The COVID-19 pandemic threw a wrench into the power utility sector’s cybersecurity planning, leaving North American electric utility leaders facing the challenge of securing the grid against the growing threat of cyberattacks while meeting profound changes in energy use.
As the pandemic’s one-year anniversary nears, broader economic trends point to fundamental shifts in how America’s workforce uses energy. Those still-fluid changes, plus the increased risk of cyberattacks and mandatory cybersecurity standard compliance, have created complex new dynamics for the electric utility sector.
Results from Black & Veatch’s 2020 Strategic Directions: Electric Report survey of the power industry reveal that while utility leaders have made strides in meeting compliance requirements of the Critical Infrastructure Protection Program (CIP) of the North American Electric Reliability Corporation (NERC), there’s still plenty of work to be done. The rapidly changing landscape of coronavirus-complicated energy demands has elevated new cyber-risk vulnerabilities and the related potential of substantial service loss, asset damage and data security breaches.
Cyberattacks: A Growing Threat for North American Power Grid
Cybersecurity experts long have warned of potentially significant attacks on the North American power grid as consumers and utilities alike embrace the efficiencies of connectivity, the Internet of Things (IoT) and new digital technologies.
An increasingly unstable global political climate has heightened the sense of urgency for cybersecurity mitigation. Analysts warned the U.S. energy sector of potential phishing attacks emerging out of heightened military tensions between the U.S. and Iran, according to a January 2020 report by Industry Dive. Just days later, a cybersecurity firm reported that hacking groups were targeting critical infrastructure sectors, including the North American power grid, although no breaches occurred.
Economic downturns are well-known to heighten the frequency of cybersecurity attacks. Desperate times and idle hands favor increased online criminal activity, as security officials learned during the 2008-2009 economic recession. In the case of the coronavirus, however, the threat is exponential. Not only are there more cybercriminals and bad actors lurking, but the sudden shift in energy use — and the need for utilities to respond to those unprecedented demands while safeguarding their staff during the pandemic — have created new security gaps.
Such a confluence of events presents a unique challenge. North American utility leaders must press forward to meet cybersecurity compliance requirements, assess new risks and rapidly allocate resources to keep cybersecurity measures up to speed with America’s rapidly changing power requirements.
Utilities Make Gains in Cybersecurity Implementation
The good news is that the electrical industry, under the pressure of a looming July 2020 CIP compliance deadline, already had made inroads in securing its cyber assets before the COVID-19 pandemic took hold. In April 2020, the Federal Energy Regulatory Commission (FERC) responded to coronavirus disruptions, issuing an order extending deadlines for CIP compliance’s five components. Deadlines now range from October 2020 to April 2021, depending on the component.
But many in the energy sector already were working hard on their cybersecurity compliance. In last year’s Black & Veatch Strategic Directions: Electric Report survey, respondents chose cybersecurity as their No. 3 choice as the most challenging issue facing the industry. This year’s results show cybersecurity slipping slightly to sixth place, reflecting shifting coronavirus resource priorities and cybersecurity implementation prompted by the CIP deadlines.
Overall, the newest survey results reveal that electric utility leaders remain committed to cyber securing their assets for at least the next five years. Cybersecurity is second only to asset management in terms of prioritized financial investment into technological improvements, capturing 14 percent of their total technology budget.
Cybersecurity Work Yet to Be Done
Despite the sector’s advances in cybersecurity implementation, survey results revealed areas where significant work has yet to be done.
Many utilities still are working to close their operational technology (OT) gap. Roughly one-fifth of respondents indicated that while they have a program covering cybersecurity for information technology (IT), they have yet to implement one for OT, despite CIP requirements. This can be accomplished, strategically, by identifying the cyber risk gaps and prioritizing a closure strategy.
For a recent project with Louisville Gas & Electric Company and the Kentucky Utilities Company (LKE), Black & Veatch applied a best practices methodology, identifying cybersecurity gaps for technology, hardware, software, staff, training, process and governance across all their physical assets. After LKE was scored internally on strengths and weaknesses, an external threat analysis was created for its unique operations. That was translated into a benefit-cost ratio, allowing LKE to prioritize the most bang for its cybersecurity investment buck over the next five years.
Another concern is that while utilities increasingly have leveraged new technology for operational efficiencies, many have not kept up with the subsequent cyber risks. Nearly one-quarter of utilities surveyed noted that their cybersecurity investments had not moved in lockstep with their investments into digital assets and customer engagement.
This is a classic cybersecurity challenge in the adoption of digital operations. Investments in operational efficiencies such as connecting operating grids to dynamic real-time control or going from serial communications to IP connectivity bring tremendous benefits, but they often create new cyber risks. The lag between the operational improvements and the programs, processes and training to make them cyber secure can expose vulnerabilities that illicit individuals may capitalize on to damage equipment, cause disruptions or compromise secure data.
Smaller utilities lag behind larger ones when it comes to cyber securing their assets and meeting compliance regulations. A lack of resources and economies of scale make it more challenging to warrant significant system investments. According to the survey, more than half — 54 percent — of utilities serving 500,000 to 2 million customers have a formal cybersecurity program covering IT and OT, meaning nearly half are lacking on one side or the other. For utilities with fewer than 500,000 customers, 63 percent cover both IT and OT, meaning almost 37 percent are missing one component.
One strategy for smaller utilities is for municipalities to band their resources together for a cooperative roll-out. Ohio’s American Municipal Power cooperative, for example, owns and operates electric facilities, allowing them to provide a wide range of cooperative services on a non-profit basis.
Overall, maintaining compliance with cybersecurity regulations, endpoint management (personal computers, laptops, mobile devices and the like), access control vulnerabilities, and retaining cybersecurity talent moved solidly onto most utilities’ priority radar for the next five to 10 years.
This is a significant change over last year’s results, when security education and training, and optimizing security products and platforms, claimed the top two ranks. Still, there is an ongoing need for education and training, given that human error leaves utilities vulnerable to cyberattacks if not mitigated through proactive training programs. This is especially relevant at the OT level as the industry works to close the gaps with new IT adoptions and manage the increased device connectivity of both upstream (production controls) and downstream (consumer-focused) devices. Monitoring and instant response capabilities are training areas that are lagging for many utilities.
Cybersecurity Planning for Coronavirus-Prompted Usage Shifts
Considering the coronavirus impact on the sector, electric utility leaders should enter the winter planning period with an eye to new, agile mid-term resource planning and with a creative philosophy toward technology adaptation.
As America’s workforce moved from downtown to online home offices, the energy loads followed them, creating fundamental changes in physical use and in usage times, as well as increased load needs for services such as data centers and broadband access to the cloud.
The load shift was significant and rapid. According to a Gallup Panel data report, by mid-April, nearly seven out of 10 employed adults were working from home. By late summer, Business Insider reported, major companies — including Google, REI, Zillow, Twitter and Square — had announced that their employees could work at home indefinitely.
Many residential areas essentially have become commercial, and indicators suggest these fundamental workplace shifts may stay that way indefinitely. Utility leaders re-evaluating shifting customer needs and grid modernization requirements while reassessing new constraints and load loss probabilities also must factor in the impact of the cybersecurity exposures on their shifting customer and grid assets, as well as their increasingly automated grid and field operations along the way.
Additionally, the electric utility sector must ensure their employees’ safety, looking to adopt new technology that accommodates work that traditionally was accomplished via human visits, including video, automated monitoring and controls technologies. Many companies have the same challenge and have been using video technology, remote conferencing and visualization to provide services that typically would have been achieved in person.
The energy sector never has faced such a profound disruption in both structural and cyclical energy use. Utilities must be agile and responsive to dynamic customer needs while not forgetting the associated cybersecurity risks. Now is the time to move beyond the short-term responses to coronavirus-fueled structural changes and factor these structural changes into mid-term planning that aligns cybersecurity strategies with shifting service obligations and prioritizes for the most significant potential load losses, associated attack vectors and mitigation strategies.
This will ensure that the energy sector can secure their response to customer needs, safeguard their physical and digital assets, and protect their service values and associated revenue streams against the opportunity loss of a cyber event. And, perhaps most importantly, they must be a reliable, trusted source of energy, backed by adaptive services and technologies, as North America recovers from the disruptions from the worst pandemic in a century.
About the Authors
Bo Poats is a managing director in Black & Veatch Management Consulting’s business technology and architecture (BTA) team, focusing on asset and energy portfolio reliability, resiliency and security requirements and the application of best practice risk measurement and mitigation. He has nearly four decades of energy sector leadership in enterprise risk management and investment planning support in the electric and gas utility, independent power and major end-use consumers sectors.
Joe Zhou is a senior managing director who leads the business technology and architecture offering group within Black & Veatch Management Consulting. The BTA offering group delivers innovative and integrated solutions around asset, risk and cybersecurity management. Zhou has more than 30 years of experience, focusing on providing strategic and transformative consulting and systems integration services to power, gas and water utilities around the world.