As if U.S. electric utilities didn’t already have enough to worry about in hardening their assets against severe climatological events, protecting their critical infrastructure from cyber or physical attacks increasingly are keeping operators up at night.
A report last December by Politico sounded the latest alarm, noting that federal records showed that the number of physical and computerized assaults on electric infrastructure spiked in 2022 to their highest level in at least a decade. That included 101 reported events over the first eight months of last year, eclipsing the previous peak of 97 incidents.
While federal regulations require electric utilities to comply with certain cybersecurity standards for protecting their systems from keyboard predators, cyber-attacks persist as advancing technology — notably digitalization that helps manage utility operations — expands the attack surface and creates new vulnerabilities. The grid’s aging infrastructure and legacy technology also significantly increases the risk of attacks that can lead to power outages, endangered public safety and financial loss.
So how are U.S. electric utilities responding? With expert analyses of a survey of more than 650 U.S. power sector stakeholders, Black & Veatch’s 2023 Electric Report finds that utilities understand the challenges and are working to bolster their cyber defenses.
New Technology: Risk and Reward
As technology advances, pressure mounts on utilities to maintain a competitive edge. This means some may feel compelled to adopt new technology quickly, without fully considering the impact it might have on their business or operations. As such, there’s been a fundamental shift within operational technology (OT) as survey respondents report — for a second consecutive year — a shorter vetting process for adopting new technologies, with half assessing a new technology for five years or fewer before their organization will adopt it, consistent with 2022.
While new technology has its benefits, it can also open the network to vulnerabilities that put the organization at risk of cyberattack.
These potential risks are further emphasized by nearly half of respondents (46 percent) replying that they don’t know where they are in the implementation phase of their security plans. That perhaps illustrates that utilities’ security programs haven’t yet caught up with this rapid adoption of new technologies.
Utilities must adjust their cybersecurity plans to accommodate the rapid adoption of new technologies. Implementing a comprehensive risk management strategy that includes evaluating the new technology, identifying and implementing the necessary security controls, and ongoing monitoring and testing of the system will be paramount to the success — and security — of technology adoption.
Concerns around ransomware and phishing both have decreased among respondents since last year’s report. But both remain the top two cyber threats of concern to utilities, with 72 percent citing phishing and 56 percent pointing to ransomware as their top worries. Given that phishing is a major gateway to ransomware, this may indicate that utilities have more understanding of the nuances of ransomware and feel more confident in their ability to mitigate potential risks. In addition, a recent report from the potential risks and threats associated with Egress, a cybersecurity company that provides intelligent email security, said phishing attacks are becoming more sophisticated, especially as cybercriminals continue to hone their skills by using AI-powered technologies.
New to the list — ranking third — was cyber-enabled sabotage, added as a survey response option this year because the U.S. Department of Homeland Security actively is working to prevent such activity through initiatives with the Idaho National Laboratory (INL). Those strategies include Cyber-informed Engineering (CIE) and Consequence-driven Cyber-informed Engineering (CCE). Black & Veatch is a licensed CCE partner with the INL.
Based on this year’s data, it’s clear that utilities understand the importance of mitigating the risk of a ransomware attack and are taking the proper measures to protect their data and systems. In fact, nearly 70 percent of those surveyed report a high level of confidence (48 percent are somewhat confident and 21 percent are extremely confident) in their ability to recover from a cybersecurity attack (Figure 22). This is true for both OT and IT teams.
While this appears optimistic on the surface, when viewed with other data, it may indicate over-confidence. For example, more than four in 10 (44 percent) respondents don’t know if they are using a risk-based framework, and nearly 10 percent say they are not using one. In addition, 81 percent are unsure about how much of their budget they are spending on cybersecurity. Without question, a false sense of confidence about the robustness of a utility’s security posture could be dangerous as it may lead those enterprises to overlook vulnerabilities exploitable by would-be cyber predators.
The current state of cybersecurity in the U.S. power sector demands constant vigilance and attention. As technology rapidly evolves, so do the threats targeting utility vulnerabilities. But with increased awareness, education and investment in cybersecurity measures, utilities will be better positioned to safeguard their systems and customers from the potentially devastating consequences of a cyberattack.
