By Gregory Hale
Over half of utilities reported at least one shutdown or operational data loss a year, a new report found.
It goes to show with utilities increasingly adopting business models that connect OT power generation, transmission, and distribution assets to Information Technology (IT) systems, critical infrastructure is now more vulnerable to cyber attacks, the study found.
“What is happening in the utility space is the energy sector is going through a fundamental transformation with digitalization of power production and the introduction and switch out with traditional fossil generation for renewables and what that has done is created an increasingly hyper intelligent, super connected attack surface,” said Leo Simonovich, Siemens vice president and global head of industrial cyber and digital security. “In many ways it is a Catch-22. On one hand, there is the brownfield with digital bolted on top. On the other hand, we have this digitally native, renewable landscape that is distributed and decentralized.”
In the study, 56 percent of respondents reporting at least one shutdown or operational data loss per year, and 25 percent ended up impacted by mega attacks, which are frequently aided with expertise developed by nation-state actors, according to the report entitled, “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?” by Siemens and the Ponemon Institute.
The vulnerability of critical infrastructure to cyber attacks has potential to cause severe financial, environmental and infrastructure damage, and according to all respondents, 64 percent said sophisticated attacks are a top challenge and 54 percent expect an attack on critical infrastructure in the next 12 months.
“We wanted to understand what does risk look like in this energy transition and what are the readiness levels and what are the solutions they are thinking about? We found these are a major challenge for many utilities,” Simonovich said.
The utility industry is learning the increased sophistication levels of the attacks targeting the industry.
“It is not just the frequency of attacks, but it is the potency of attacks,” Simonovich said. “They are grappling from attacks that are sophisticated, with many coming from nation states, and many of those attacks being potent causing shutdowns, safety events and environmental incidents. Only 42 percent are ready to address this new cyber risk frontier and only 31 percent are able to respond when an incident does happen. Those statistics are troubling.”
The report that assesses global energy industry’s ability to meet the growing threat of cyber attacks to utilities and critical infrastructure connected to the electrical grid. The report details the utility industry’s vulnerability to cyber risk, readiness to address future attacks, and provides solutions to help industry executives and managers better secure critical infrastructure.
“The utility industry has woken up to the industrial cyber threat and is taking important steps to shore up defenses,” Simonovich said.
The study surveyed 1,726 utility professionals responsible for securing or overseeing cyber risk in Operational Technology (OT) environments at electric utilities with gas, solar, wind assets, and water utilities throughout North America, Europe, Middle East, the Asia-Pacific region, and Latin America. It identified key vulnerabilities in energy infrastructure that malicious actors seek to exploit, including common security gaps created as utilities rely on digitalization to leverage data analytics, artificial intelligence, and balance the grid with intermittent renewable energy and distributed power generation.
“Increasing electrification across a range of sectors is a crucial piece in the decarbonization puzzle, but, as the Siemens and Ponemon Institute report documents, an increase in grid-connected infrastructure creates additional vulnerabilities to cyber attacks. A devastating attack would not only harm the economy, but it could also slow down the rate of electrification. Getting this right is not only important for the security of our electricity system, but also for achieving our climate goals,” said Randy Bell, Director of the Atlantic Council Global Energy Center.
While the deployment of digital and networked equipment through the operating environment greatly increases the control and intelligence that organizations have over grid assets, these same technologies provide malicious attackers with new targets within a broader, more complex attack surface, the report said.
In an effort to digitize their fleet, utilities historically viewed cybersecurity as an afterthought, according to the report. Even when new OT assets are designed with security in mind, they are often connected to broader critical infrastructure which lacks systemic security controls. As utility executives incorporate distributed and digitally connected grid technologies into their asset portfolios, their ability to withstand a cyber-attack is limited at best.
The target of attacks has shifted toward OT, the report said. The majority of respondents agree cyber threats are a greater risk in the OT than the IT environment. Where past attacks primarily targeted data theft, current and future attacks can hijack control systems and logic controllers that operate critical infrastructure with the intent to cause physical damage and outages. This year, the majority of global utilities surveyed said, cyber threats present a greater business risk from their OT than their IT environment. Utilities are concerned by the unique characteristics of OT environments, including a focus on availability, reliability and safety.
The risk that cyber attacks pose to the OT environment is increasing in frequency and potency as malicious actors’ ability to accurately target critical infrastructure assets improves, causing even greater consequences for utility sector operators, managers, and executives.
Click here for a full copy of the report.