The utilities industry is digitizing, a trend that promises to provide significant benefits for companies and consumers alike. However, this trend can also leave utility companies vulnerable to cyberattacks that could cut off service to large swaths of their customers.
As illustrated by the 2015 cyberattack on Ukraine’s energy grid that caused a persistent blackout for some 250,000 people, a successful cyberattack on a utility company can have devastating consequences. In the years since this attack, cybercriminals have been developing increasingly sophisticated spear phishing and ransomware attacks that are costly, disruptive, and damaging.
As such, as utility companies evolve toward an increasingly digitized business model, it will be essential for them to place a premium on cybersecurity. First and foremost, this will involve keeping cybersecurity considerations top of mind as they navigate the following key industry trends:
1. OT/IT Integration
Traditionally, the utilities industry has kept operational technology (OT) — sensors, software, and other equipment related to monitoring and managing utility processes — separate from informational technology (IT). Because OT is seldom connected to the internet or a large internal network, to date, it has been largely insulated from cyberattacks.
That said, utility companies are increasingly integrating OT and IT to create a more interconnected, intelligent service grid. Doing so provides a wide range of benefits, including predictive maintenance, streamlined automation, reduced downtime for customers, and enhanced visibility into operational processes.
But bringing OT online also creates new opportunities for cyberattackers to reach key grid control points, making it much easier for them to disrupt service. What is more, legacy OT systems often lack even baseline security safeguards like password-protected logins. Thus, as utility companies continue to explore end-to-end systems integration, it will be critical for their OT and IT departments to carefully coordinate their efforts to bring together their traditionally siloed domains in a safe, secure manner.
2. IoT Data and Analytics
With the rise of the Internet of Things (IoT) — which, in a way, is the pinnacle of OT/IT integration — utility companies are deploying a variety of new sensors that gather data on everything from systems outages to asset health to usage patterns. This data helps companies improve their operational strategies, whether by responding to data trendlines in real time or storing data in the cloud to facilitate descriptive analytics.
IoT devices are an essential part of creating an intelligent grid, but the data management requirements of large-scale IoT deployments are a considerable challenge for many utility companies — even those that have brought much of their OT online. Companies must not only secure and track their IoT assets carefully, but adhere to best practices for cloud computing security to prevent attacks on their stored data. They must also carefully track traffic on their networks and subnetworks, which may require specialized tools given the sheer volume of data involved.
3. Proliferating Customer Data
Adept data management is particularly critical to protecting customer data. Utility companies collect and retain vast amounts of data on their customers, including credit card information and home addresses. These data collection efforts have only been amplified by the rise of smart metering technologies, which enable utility companies to gather even more granular information on their customers’ usage patterns.
Companies need to be able to analyze this data or share it with appropriate third parties without compromising their customers’ privacy, which is not always easy — see the 2017 cyberattack that exposed the sensitive information of 52,000 utility customers in Connecticut. Breaches like this one can erode customer trust, tarnish a company’s reputation, and potentially run afoul of industry regulations, leading to costly noncompliance fines.
A Proactive Approach to Cybersecurity
Moving forward, engaging with the industry trends outlined above will be critical for any utility company hoping to stay competitive, provide excellent service, and remain compliant with industry regulations. As they make these transitions, utility companies have the opportunity to take a proactive approach to cybersecurity. Process auditing is key, but companies should not conflate compliance with cyber-readiness. As their systems become increasingly connected, their security efforts must scale up accordingly. This may include:
- Managing OT and IT device access using multifactor authentication or biometric security.
- Securing data at every level, from individual IoT devices to customers’ meters to cloud infrastructure.
- Requiring all contractors and other third parties to adhere to specified cybersecurity best practices.
- Pairing technological security solutions with robust employee training to help mitigate threats that stem from human error (think: spear phishing attacks).
For many utility companies, implementing these protective measures is easier with the guidance of an expert partner. At SEI, our consultants have extensive experience in an array of cybersecurity technologies and approaches, and we have a proven track record of identifying and addressing companies’ vulnerabilities. We also bring years of experience in the utilities industry to the table, and understand the unique challenges utility companies face. We know that with the right balance of security and flexibility, it is entirely possible for the utilities industry to defend against cyberattacks while simultaneously modernizing its operations.
