Utilities cautioned to act now to strengthen their cyber security defences: Accenture

Unprepared distribution utilities are urged to immediately begin improving their cyber security capabilities given the anticipated future hike in cyber attacks and the fact that most recently polled utility executives say such an attack could interrupt electricity supply, Accenture suggests in a new report.

Of the more than 100 utility decision-makers from 20-plus countries who were interviewed, in excess of four in 10 respondents report cyber security risks “were not, or were only partially integrated, into their broader risk management processes,” notes a statement Wednesday from Accenture, a global professional services company.

Findings are contained in the new report, Outsmarting Grid Security Threats, part of Accenture’s Digitally Enabled Grid research program. Respondents, including those from Canada, are involved in the decision-making process for smart grid-related matters.

“Siloed processes could mean new threats and responses go unidentified or do not receive appropriate senior management scrutiny,” cautions the report. “Utilities need to engage effectively with government and industry forums so that new threats are managed quickly and effectively,” it suggests.

Related: Cybersecurity company discovers malware designed to perform attacks on power supply infrastructure

Although “a typical distribution grid has neither the size of a transmission network nor the same risks of cascading failure,” states the report, “distribution grids have the same vulnerabilities and, as a potentially softer target, could be increasingly subject to attack.”

In all, 63% of those surveyed say they believe their country faces at least a moderate – 14%, significant (more than 20%); 49%, moderate (1% to 10%) – risk of electricity supply interruption from a cyber attack on electric distribution grids in the next five years.

The outlook is even less encouraging for utilities executives in North America, 76% of whom identify this is at least a moderate risk (25%, significant; 52%, moderate).

“A significant number of distribution utilities have much to do in developing a robust cyber response capability,” the survey findings show.

Just 6% of executives for distribution utilities say they feel “extremely well-prepared and 48% well-prepared, when it came to restoring normal grid operations following a cyber attack,” notes the statement from Accenture.

“As highly sophisticated, weaponized malware is being developed, a greater risk to distribution businesses arises from cyber criminals and others who would use it for malicious purposes,” Stephanie Jamison, managing director, Accenture Transmission and Distribution, reports in the statement.

While almost a third of respondents see cyber criminals as the biggest risk for distribution businesses in Asia Pacific and Europe, 32% of respondents in North America consider attacks by governments as a bigger risk than in regions worldwide.

Respondents regard cyber attack-related supply disruption as their biggest concern, reported by 57% of those surveyed, but 53% also cite employee and/or customer safety, and 43% identify the destruction of physical assets.

“Attacks on industrial control systems could disrupt grid reliability and the safety and well-being of employees and the public. Not getting it right could be a brand killer, as well as a real threat for a country and the community,” Jamison cautions.

“A successful attack could erode public trust in the utility and raise questions about the security of all devices along the value chain,” the report emphasizes. “Developing effective strategies to secure smart grids against potential cyber breaches is, therefore, both an imperative and urgently required,” it adds.

Accenture recommends utilities that have not already done so build and scale the cyber defence of their delivery systems. In addition, they “must invest in resilience of their smart grid, as well as effective response and recovery capabilities.”

While the solution will be specific to the utility in question, there are some things all entities should consider as part of upping resilience and response to cyber attacks:

• integrate resilience into asset and process design, including cyber and physical security;
• share intelligence and information as a critical activity that could help create situational awareness of the latest threat landscape and how to prepare accordingly, and
• develop security and emergency management governance models.

With regard to resilience readiness, the survey shows 27% of respondents say they are at or near the highest level of performance for design for protection of key assets; 39% for maintaining resilience readiness; and 37% for cyber-incident recovery.

With regard to response readiness, 24% of respondents say they are at or near the highest level of performance for ensuring stakeholder involvement; 30% for protection and recovery of key assets; and 38% for cyber-response plan.

Clearly, there are positives and negatives related to the increased connectivity of industrial control systems enabled by the smart grid.

The former includes significant benefits for safety, productivity, improved quality of service and operational efficiency; the latter includes risks to the grid, as well as the influence of developments like connected home hubs and smart appliances.

Survey findings indicate nine in 10 (88%) of respondents see cyber security as a major concern in smart grid deployment, while 77% of polled executives regard the Internet of Things (IoT) as a potential threat to cyber security.

Related: Internet of Things spending to reach US$1.29 trillion by 2020, insurance industry to see fast spending growth: report

These threats could include “hacking a large number of home hubs, or smart thermostats that have control over household appliances such as heating and cooling systems. That raises the potential to drive coordinated large-scale changes to energy demand that could destabilize the grid,” the report points out.

“The limited security features of many IoT components mean distribution companies should assume that what can be hacked will be hacked, and should develop appropriate defensive measures to prevent the IoT becoming an attack vector into the grid itself,” the report recommends.

“The current technology landscape for many utilities features control systems that work on old or vulnerable operating systems – commonly without sufficient processing power to run effective virus scans; a lack of encryption or authorization on communications channels – accompanied by limited or no security for end-points such as programmable logic controllers and intelligent end devices,” the report explains.

“So, rather than seeing it as creating additional vulnerability, deployment of the smart grid should be thought of as a key element of the security solution for distribution businesses, offering sophisticated protection to previously vulnerable assets.”

“Deployment of the smart grid could open new attack vectors if cyber security is not a core component of the design,” Jamison cautions. “However, the smart grid can also bring sophisticated protection to assets that were previously vulnerable through improved situational awareness and control of the grid.”

Another issue is that more scrutiny of the smart grid’s broader supply chain is needed. “Suppliers of hardware or services can have their solutions compromised by third parties, providing an easy route into the heart of a distribution business,” the report points out.

In addition, consideration needs to be given to “experience from other sectors, including financial services and retail, (which) shows that attackers have routinely breached infrastructures that were considered 100% compliant with regulations,” the report notes.

“Regulation tends to be too generic and lags actual threat intelligence, making it an inadequate benchmark for effective security,” it adds.

“Recent attacks such as NotPetya, a highly disruptive piece of malware that masqueraded as ransomware, have also demonstrated that collateral damage to unintended targets is an increasing concern,” the report states.

“Irrespective of motive, a successful attack could see large populations suffering major power outages, as well as causing enormous business disruption and economic damage,” it cautions.

“Cyber security must become a core competency in the industry by protecting the entire value chain and the extended ecosystem end-to-end,” suggests Jim Guinn, managing director who leads Accenture’s security practice for resources industries.

Utilities “need an agile and swift capability that creates and leverages situational awareness, and that can quickly react and intervene to protect the grid,” Guinn adds.

Related: Cat Claws