Oct 31 2022

Are Energy and Utility Companies Underestimating the Risk of a Cyberattack?

The industry takes security more seriously now than ever, but more needs to be done.

No industry is safe from cyberattacks these days, but few industries are at greater risk than the energy and utility sector. While cyberattacks have been increasing across multiple industries for many years, E&U companies saw an increase in average weekly attacks of 46 percent last year, according to a study by the cybersecurity firm Check Point.

Considering the critical nature of the sector’s services, there has been a growing push to be better prepared for cyberattacks, especially as ransomware attacks have become more frequent and destructive. But is the industry doing enough?


The State of Cyberthreats in the E&U Industry

Globally, the sector hasn’t always taken the threat of cyberattacks as seriously as it should have, says Brian Wrozek, a principal analyst at Forrester. “It’s been a gradual acceptance,” he says. The past five years, however, have seen an increase in high-profile security incidents and government regulation that is difficult to ignore. “That’s increased their awareness and sense of urgency,” he says.

Two other factors have caused industry leaders to take greater notice of cyberthreats.

The first is the digital transformation of critical infrastructure, which is introducing more internet-connected devices inside energy and utility facilities. While these devices provide numerous benefits to companies and consumers, they also offer many more endpoints susceptible to cyberattacks.

The second factor is the growing convergence of IT and operational technology. In the past, OT systems have been fairly resistant to cyberattack, but that’s changing as those systems become more deeply intertwined with IT networks. That makes a successful attack on OT more likely, and the consequences are more significant because it is the OT that runs the critical equipment inside E&U plants.

This is why 49 percent of energy and utility CEOs questioned in a recent PwC survey cite cyberattacks as among their top three concerns. Nonetheless, the fact that 51 percent of executives don’t rank the threat so highly shows that it may still not be taken seriously enough.

Click the banner below to explore a range of security services for energy and utility companies.

Thin E&U Operating Margins Pinch Cybersecurity Efforts

The truth is it’s not a matter of underestimation or unwillingness so much as logistical challenges around prioritizing cybersecurity, says Wrozek.

“Investment in stronger security controls is still lagging,” he says, but much of that is due to financial constraints. “Budgets are a real challenge in these environments where you have very thin operating margins.”

The cost of hiring expert cybersecurity staff is also a challenge, especially since the sector is also affected by a formidable labor shortage compared with other industries. “The lack of skilled cybersecurity specialists is even more pronounced in this industry,” says Wrozek. “It’s hard to find a combination of cybersecurity, energy and OT expertise.”

What, then, can the industry do?

DISCOVER: How secure is your organization? Find out with a maturity assessment.

How Energy Companies Can Defend Against Ransomware

Much like in other industries, strong preventive and detective controls are crucial means by which the E&U sector can defend itself. To start, organizations should be moving swiftly to deploy zero-trust security architectures if they haven’t done so already. That means implementing multifactor authentication solutions, as well as tighter management of who is granted access to what, for how long and at what level.

Ensuring full awareness of what technology or equipment is connected to what network and whether there are vulnerabilities is also important. Network segmentation also can help ensure that if an IT network is compromised, attackers can’t as easily gain access to OT infrastructure.

Organizations should also monitor for signs of unauthorized access; threat detection solutions increasingly have artificial intelligence capabilities built in. “It’s helpful for attack prevention and detection, threat intelligence and threat hunting,” says Wrozek. “It’s also good for behavior analysis to spot anomalies.”

It’s worth noting that AI can not only help track attacker behavior but also can be leveraged to provide oversight of third-party use, such as how vendors are accessing an E&U company’s networks.

Incident Response Is Critical for E&U Companies

Contending with modern cyberattacks means being prepared for attacks that do happen. More so than in most other industries, energy and utility companies need clear incident response procedures and must practice them, Wrozek says.

Organizations should be ready with emergency response plans that cover a comprehensive range of potential cyberattack scenarios. The more prepared a company is to restore services after an attack, the less leverage the attackers will have. It’s also important that any response plans be reviewed, tested and updated annually to keep pace with the ever-evolving threat.

Bookmark this page for more stories during Cybersecurity Awareness Month.

skynesher/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.