This is one of four articles related to the 2021 State of the Electric Utility Survey Report. To see the other articles and download the report, visit our State of the Electric Utility landing page.
Power companies are more focused than ever on cybersecurity, and experts say results of Utility Dive's 8th annual State of the Electric Utility (SEU) survey show an industry working to better secure the grid. But they also say the responses reveal cause for concern — including the potential for misplaced utility efforts and under-investment in emerging technologies
"Overall, the U.S. electric power industry is doing a good job of addressing known cybersecurity threats," said independent utility security consultant Tom Alrich. But he also questioned the focus many utilities have on securing information networks amid a growing threat to operational technology and industrial control networks.
Security efforts focused on the "front door" of network security will be "quite inadequate at preventing attacks coming through the back door, namely through suppliers of software and hardware that can touch the grid in some way," Alrich said.
Four out of five survey respondents say their organizations are training all employees in safe email use, how to spot phishing attempts, and similar skills in order to improve security posture. On the one hand, that's good. Utilities face a near-constant barrage of phishing attempts and "any education is always a good thing," said Jerry Ray, chief operations officer at cybersecurity company SecureAge.
But Ray also said utilities' focus on training employees puts responsibility in the wrong place and underestimates the sophistication of the threat. "They are foisting responsibility on employees that were hired to do something else," he said.
"When it comes to recognizing phishing emails or having some type of security discipline, that's already been taken into account by attackers," said Ray. Behind any sophisticated effort, he said, are bad actors well aware of what low-level countermeasures must be avoided. Hackers turn this into a game of numbers.
Hackers "only need one point of failure — and it's ok to try 99 others because there's so little cost to the attack," said Ray. "When I see things like employee training, and particularly any type of employee awareness, all of that is doomed to fail."
The solution isn't to force employees to be ever-more vigilant, but for utilities to deploy data encryption and other tools, said Ray.
No amount of employee training will eliminate the occasional mistake, said Tobias Whitney, vice president of energy security solutions at Fortress Information Security. "If you're relying purely on training, that's going to be woefully inadequate," he said.
Utilities are deploying tools and taking other steps. In the SEU survey, 57% of respondents identified increased spending on digital operations and security. Some experts say that may not be high enough.
"Given the increased scrutiny, you'd like to see that number higher," said Whitney. But, he added, that doesn't mean utilities are not spending — they may have already made security investments.
Likewise, said Whitney, the number of utilities (55%) who said they are utilizing systematic and prompt patching for existing systems should also be higher. "That's concerning, frankly," he said. "There may be a lack of automation for managing large quantities of assets."
Utilities "may not fully recognize how they can leverage the use of third party security providers."
VP of Energy Security Solutions, Fortress Information Security
Those concerns were echoed by Nick Cappi, vice president of product management and technical support for cybersecurity firm PAS.
"From a security perspective" the 55% response figure for systematic and prompt patching is "very concerning," Cappi said in an email. "The goal of any security program should be to reduce risk. One of the key ways we can do this is via patching, either from a risk mitigation or remediation standpoint. When only ~50% of the people surveyed say they have a systematic approach to patching we as an industry should be concerned," he said.
And more of utility spending should be going to cloud-based assets, according to Whitney, to allow them to leverage third-party providers' expertise. In the SEU survey, just 38% of respondents identified accelerating cloud adoption to leverage cybersecurity capabilities as a step being taken.
"This appears to be an opportunity for the industry," said Whitney. Utilities "may not fully recognize how they can leverage the use of third party security providers."
Outside security consultants are necessary for the electric sector, said Grant Geyer, chief product officer at Claroty, because of the "chasm" in technology knowledge between attackers and their victims.
"I would like to see more electric utilities leveraging the knowledge base of savvy security firms to help accelerate a smart implementation of organizational and technical safeguards," said Geyer. "Engaging with a cybersecurity firm can help ensure a risk assessment is done so resources can be applied to the top risks."
Geyer said it is a very good sign that 54% of respondents to the SEU survey said they were holding briefings for executives, boards and managers on cybersecurity risks to the power system. He said the response shows a "positive trend in terms of driving awareness with the board, awareness of the challenges and potential risks" and that utilities are creating a "culture of risk management."