People know a storm can disrupt the electrical grid and cause a wave of complications across the region or country very quickly. But now, for those charged with grid reliability and keeping the lights on, there’s a different kind of storm blowing in. The transition to renewables, the smart grid, connectivity of operational technologies (OT), as well as greater remote access (control and monitoring) capabilities, are propelling energy provision into the 21st century—but bringing growing cybersecurity threats.
All of this is unfolding at a time of increasing geopolitical turmoil and when nation-states, well-funded and organized, are increasingly turning attention to U.S. infrastructure. Just as other industries are doing, it’s time for utilities to double down on cybersecurity—especially in light of available federal grants and financial incentives to do so. Those that allocate resources and act now will help reduce the cost of remediating assets in the field tomorrow and avoid untold mitigation costs that a cyber incident could bring.
This Is a Business Risk, Not an IT Issue
In OT environments, the greatest threat is disruption of the physical processes that OT devices control, so security practices should focus first on the integrity of control and the availability of OT devices and their communications media. That ordering is the reverse of the information technology (IT) environment, where protecting the confidentiality of data usually comes first, and defending OT therefore requires a different set of capabilities than IT security teams are used to providing.
Many executives still picture cyber threats as the work of a hooded hacker attempting to gain network access (Figure 1), but today’s threats go way beyond a breach and extend further than the chief information officer’s organization. Individual utilities without the capabilities or a security-aware team are left facing the risk and fallout. The financial burden of remediating an attack, let alone the long-term reputational damage, makes cybersecurity a high business priority to solve—and it’s time to build appropriate defenses and focus the entire enterprise on the challenge.
1. Cyber threats go well beyond rogue attackers and are often funded by nation-states or other deep-pocketed organizations. Source: Envato Elements
While the energy industry has standards—including mandatory compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards—they apply only to the bulk electric system, a small share of the overall grid. The Federal Energy Regulatory Commission (FERC) has jurisdiction over interstate transmission and wholesale power sales, so regulatory oversight of distribution falls to the states. Much of the increased use of digital assets is occurring on the distribution network, and regulatory compliance alone is not enough to manage the growing business risk.
Preparing for Proactive Cyber Risk Mitigation
Utilities need to create risk-informed practices to predict, prevent, and contain cyber disruption. These include:
■ Understand Scale of OT Vulnerabilities. Traditionally, OT assets were electromechanical devices that were not networked. Those that had digital control used closed proprietary protocols, which in practice had much the same effect as physical segmentation. But the past decade's digitization of assets, advances in wireless connectivity, and the encapsulation of legacy serial protocols such as Modbus and DNP3 over TCP/IP mean these technologies can now be reached over routable networks, and in some cases directly from the internet. As the number of digital assets deployed increases, the attack surface expands with it.
■ Define Accountability for Cybersecurity. No single person or function has all the information to make an informed decision, so it’s essential to bring together all players. Operations owns the business risk of reliable service and ongoing safety. IT, overseeing the most exploited cyber vectors, must be involved, as it often manages IT equipment on OT networks. And both cyber and physical security are best informed to assess vulnerabilities and the likelihood of exploitation, as well as to recommend the best remediation strategies.
■ Budget Allocation. Funding is finite, so it’s critical to allocate budget to the highest-priority changes required for security. Companies will need an accurate understanding of current assets, digital attributes, a comprehensive network diagram with data overlays, and risk assessment scenario planning. Many times, the chief information security officer (CISO) sits within and shares a budget with the CIO. It’s imperative that the security organization has a unique budget to address issues from end to end. Doing so is fiscally more effective, as it’s always cheaper to deploy devices securely than to repair them in the field.
■ Assess Available Internal Skillsets. Depth of talent with the operational knowledge to implement the kind of cybersecurity transformation required is critical. Assess those skillsets and consider whether the team has the budget and bandwidth necessary to make this a priority.
What Your Implementation Provider Should Bring to the Table
Companies that prioritize external support to process the changes required for modern cybersecurity should be looking for defined capabilities and expertise, including:
■ Asset Discovery. Passive monitoring of network traffic is commonly used for asset discovery and is suitable for most of the OT environment, but it only sees devices that communicate during the capture window and will not always provide full visibility. Additional methods, including active probing with industrial protocols, device profiling, and configuration analysis using data from historians and engineering tools, should be used alongside the passive approach. Active probing must be scheduled and validated against vendor guidance, because some OT devices fault when they receive unexpected traffic.
■ Baseline Assessment of Critical Fundamentals. Perform an asset inventory to define the security baseline configuration, review identity and access management, and determine the current state of network security controls and governance practices. Not all OT devices carry the same risk and impact, so categorize each asset, risk-prioritize them, and focus resources on protecting the more vulnerable and important ones.
■ System, Platform, and Process Enhancements. Use automation tools to assess and manage credentials as well as audit access and maintain entitlements. It’s important to get a clear picture of how assets and smart meters are deployed, and how interactions occur with smart vehicles and distributed energy.
■ Change Management Expertise. The pace of technological change, introduction of artificial intelligence (AI) into asset management, and threat actor landscape are evolving quickly. Ensure any third party helping with cybersecurity transformation brings deep change management and real boots-on-the-ground industry experience.
■ Prepare for Future Disruption. Recognize that, despite all efforts to prevent attacks, there may come a day when you need to respond. A well-designed and rehearsed incident response plan is vital.
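The asset discovery point above is worth seeing in code. The following is an added example written for this page, not a tool from the authors, EY, or any vendor. It builds a passive inventory from flow records the way a sensor on a SPAN port would, shows which hosts in an engineering address plan the capture never saw, and constructs the one active probe that is usually safe to start with on a Modbus device, a Read Device Identification request (function 0x2B, MEI type 0x0E, as defined in the Modbus application protocol specification). The IP addresses, flows, address plan and the PLC reply are all constructed; the port-to-protocol table covers a handful of common default ports and is an assumption about the environment, not a complete fingerprinting database.

```python
"""Added example (not from the article): passive OT asset discovery from
observed network flows, the gap it leaves, and one active industrial-protocol
probe (Modbus Read Device Identification) to fill that gap.
All addresses, flows and the device response below are constructed."""
import struct
from dataclasses import dataclass, field

# Default TCP ports of common industrial protocols (assumed environment table).
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    102: "ISO-TSAP (S7comm, IEC 61850 MMS)",
    2404: "IEC 60870-5-104",
}

@dataclass
class Asset:
    ip: str
    protocols: set = field(default_factory=set)
    role: str = "unknown"   # "server" once it is seen answering on an OT port

def passive_inventory(flows):
    """Build an inventory from (src_ip, dst_ip, dst_port) flow records, as a
    passive sensor would. Only hosts that send or receive traffic during the
    capture appear; a powered-on but silent device is invisible here."""
    assets = {}
    for src, dst, dport in flows:
        for ip in (src, dst):
            assets.setdefault(ip, Asset(ip))
        proto = INDUSTRIAL_PORTS.get(dport)
        if proto:
            assets[src].protocols.add(proto)
            assets[dst].protocols.add(proto)
            assets[dst].role = "server"
    return assets

def missing_from_passive(inventory, planned_hosts):
    """Hosts in the engineering address plan that passive capture never saw.
    These are the candidates for a scheduled, vendor-approved active probe;
    unsolicited traffic can fault fragile OT devices, so never probe blindly."""
    return sorted(h for h in planned_hosts if h not in inventory)

def build_modbus_device_id_request(transaction_id=1, unit_id=1):
    """Modbus/TCP frame for Read Device Identification
    (function 0x2B, MEI type 0x0E, read code 0x01 = basic objects, object 0)."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_modbus_device_id_response(frame):
    """Return {object_id: value} from a Read Device Identification response,
    or None if the device answered with a Modbus exception (function | 0x80).
    Object ids: 0 VendorName, 1 ProductCode, 2 MajorMinorRevision."""
    _tid, _pid, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if pdu[0] & 0x80:
        return None
    # pdu: FC, MEI, ReadDevIdCode, conformity, more-follows, next-object-id, count, objects...
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        oid, olen = pdu[pos], pdu[pos + 1]
        objects[oid] = pdu[pos + 2:pos + 2 + olen].decode("ascii", "replace")
        pos += 2 + olen
    return objects  # if pdu[4] == 0xFF more objects follow from pdu[5]; not paged here

def constructed_device_id_response(transaction_id=1, unit_id=1):
    """Reply a hypothetical PLC would send; built locally so the example runs offline."""
    objects = {0x00: b"ACME", 0x01: b"PLC-1", 0x02: b"1.0"}
    body = b"".join(bytes([oid, len(v)]) + v for oid, v in objects.items())
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

# Constructed sample: one HMI polling two PLCs and an RTU, one workstation on SSH.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502),
    ("10.0.1.10", "10.0.2.21", 20000),
    ("10.0.1.50", "10.0.2.20", 22),
    ("10.0.1.10", "10.0.2.22", 502),
]
# Constructed address plan from engineering drawings; .23 is commissioned but idle.
PLANNED_OT_HOSTS = ["10.0.2.20", "10.0.2.21", "10.0.2.22", "10.0.2.23"]

if __name__ == "__main__":
    inv = passive_inventory(SAMPLE_FLOWS)
    for a in sorted(inv.values(), key=lambda a: a.ip):
        print(f"{a.ip:12} {a.role:8} {sorted(a.protocols)}")
    print("unseen by passive capture:", missing_from_passive(inv, PLANNED_OT_HOSTS))
    print("probe frame:", build_modbus_device_id_request().hex())
    print("identity:", parse_modbus_device_id_response(constructed_device_id_response()))
```

Two things the run makes visible that the bullet only states: the workstation at 10.0.1.50 shows up with no recognized protocol and an unknown role, so passive capture alone cannot tell what it is, and the idle PLC at 10.0.2.23 does not appear at all, which is exactly the host a validated active probe is for. The Modbus request carries no credentials, a reminder that the same probe an asset-discovery tool sends is available to anyone who can reach port 502.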
Remember, focusing the necessary resources and funding on cyber risks today means staying in business tomorrow. This journey may take years to complete. Commitment will be key.
—Matt Chambers is a principal at Ernst & Young LLP and serves as the EY Americas Power & Utilities Cybersecurity Leader. Dillon Dieffenbach is a principal at Ernst & Young LLP and serves as the EY Americas Energy & Resources Cybersecurity Leader. The views reflected in this article are the views of the authors and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.