Survey: 56 percent of utilities have faced a cyberattack in the last year
The utility industry may be more vulnerable to cybersecurity threats than previously realized, according to a new report by Siemens and the Ponemon Institute.
The report, “Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?”, looked at how prepared utilities are for future attacks, as well as offering solutions to create a more secure power grid.
“The utility industry has woken up to the industrial cyber threat and is taking important steps to shore up defenses,” said Leo Simonovich, global head of Industrial Cyber & Digital Security at Siemens. “We hope this report help utilities benchmark their readiness and leverage best practices to stay ahead of attackers.”
More than 1,700 utility professionals were surveyed for the study, all who are specifically responsible for security of cyber risk in Operational Technology (OT) environments at gas, solar, wind assets, and water utilities across the world.
Of those surveyed, 56 percent said they experienced at least one shutdown or operation data loss in the last 12 months, with 25 percent of respondents saying they were impacted by the powerful WannaCry or NotPetya attacks in the past two years.
“Only 42 percent of the survey respondents rated their cyber readiness as high, and only 31 percent were fully ready to respond,” Simonovich said. “Utilities should start by assigning ownership in their organization, checking for the blind spots, getting visibility into their own systems, and prioritizing investment in industrial security.”
One of the main pain points for utilities is due to the adoption of OT power generation, transmission, and distribution needing to connect to already-existing information technology (IT) infrastructure. Simonovich explained that the target of malicious attacks has shifted away from IT and toward OT. This is an important change because “cyberattacks on OT power systems can lead to power outages, personal injury and cause severe financial, environmental and infrastructure damage,” he said.
IT includes “the servers, computers, and mobile devices that enable business operations in the utility industry in office environments” and OT includes “the machines, systems, and networks used to generate, transmit, and distribute power,” according to the report.
The survey found a number of issues that could be easily exploitable, many of which are created as utilities begin to rely on digitalization for data analytics, artificial intelligence, and balancing the grid through renewable energy and distributed power generation.
Thirty percent of cyberattacks on OT systems are not detected, and respondents agreed that attacks on their OT systems have become a greater threat than attacks on their IT systems.
Fewer than one-third of respondents felt that their OT and IT security approaches work together. Zero-day, or novel, attacks were noted as the second-highest risk to their systems (second only to insecure endpoints), and on average, it took utilities 72 days to respond to a malware attack. One of the biggest threats was a lack of human talent to help mitigate attacks and more than half of respondents said they do not have the proper staffing to manage such an attack.
Another 64 percent of respondents said that “sophisticated attacks” are a top challenge and 54 percent said they expect an attack on critical infrastructure in the next 12 months.
The move to decarbonization is an issue utilities are currently dealing with that makes them especially vulnerable to cyber attacks. This includes things like the addition of high-efficiency gas turbines and the upgrade of steam and gas turbines, decentralized hybrid solutions, battery additions, thermal storage hybrid solutions, wind power, and large scale PV.
“Utilities are facing the perfect storm,” said Simonovich. “The digital transformation to modernize legacy equipment and preparing for a more distributed energy landscape also now provides malicious attackers with new targets within a broader attack surface.”
The report did offer a number of solutions for utilities. Cybersecurity approaches include visibility into utility systems, understanding of a utility’s IT and OT systems, and adding to human skill sets. Systems approaches include keeping up with developments in technology, business models, and attack modes; detecting when an attack or other anomaly occurs; and responding when an incident is detected.
The utility industry faces unique challenges, and ensuring their electric delivery remains available, reliable, and safe should remain priorities.