Utilities in the United States face a growing threat from ransomware, which gives attackers a direct financial motive on top of any disruption to the power grid. In response, energy companies are making security a priority, and increasingly see it as tied to their corporate culture and their bottom line.
A new survey from cybersecurity firm Mimecast found more than half of energy sector respondents were impacted by ransomware in the past year, and almost three-quarters say it is "inevitable or likely" they will suffer from an email-borne attack this year.
Hackers "focus on [return on investment] just like everyone else," Matthew Gardiner, Mimecast’s cybersecurity strategist, told Utility Dive.
A June attack on multinational energy company Enel Group is evidence of the ransomware trend — as well as how companies can counter the threat.
Cybersecurity begins with the board
While the North American Electric Reliability Corp. (NERC) develops the critical infrastructure protection standards that set baseline security requirements, experts say a compliance-based approach does not go far enough, and that utilities must be incentivized to adopt best practices that can keep pace with rapidly changing threats.
Security is most effective when it begins with organizational leadership, according to the World Economic Forum (WEF).
Addressing the growing threat will require organizations to focus on security as a business continuity and resilience issue — with boards of directors ideally suited to instill a "culture of shared cyber-risk ownership," according to a June WEF report.
"Only the board of directors can instill the cultural shifts and motivate the organizational shifts that must take place to ensure cyber resilience," WEF concluded in its report.
The report lays out a host of recommendations for cyber resilience. Among them: Assign primary oversight of security to a permanent board committee and assign accountability to a senior corporate officer who "is charged with responsibility for governance and oversight of cybersecurity strategy across the IT and OT environments."
Mimecast's Gardiner sees a growing trend of security-minded executives sitting on boards, similar to audit committees whose members include financial experts.
Enel Group was highlighted by WEF as an example of a company that has established a security culture — it established a Cyber Security Risk Committee with its CEO acting as chairperson.
That didn't stop the company from suffering a cyberattack last month — but Enel officials and cyber experts say the company's approach to security may have helped it escape the incident relatively unscathed.
Enel's security culture mitigated ransomware attack, say experts
"Despite an insidious and potentially very damaging attack, the speed and effectiveness of Enel's response ensured that the impacts on business processes were irrelevant," an Enel spokesperson told Utility Dive in an email.
Enel identified the ransomware attack on June 7, following a disruption to its internal IT network. The company said it temporarily isolated its corporate network and restored it the following day. "Temporary disruptions" to customer care activities were possible during the downtime, but the company said the impact stopped there.
Enel said no critical issues concerning the remote control systems of distribution infrastructure and power plants were registered, customer data was not exposed and all internal IT services "were rapidly and efficiently restored, allowing all business activities to run smoothly."
Enel credits its response to efforts begun in 2016 when the company adopted a "structured and systemic approach on cyber security" that included establishing an organizational and procedural framework that set roles and responsibilities for all involved with security. The CEO-chaired committee "has the dual purpose of aligning cyber intervention priorities with corporate strategies," the company said.
"The recent increase in the frequency of attacks on utility sector players underscores the absolute need for this industry to make a change of pace in the active management of cyber risk," the company said.
Enel's work on cybersecurity is "a good example of embedding security strategy with business strategy," Matthew Selheimer, chief marketing officer at cybersecurity firm PAS Global, told Utility Dive. But he disagreed with the WEF report's conclusion that only the board of directors can motivate the corporate culture shifts needed to ensure security.
"Leaning solely on the board of directors to instill cultural shifts and motivate organizational shifts towards cyber resilience can create its own issues," Selheimer said. "Driving [security] solely from the board down can lead to a minimal effort to 'check the box' in order to meet the board requirements."
Pairing security compliance with financial incentives
"Cyber resilience is made much stronger when it is linked to specific business objectives," Selheimer said, including reliability of operations, profitability or the ability to drive competitive advantages through digital transformation. "To make this viewpoint pervasive, board sponsorship helps, but having senior executive sponsorship and oversight by the [Chief Information Security Officer], [Chief Information Officer] and the head of operations is key."
While Enel could not prevent the attack, Shawn Wallace, vice president of energy at IronNet Cybersecurity, told Utility Dive it appears the company's security efforts spared it from potentially expensive losses.
Enel "has moved to a posture of resilience (as opposed to compliance or risk mitigation) and I have to believe this was a contributing factor in their ability to prevent the attack," Wallace said in an email. Having the right corporate governance and culture "will determine if a company views cybersecurity in terms of resilience. Organizations need a champion, be it on the Board of Directors or another senior leader, to carry this forward. Otherwise, they are bound to revert to just compliance."
Federal regulators have recognized this, and are considering steps to give utilities financial incentives to implement stronger security on top of what is required by critical infrastructure protection standards. Last month, the Federal Energy Regulatory Commission issued a white paper contemplating transmission incentives for utilities making voluntary cybersecurity improvements.
"Although regulation is helpful, compliance does not mean a system is secure forever," Joe Saunders, founder and CEO of RunSafe Security, told Utility Dive. "Technology changes faster than regulations adapt, so the best companies will adopt a culture that values security. ... It is also important to rethink software development and deployment practices, aligning development with operations and building security into products while not just relying on perimeter defenses."
Companies must organize themselves "not only internally, but also by participating in multi-stakeholder initiatives, with public and private players, in order to create an ecosystem which is secure by design on products and processes," Enel said.