All utilities organisations surveyed in the latest EY Power and Utilities Global Information Security Survey 2017-18 (GISS) have indicated that their cybersecurity function does not meet their needs. This is despite the fact that utilities are particularly attractive targets, such as for highly sophisticated state-sponsored actors in politically unstable regions looking to gain a political or monetary advantage.
The survey, Why wait for a cyber catastrophe to prepare for a cyber attack?, also found that 58% of sector respondents anticipate difficulties in monitoring the perimeter of their digital ecosystem, compared with 36% across all sectors.
Transformation of utilities sector increases risk management complexity
With the utilities sector moving through radical transformation, it is becoming more challenging to map the digital environment in which these organisations operate. The report highlights that an increasingly fragmented energy value chain, together with the rise of microgrids and distributed energy resources, make it difficult to understand and manage risks.
There are (i) enterprise domain risks, associated with the collection, storage and analysis of Big Data and the growing interdependencies between physical assets and information and operations technology; (ii) grid and network infrastructure risks, from the increasingly connected and complex nature of industrial control systems (ICS), including supervisory control and data acquisition (SCADA) which are challenging to secure, and (iii) customer domain risks, from growth in disruptive technologies leading to multi-ownership of data by utilities, third parties and aggregators.
Despite the rising threat level, however, 85% of respondents say they do not have a robust incident response program that includes regular crisis scenario testing.
“An expanding digital ecosystem with potentially millions of networked access points is exposing utilities to more sophisticated and frequent cyber attacks, which have the potential to disrupt critical infrastructure. Utilities are particularly attractive targets for state-sponsored actors in politically unstable regions. It is little surprise, therefore, that they are more worried than ever about the breadth and complexity of the evolving threat landscape,” said Mr Matt Chambers, EY Global Power & Utilities Risk and Cybersecurity Leader.
Utilities struggle to monitor their digital ecosystem more than all other sectors
The heightened perception of risk owing to the increased adoption of digital technologies is reflected in the report.
Only 6%, as compared to 19% of sector respondents last year, now say they are confident that they have fully considered the information security implications of their current strategy, and that their risk operating model incorporates and monitors cyber threats, vulnerabilities and potential impacts. And only 17% prioritise protection of non-IT “crown jewel” assets, while nearly a quarter (23%) still do not have a security operations center.
Mr Chambers said: “While utilities may feel more confident about confronting threats that have become familiar in recent years, they still lack the capability to deal with more advanced, targeted assaults. To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy that includes review and adoption of leading practices against evolving threats using a multilayered approach across a proven framework for managing cybersecurity.”
Budget a key constraint
The report also finds that 44% identify budget constraints as a key barrier to responding to cyber attacks. Nearly a third of respondents (29%) say they would need more than a 25% increase in budget to achieve management’s desired level of risk tolerance, yet only 9% expect to receive a budget increase of that scale in the next 12 months. Meanwhile, 62% believe that an attack that didn’t cause harm would be unlikely to prompt an increase in budget.
According to Mr Chambers, the people responsible for security often lack influence with senior management and struggle to articulate the risk in order to obtain additional investment. This reinforces the need to elevate security to an enterprise-level risk and become an integral part of the utility’s overall strategy.”
The majority (85%) of power and utilities respondents consider careless members of staff as the most likely point of weakness to attack. Almost half (48%) also believe that their risk exposure related to vulnerabilities from social media usage has increased over the last 12 months, significantly up from just 8% last year.
To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy that includes review and adoption of leading practices against evolving threats. This requires a multilayered approach for managing cybersecurity, including establishing a risk-enabled culture, advancing strategic thinking, adopting an agile and resilient operating model, investing in technology and innovation and focusing on the risks that matter most, said the EY report. (Read more here).