19 July 2019
Time for utilities to rethink cybersecurity

The energy industry has become one of the main targets for cybercriminals. Many of us remember the severe incident that hit the most important Ukraine power grid in 2015 or several recent attacks to electrical grid providers in the US. In 2018, cybercrime costed utilities about 17.8 million dollars, says a research paper by Accenture and Ponemon Institute.

From phishing emails and malware to side-channel attacks, from data breaches up to complete plant shut down, cybercriminals have raised the bar and are now able to plan targeted attacks, violating any unprotected layer, including employees or customers. They are also very well equipped to manage multi-dimensional attacks, thus hitting hardware and software, endpoints and servers, as well as processes and resources. We need to consider that stealing money might not the primary criminal goal: sometimes attacks are aimed at disrupting critical public services, causing panic, destabilising people and governments.

In this perspective, utilities are quite a natural, easy target. As asset-intensive businesses, they accelerated the implementation of smart digital technologies to control and remotely manage connected stations, equipment and field devices. Innovations such as smart grids turn power grids into data networks, which are more vulnerable to external threats and can be maliciously accessed.

When hacking these networks, cybercriminals would quickly come to production-related data such as generated power, plant structure and machinery and customer-related pieces of information such as energy consumption of businesses and households, bills, personal data both of which are particularly sensitive. This represents an attractive, remunerative asset that offenders might use to threaten operations, security and privacy.

The challenge for utilities – and their technology consultants – is to create and disseminate a new culture of security, integrating infrastructural efforts to protect plants and systems better, while educating staff and end-users around cybercrime prevention.

In today’s digital world, no organisation is 100% immune from cybersecurity risks, but energy companies dealing with critical assets and resources need to be especially aware of threats and adopt all necessary countermeasures.