August 03, 2018
Cybersecurity: moving beyond compliance to capability
By: Thomas C. Ryan

Imagine you’re sitting in the executive chair, when the lights suddenly flicker and go out. Everything stops working—no lights or phones—the only thing still functioning is your cellphone. Maybe, if it’s cloud-based, your email system is working. What do you do next?

Today, this is a question that more and more executives can answer, due to the growing focus on cybersecurity and security-related exercises like the US-based national-level GridEx series. But for T&D utilities, many questions remain. What’s on the horizon? What will the next attack look like? What happens when adversaries start attacking my operational technology (OT) as well as my IT? Will my previous investment help me prevent and respond to the next attack?

To answer these questions, we need three things.

First, we need to understand that ‘cyber’ security is not just about technology, but also impacts operations. Recently, a colleague and I were discussing her Southeast Asian client’s security concerns. The company’s Chief Information Security Officer (CISO) understood the threat from one of its regional neighbors—let’s call it the “Kingdom of Asia” (KoA). But a C-suite colleague in charge of the T&D business seemed oblivious, regularly fielding delegations from the KoA in the company’s control rooms and buying OT from KoA-based providers. Instead of focusing on the KoA’s long-term interest in his country’s critical infrastructure, this executive was simply looking to the CISO to solve the ‘cyber’ problem by ensuring compliance with national IT security regulations.

The CISO was seeking advice on how to get this T&D executive to understand and own his part of the problem. And accepting ownership is key. Most operational executives own some part of the OT. When an attack comes, their personnel will be in the front line, and may even be the adversary’s key vector. Hence the CISO’s determination to get his peer on board.

How to do this? Our experience shows the most effective way to boost awareness and improve capabilities across a company full of engineers is to give them a problem to solve. We advised the CISO to provide this executive with a credible attack scenario that didn’t just affect technology, but also impacted his operations—then use a new approach with an ideal mix of analytical power, creativity and innovation to develop capabilities that went beyond standards compliance. This approach not only helped solve the issue, but also forced the breakdown of silos between technologists and operations to define and co-create the company’s capabilities.

Second, recognize that cybersecurity standards lag the cybersecurity threat. My conversations with leading thinkers in security reveal a growing consensus that cyber threats are evolving faster than the standards and, indeed, faster than “cyber warriors” could have predicted. The line between some nation-state cyber programs and cyber criminals is evaporating. What would have been criminal gang activity to steal money 10 years ago is morphing into state-affiliated criminal activity for hire. If you’re an energy provider and your competitor in the KoA wants to devalue your company, there’s a group for that. If you’re a utility providing service to a key competitor of Nation State X in your service territory, there’s a group for that too. Fact is, criminals have increasing access to nation state tools—and some nation states are actively protecting those criminals.

So, if your company is investing in assets based solely on current standards, you are playing with big risks. As an industry, we need to think about capabilities to prevent, protect, respond and recover across the business, and not focus just on outdated standards. We can do this through intelligent security.

This brings us to the third step: make security intelligent. Our Digitally Enabled Grid research shows utilities in Europe and Asia seek advice from their national security services more often than those in North America. But all utilities should be using strategic intelligence to help drive their business strategy.

This is more than threat intelligence. As we saw in Ukraine, adversarial nations have an interest in national utilities’ OT. Since the attack, Ukrainian T&D executives probably know more about Russia’s interests and capabilities than any of their peers elsewhere, and Ukrainian and Western governments have provided much more information.

But what if you’re a Dutch or Brazilian utility executive? Do you really understand your adversaries’ interests in your company or their capabilities? Are you buying “suspiciously low-cost” assets and technology from them? Have you empowered your company with the intelligence to understand the threat, and begun to drive a culture of intelligent security throughout the organization, not just in IT?

These questions all boil down to one key issue for any T&D utility: how to develop an intelligent security capability while delivering short and long-term value to the company. Ultimately, this is a challenge that every utility will need to address.
