A successful cyberattack against the electric grid could have enormous consequences that would ripple throughout other industries. In a January 2019 report, “Managing Cyber Risk in the Electric Power Sector,” Deloitte notes that energy is one of 16 critical infrastructure sectors identified by the U.S. government as so vital that its incapacitation would have a “debilitating effect” on national security, the economy, health and safety.
“The power sector is seen as uniquely critical for the ‘enabling function’ it provides across all critical infrastructure sectors,” the report notes. “If the power went out across a large region for an extended period, highly dependent systems — such as financial, communications, transportation, water and sewer networks — would be severely impacted, leaving the population immobile, incommunicado and in the dark.”
It’s alarming, then, that cyberattacks against the energy sector are growing in both number and sophistication. Deloitte identifies energy as among the top three sectors targeted for attack in the U.S., quoting U.S. Energy Secretary Rick Perry as saying that attempted intrusions are “happening hundreds of thousands of times a day.”
Attackers Are Targeting Industrial Control Systems
Perhaps the most alarming aspect of the increase in cyberattacks against the energy sector is that hackers no longer seem content to pursue monetary gain alone. Whereas attackers previously targeted utilities’ IT networks mainly to steal data or launch ransomware, Deloitte notes that hackers are increasingly attacking industrial control systems (ICS), potentially laying the groundwork to do physical damage to the grid.
This isn’t merely an academic concern. Deloitte lays out the evolution of ICS attacks over the last decade — including the 2010 Stuxnet attack that irreparably damaged centrifuge equipment at Iranian nuclear facilities, a December 2015 attack that turned off power to 230,000 residents in Ukraine and the 2017 Trisis/Triton attack aimed at triggering an explosion at a petrochemical plant in Saudi Arabia.
The report notes that mitigating risk has become even more challenging as energy suppliers increasingly converge their information technology (IT) and operational technology (OT). “Power companies purchase information, hardware, software, services and more from third parties across the globe,” the report states. “And threat actors can introduce compromised components into a system or network, unintentionally or by design, at any point in the system’s life cycle.”
How Utilities Can Strengthen Their Cybersecurity
Deloitte identifies a number of steps that utilities can take to manage cyber risk across the enterprise and up the supply chain.
First, within the enterprise, energy suppliers should identify and map assets and their connections, prioritizing them by degree of criticality. Next, utilities should determine whether any critical assets or networks have well-known vulnerabilities (such as unchanged default passwords) that can be exploited. Then, power companies should assess the maturity of their controls environment for proactively managing threats, before finally building a framework — incorporating people, processes and technology — to protect critical assets.
To manage risk in the supply chain, the report suggests building safeguards into the procurement process. For example, utilities should obtain or conduct supplier risk assessments, ask suppliers to provide summaries of their security features and require suppliers to respond to cyber security questionnaires.
Finally, it’s critical for energy suppliers to engage with industry peers and government agencies on cybersecurity, and also to innovate and deploy new technologies to manage cyber risk.
“New tools are increasingly available, and the capability to monitor networks in real time, discover threats, and address them is also advancing rapidly,” the report states. “If electric power companies seize these opportunities, they can reduce risk significantly for themselves, the power sector, and, given the critical nature of the service they provide, society as a whole.