- 100% of survey respondents say their cybersecurity function is not fit for purpose
- Utilities struggle to monitor their digital ecosystem more than all other sectors
- 85% of respondents say they don’t have a robust incident response program
LONDON, 31 JANUARY 2018. All utilities organizations surveyed in the latest EY Power and Utilities Global Information Security Survey 2017-18 (GISS): Why wait for a cyber catastrophe to prepare for a cyber attack?, say that their cybersecurity function does not meet their needs. The survey also finds that 58% of sector respondents anticipate difficulties in monitoring the perimeter of their digital ecosystem, compared with 36% across all sectors.
With the sector moving through radical transformation, it is becoming more challenging for utilities to map the digital environment in which they operate. The report highlights that an increasingly fragmented energy value chain, together with the rise of microgrids and distributed energy resources, make it difficult to understand and manage risk. Despite the rising threat level, however, 85% of respondents say they do not have a robust incident response program that includes regular crisis scenario testing.
Matt Chambers, EY Global Power & Utilities Risk and Cybersecurity Leader, says:
“An expanding digital ecosystem with potentially millions of networked access points is exposing utilities to more sophisticated and frequent cyber attacks, which have the potential to disrupt critical infrastructure. Utilities are particularly attractive targets for state-sponsored actors in politically unstable regions. It is little surprise, therefore, that they are more worried than ever about the breadth and complexity of the evolving threat landscape.”
The heightened perception of risk owing to the increased adoption of digital technologies is reflected in the report.
Falling from 19% of sector respondents last year, only 6% now say they are confident that they have fully considered the information security implications of their current strategy, and that their risk operating model incorporates and monitors cyber threats, vulnerabilities and potential impacts. And only 17% prioritize protection of non-IT “crown jewel” assets, while nearly a quarter (23%) still do not have a security operations center.
Chambers says: “While utilities may feel more confident about confronting threats that have become familiar in recent years, they still lack the capability to deal with more advanced, targeted assaults. To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy that includes review and adoption of leading practices against evolving threats using a multilayered approach across a proven framework for managing cybersecurity.”
The report also finds that 44% identify budget constraints as a key barrier to responding to cyber attacks. Nearly a third of respondents (29%) say they would need more than a 25% increase in budget to achieve management’s desired level of risk tolerance, yet only 9% expect to receive a budget increase of that scale in the next 12 months. Meanwhile, 62% believe that an attack that didn’t cause harm would be unlikely to prompt an increase in budget.
Chambers says: “Often, the people responsible for security lack influence with senior management and struggle to articulate the risk in order to obtain additional investment. This reinforces the need to elevate security to an enterprise-level risk and become an integral part of the utility’s overall strategy.”
The majority (85%) of power and utilities respondents consider careless members of staff as the most likely point of weakness to attack. Almost half (48%) also believe that their risk exposure related to vulnerabilities from social media usage has increased over the last 12 months, significantly up from just 8% last year.
Notes to Editors
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
This news release has been issued by EYGM Limited, a member of the global EY organization that also does not provide any services to clients.
About EY’s Global Power & Utilities Sector
In a world of uncertainty, changing regulatory frameworks and environmental challenges, utility companies need to maintain a secure and reliable supply, while anticipating change and reacting to it quickly. EY’s Global Power & Utilities Sector brings together a worldwide team of professionals to help you succeed — a team with deep technical experience in providing assurance, tax, transaction and advisory services. The Sector team works to anticipate market trends, identify their implications and develop points of view on relevant sector issues. Ultimately, this team enables us to help you meet your goals and compete more effectively.
For more information, please visit ey.com/powerandutilities.
About the EY Global Information Security Survey 2017-18
EY’s 20th Global Information Security Survey captures the responses of nearly 1,200 C-suite leaders and information security and IT executives/managers, representing many of the world’s largest and most recognized global organizations. The research was conducted between June-September 2017.
For more information, please visit ey.com/giss.