Multinational consulting firm KPMG recently completed its annual global survey of 1,300 CEOs, including a subset of CEOs from some of the world’s largest utilities. Perhaps not surprisingly—given the events in the Ukraine, the recent warning from the U.S. Department of Homeland Security, and the constant news concerning hacks in various industries—CEOs in the electricity sector indicated a strong concern with cybersecurity. In fact, according to KPMG, fully 48% "showed concern that becoming a victim of a cyber-attack is a matter of 'when' and not 'if.'"
Many Utilities Unprepared for the Cyber Future
Just as concerning, 42% of those utility CEOs surveyed did not feel prepared in their organization’s ability to identify the cyber threat, while 37% were not confident they could contain the impact of a cyber attack on strategic operations.
The cyber threat is growing, as hackers become more sophisticated and advanced in their capabilities. And they have chosen utilities as one of their favorite targets. In a recent report on the topic, the U.S. Department of Energy (DOE) observed that the growth of digital technologies on the grid "has created a large attack surface and new opportunities for malicious cyber threats." At the same time, the DOE noted, "the frequency, scale, and sophistication of cyber threats have increased, and attacks have become easier to launch. Nation-states, criminals, and terrorists regularly probe energy systems to actively exploit cyber vulnerabilities..."
Just recently, Duke Energy–one of the larger U.S. utilities with 7.6 million accounts—acknowledged that it dealt with over 650 million attempted cyberattacks in 2017, and Connecticut utility Eversource estimates that they fend off about a million probes a day. It appears that no utility is exempt, as even small cooperatives have been targeted.
What to Do?
The challenge of dealing with cyber security is bewildering, and requires investments in talent, processes, and technology that utilities are just now beginning to understand.
Utilities need to develop a full understanding of the threat and potential implications for their infrastructures and civil society. They must also understand the increasing interdependence—and associated vulnerability—with the natural gas and communications networks. And they must develop a series of strategies and investments, assigning priorities to each based on risks and rewards.
Fortunately, there is an emerging set of tools and technologies that can help. At the national level, for example, the Cybersecurity Risk Information Sharing Program (CRISP) offers utilities a forum for immediate sharing of cyber threat data, and for analyzing this information with the assistance of U.S. intelligence. Deploying technologies originally utilized to defend the DOE,
CRISP assists utilities in identifying "malicious traffic" within their IT systems and delivers cyber alerts. To date, 26 utilities—accounting for 75% of U.S. electricity customers—are engaged in the CRISP program. Many additional technologies are currently being developed and tested.
One critical security element in the cyber landscape—and high on the priority list—must be the development of secure communications capabilities, since connectivity with assets is a main avenue for network infiltration. This is an area that utilities must take steps to harden, starting first with the most critical assets.
Technology that minimizes or eliminates attack surfaces—making them invisible or extremely difficult to compromise—are of increasing value to the electric utility and should be part of the toolkit. Dispersive Networks’ approach addresses security in new ways, securing every endpoint and ensuring data is not compromised and entire systems are not compromised.