When it comes to cyber security, large North American integrated utilities have an extremely full agenda. They face a constant barrage of increasingly sophisticated cyber attacks coming from multiple threat actors, including insiders, hacktivists, organized criminals, nation states and terrorists. All are looking for a weakness in the armor of utilities’ cyber defenses. Additionally, they are dealing with enhanced and more integrated regulatory requirements from the North American Reliability Council (NERC) for Critical Infrastructure Protection’s (CIP) version 5, which has standards that must be met by April 1, 2016. At the same time, utilities are implementing more automation solutions across their information technology (IT) and operational technology (OT) assets to drive efficiency and productivity gains, delivering on commitments made to their rate payers. All of these are converging to create a new and enlarged attack surface for cyber threats.
In a more legacy-based, analogue and serially connected operating environment, systemic cyber attacks were far less likely; however, this is no longer the case in an increasingly connected world where:
- Automation is driving IT and OT convergence.
- Remote third-party vendors require access to a utility’s infrastructure to support their devices.
- Consumers are demanding real-time data for everything from electric usage to outage recovery times.
- The workforce is undergoing a generational shift to millennials, who expect everything and everyone to be connected.
Yet it’s not uncommon to hear organizations, even large multi-jurisdictional utilities, argue over whether attacks breaching both the enterprise and operational systems are possible. But refusing to acknowledge the existence of a potential problem does not negate its reality; it merely means if and when something does happen, an organization may not be appropriately prepared to respond.
Realistically speaking, it is not possible to mitigate all threats, and implementing the latest and greatest cyber-defense technologies can be very costly, both from a capital and an operational perspective. Such technologies are also not always effective. These circumstances require a new sense of realism for the power industry—if a utility has not already suffered a breach at some level, it will inevitably come at some point.
Understanding utility enterprise risks versus threats and having a plan to respond to malicious events is paramount. And that thinking is very different from the traditional approach, in which an attack has been viewed as improbable and even impossible.
While converging technologies create new challenges and vulnerabilities, they also offer the means to solve them. Advanced analytics, for example, will at some point offer manageable and cost-effective predictive capabilities able to address the considerable risks utilities face, but the industry is not there yet.
While there is no foolproof way to be prepared for an event, utilities can take action now. Companies that develop a cyber-incident management plan, identify and engage their first responders—internal and third-party—and regularly test their plan just as they would for business continuity and disaster recovery will be far ahead of their contemporaries in cyber preparedness. There is no single solution to prevent cyber incidents. However, previous breaches have demonstrated that the most prepared organizations will be the quickest to recover—protecting the assets and data critical to their operations.
Jim Guinn, II, managing director, Accenture Operations, is the lead for Accenture’s Resources cyber security group delivering solutions for clients in the energy, utilities, chemicals and mining sectors globally. Jim’s responsibilities include helping companies manage complex cyber security and privacy needs in the connected world.