Wired for Safety: Navigating Cybersecurity Risks in the Utility Industry

Wired for Safety: Navigating Cybersecurity Risks in the Utility Industry

By Ron Gallimore, IT Cybersecurity Manager, ACRT Services

Safety and cybersecurity are closely linked, as both practices aim to protect assets and individuals from harm or threats, despite existing in different domains.

The significance of cybersecurity should be understood by all. It is required to maintain a reliable energy supply for American homes, businesses, and communities. The investment into cybersecurity is also crucial as it allows for the management of various cyber threats across energy systems — from generation to delivery, to ensure security and reliability.[1]

If you find yourself wondering, “What classifies as a cyber attack?” the National Institutes of Standards and Technology (NIST)[2] provides clarity stating, “An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.”

Threats to the Utility Industry

Utilities and other industry organizations are increasingly becoming targets of cyber attacks, putting their entire value chain at risk, including the following

• Generation: Disruption of service and ransomware attacks against power plants and clean-energy generators.
• Transmission: Large-scale disruption of power to customers through remotely disconnecting services.
• Distribution: Disruption of substations that leads to regional loss of service and disruption of service to customers.
• Network: Theft of customer information, fraud, and disruption of services.

Naturally, utilities operate a geographically distributed infrastructure. For example, the average span of a top 25 U.S. power company includes 121 plants spread across 94,000 miles of distribution, making it difficult to maintain visibility across information technology (IT) and operational technology (OT) systems.

These organizations are also at risk of additional susceptibilities due to geographic vulnerabilities in consumer-facing devices (either utility-owned or grid-connected) and organizational complexity as many utilities, “rely on several different business units to refine, generate, transmit, and distribute energy and resources.”[3]

What Steps Are Being Taken at the Government Level?

Earlier this year, the U.S. Department of Energy (DOE) announced $45 million in funding for 16 projects across the nation to better protect the energy industry from cyber attacks. The selected projects intend to develop new cybersecurity tools and technologies designed to reduce cyber risks, and strengthen the resilience of America’s energy systems — including the power grid, electric utilities, pipelines, and renewable energy generation sources. [1]

The DOE, in partnership with the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), also announced up to $70 million in funding, with opportunities ranging from $500,000 to $5,000,000, to advance the next generation of innovations that will help strengthen the resilience of our energy systems.[4]

Funding like this is vital, as energy sector cybersecurity preparedness is one of the three key areas CESER’s cybersecurity program supports. 3 Energy sector cybersecurity preparedness includes addressing situational awareness, information sharing, and risk analyses.

Due to the “highly dynamic technology and threat environment,” continuous assessments and sharing of information between the energy industry and government is crucial to determining threats and developing mitigation strategies promptly.

What Role Will Artificial Intelligence Play in the Industry?

Artificial Intelligence (AI) adoption around the world seems rapid, but within utilities and other industry organizations is proving to be laced with challenges and uncertainties.

A report by the Boston Consulting Group predicts that through scaling proven applications and technology, AI could potentially mitigate 5% to 10% of greenhouse gas emissions by 2030.[5]

In a T&D World op-ed by Teresa Hansen, Endeavor Business Media’s Vice President of Content – Energy, Hansen explains how AI can aid in enhancing resilience against black-sky hazards, facilitate the integration of intermittent renewable energy, optimize grid balancing, and enhance the efficiency of existing fossil-fueled plants. However, the adoption of AI will undoubtedly pose challenges and concerns — especially in terms of oversight and cybersecurity.[6]

Taking Steps to Improve the Security of the Grid

While the utility industry is especially vulnerable to cyber attacks, these risks can be significantly reduced with certain steps, such as a three-pronged approach. [3]

• Strategic intelligence on threats and actors before attacks on the network. Companies must move beyond reactive measures and take a forward-looking approach to security that integrates the security function into critical decisions about corporate expansion and the accompanying increase in infrastructure and geographic complexity. In parallel, leaders must develop security-minded plans to address “known unknowns” as attackers continue to find and utilize new attack vectors.
• Programs to reduce geographic and operational gaps in awareness and communication, creating a culture of security. A high-functioning utility security apparatus should be aligned to ensure that the best minds across the enterprise—not just in security—are aware of threats and have robust processes to report potential vulnerabilities and emerging incidents. Furthermore, technical systems should provide security with a common operating picture of sites across geographies and business units to detect coordinated attack and reconnaissance campaigns.
• Industry-wide collaboration to address the increasing convergence of physical and virtual threats. Industry partnerships, as the eyes on the ground for leading-edge technologies (and corresponding vulnerabilities), should engage in regular dialogue on how to secure the delicate ties between physical and virtual infrastructure, as well as IT and OT networks.

As a collective industry, we must take a proactive approach toward cyber threats facing our companies and networks. This might look like employing analytic teams to “monitor threats across the industry and region, including intelligence about technical vulnerabilities and the various factors (e.g., geopolitical, economic, legal) that shape the threat environment.” [3]

It is also recommended that utilities should begin with a holistic cybersecurity maturity assessment to evaluate their current cybersecurity maturity, benchmark capabilities against industry peers, and identify opportunities to build incremental capabilities.

Organizations that are taking the initiative to develop a strategic threat intelligence program should follow these steps. [3]

1. Identify gaps and opportunities based on the company’s existing threat intelligence program, to increase situational awareness across teams and identify areas where information sharing can be improved internally as well as externally with other utilities, vendors, and service providers.
2. Define a robust threat intelligence program, including identification of tactical, operational, and strategic threat intelligence topics, products, and artifacts and a corresponding cadence for release of each product.
3. Conduct a detailed review of enablers to the strategic threat intelligence program, including the threat intelligence team’s operating model and knowledge-sharing capabilities.
4. Train key threat intelligence stakeholders on product development and information-sharing best practices.

Powering a Secure and Resilient Future

As time goes on, cybersecurity will likely continue to be a critical concern for the utility industry. There will always be the potential for disruptions to essential services and infrastructures but by remaining vigilant, educating stakeholders, and prioritizing proactive risk management, our industry can mitigate the impact of cyber threats and ensure the reliable delivery of essential services to communities the communities we serve.

[1] T&D World Staff. (2024, February 27). Doe announces $45M to protect Americans from cyber threats. T&D World. https://www.tdworld.com/smart-utility/grid-security/article/21283565/doe-announces-45m-to-protect-americans-from-cyber-threats

[2] Computer Security Resource Center. (n.d.). Cyber attack – glossary: CSRC. https://csrc.nist.gov/glossary/term/cyber_attack

[3] Bailey, T., Maruyama, A., & Wallance, D. (2020, November 3). The energy-sector threat: How to address cybersecurity vulnerabilities. McKinsey & Company. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/the-energy-sector-threat-how-to-address-cybersecurity-vulnerabilities

[4] T&D World Staff. (2024, January 9). Doe announces $70 million research funding for cyber and physical threats. T&D World. https://www.tdworld.com/smart-utility/grid-security/article/21280398/doe-announces-70-million-research-funding-for-energy-sector-cyber-threats

[5] Dannouni, A., Deutscher, S. A., Dezzaz, G., Elman, A., Gawel, A., Hanna, M., Hyland, A., Kharij, A., Maher, H., Patterson, D., Jones, E. R., Rothenberg, J., Tber, H., Texier, M., & Ziat, A. (2023a, November 22). How ai can speed climate action. BCG Global.

[6] Hansen, T. (2024, January 17). My top three predictions for 2024 trends. T&D World. https://www.tdworld.com/utility-business/article/21279256/top-three-predictions-for-the-energy-industry-in-2024

This article was originally published in the 2024 May/June edition of the UAA Newsline.