regulations for the electricity industry across countries and regions, while retaining the flexibility to tailor their regulations to reflect their unique needs and national interests.

The Systems of Cyber Resilience in Electricity community has analyzed the gaps in current regulations and identified opportunities for improvement in regulatory practices for public and private sector entities to further enhance cyber resilience in the ecosystem:

1. Development of principle-based global cybersecurity regulatory guidance, enabling utilities to align their cybersecurity practices across regions, enhancing flexibility.

2. A common product certification approach, with limited and specific use cases, to assist utilities in securing their supply chains.

3. Enhanced collaboration across government, industry, academia and supply chains, leading to more flexible, effective and targeted regulatory and information- sharing practices.

Digitalization, decentralization and globalization are continually increasing the attack surface. From connected equipment to new market entrants and multinationals operating across borders, there are more connections into the electricity ecosystem than ever before. Third parties and components present risks throughout the supply chain, and the onus is on organizations to take responsibility for assuring the security of the components and services that the grid is built upon.

As digital products become more widespread, the growing complexity of the supply and value chains poses a significant threat to the electricity ecosystem. The traditional approach to securing the supply chain works on the assumption that the threat is greatest at the manufacturing stage.

Securing the value chain must address the end-to-end product life cycle, including design, commission and operations until retirement. The different entities in the value chain collaborate on business-critical activities for products and systems, and hence an isolated approach will not suffice. A resilient ecosystem requires individual as well as shared responsibility.

In response, World Economic Forum’s Systems of Cyber Resilience: Electricity community members have developed a report, which proposes a new value chain responsibility model.

Organizations within the electricity industry must ensure a balanced product and system-level security requirements. Effective and sustainable measures for protection go beyond the securing of individual products and systems. Product and systems-centric programmes must be established. These programmes require a common understanding and acceptance of the different stakeholders’ responsibilities.

To be effective in securing the value chains, approaches must include both defense in depth (which covers the entire product life cycle starting with design) and defense in breadth (which spans from the organization’s suppliers to asset owner, and eventually to system integrators and operators) strategies.

Moreover, a close dialogue on security during the procurement process, between asset owner, product supplier and system integrator, will help ensure the best possible outcome. Products and suppliers that have internally adopted holistic and robust practices to cybersecurity should be prioritized. Security can’t be optional in the tender process and subject to pricing criteria.

The need to adapt to how systems are operated will need a relationship of trust between asset owners, operators and suppliers to find the optimum ways to address cybersecurity practice according to operation regimes. As the power, scale and impact of new technologies continues to accelerate, the hands-off approach to managing the impact of technology to date risks potentially catastrophic consequences for society. Getting this right means managing risks and unintended consequences with foresight and decisiveness.