The power sector in the the United States faces a growing cybersecurity threat from increasingly sophisticated hackers, but a new survey from Utility Dive shows companies generally believe they are well prepared. And experts concur, pointing to rising spending levels related to security, the expansion of security standards and information sharing across the industry.
But despite industry confidence, Utility Dive's 2020 State of the Electric Utility (SEU) survey reveals there is still much work to be done and state and federal regulators are stepping up to help energy providers address the threat.
"Utilities take security very seriously," Alex Santos, CEO of Fortress Information Security, told Utility Dive. "They have the right people in place and are getting support from upper management, whether with dollars, resources or attention."
Almost two-thirds of respondents to the SEU survey indicated their organization has increased its budget for digital operations and security. But while 62% say they have qualified personnel and updated systems in place, 38% still have issues that need to be addressed.
While specific figures are hard to come by, a new report from Navigant bears out findings that security budgets are on the rise.
Navigant on Tuesday issued a report estimating the global market for energy IT and cybersecurity software and services will surpass $19 billion in 2020 and reach more than $32 billion in 2028. Only about 7% of that is security related, said Navigant research analyst Michael Kelly. But the security component is growing faster than the overall anticipated 6.6% growth rate.
The utility sector has seen an increase in security spending since 2015, when Ukraine's electric grid was hit by a cyberattack that led to a lengthy blackout for almost 250,000 people.
"The Ukraine event certainly woke the industry to the potential impacts of a large-scale event," Kelly told Utility Dive.
The Edison Electric Institute (EEI), which represents investor-owned utilities (IOUs), does not track actual cybersecurity spending. But "anecdotally, the trend line is definitely increasing," Scott Aaronson, the industry group's vice president of security and preparedness, told Utility Dive.
"And it's not just cyber, but critical protection budgets generally," Aaronson said.
Some of that spending is going towards in-house talent, along with partnerships, vendors, suppliers and contractors. "We're thinking about protection of the grid in a more holistic way," Aaronson said. "Security budgets generally are increasing."
In Michigan, regulators have developed rules to ensure close collaboration between the Public Service Commission and energy providers. An interconnected electric grid, increased asset digitalization and materials sourced internationally "really presents some risk," Chairman Sally Talberg said during a Utility Dive webinar on Wednesday to present the SEU results.
Michigan has put in place rules for small and large gas and electric utilities, Talberg said. "Our technical staff meets with them to examine their plans, their mitigation methods, their funding for these programs, to protect against cyber risk." The commission has also instituted incident reporting rules "to protect this information so we have more of a free flow discussion with regulated utilities and can support them in addressing this risk," she said.
Security experts say the utility sector is focused on keeping hackers at bay, despite growing threats.
"Overall, cybersecurity is a topic utilities take incredibly seriously. I don't think you'll find an IOU or muni that isn't paying attention, and they are always looking at what is the right level of investment," Sharon Chand, a principal with Deloitte & Touche's cyber risk services, told Utility Dive.
Chand said her research broadly shows utilities increasing both cybersecurity headcounts and budgets, but she acknowledged there are limits on their resources. "Utilities are always focused on value to shareholders," she said. "There is not an unlimited pool of dollars to pull from. Sometimes looking for efficiencies is the right answer."
Those efficiencies can come in many forms, including information sharing between utilities and Robotic Process Automation (RPA), where automated processes in the form of bots, machine learning and artificial intelligence take a lead role in protecting the electric grid.
A key area for RPA is managing network access certifications, said Chand. Machines can take on the task of monitoring access "cheaply, efficiently and, one could argue, more effectively," she said.
The growing use of RPA can also help the energy sector deal with a cybersecurity workforce shortage, said Chand, which "utilities can sometimes feel more acutely."
"It may be hard for a muni in middle of the country to compete for top talent," said Chand. "We see utility clients today with bots helping to operate controls, control monitoring, and achieve efficiencies. There is also a focus on artificial intelligence, though she sees "more opportunities in the future" as the technology matures.
Cybersecurity spending is outpacing IT spending, especially at utilities and telecommunications firms, according to James Evelyn, vice president of compliance solutions for security firm Force 5.
"The bulk of the spending seems to be in staffing. A lack of qualified cybersecurity professionals that can implement and maintain security systems is driving staffing costs," Evelyn told Utility Dive. While regulations are forcing the implementation of security technology, "utilities are struggling to correctly implement and maintain these technologies to ensure their effectiveness."
Leveraging vendors’ services helps bring expertise and resources to "complete the missing pieces of their defense programs," Evelyn said.
Aaronson said a trend in the last decade has been for utilities to hire Chief Security Officers from the law enforcement community. "It's how you approach any risk ... you look at what the priorities are, and resource them accordingly," he said.
Standards ≠ security
Another key to improving cybersecurity in the utility sector is a growing focus on standards, in particular Critical Infrastructure Protection (CIP) standards set by the North American Electric Reliability Corp. to help ensure the reliability of the bulk power system.
"Not every organization is in compliance 100% of the time, as CIP audit violations attest, but many utilities have significantly increased their annual NERC budgets in an effort to increase compliance," Force 5's Evelyn said. The six regional entities "are also coming alongside NERC to help the utilities in each region develop and maintain a culture of compliance."
But experts also warn that compliance is not synonymous with security, which Utility Dive's annual survey also reflects.
"In 2020, an overwhelming majority of participants (84%) said they believe their organization is now fully or mostly prepared to address cyber threats," SEU2020 found. But a smaller number, less than 60%, "believe their organization is in or approaching compliance with government cybersecurity mandates."
"I'm not surprised by the survey results. You need to decouple security from compliance," Shawn Wallace, vice president of energy at IronNet, told Utility Dive in an email.
Wallace views NERC's CIP standards as a compliance program mostly centered around asset identification, policies and procedures. "A utility can have a robust cybersecurity program and still be out of compliance with NERC CIP; the same is true for the opposite. You can't be trapped into believing that because you have a strong NERC CIP compliance program that your security is good to go."
Aaronson agreed, saying the utility sector "can't pretend compliance equals security."
"The CIP Standards are important for creating a foundational level of security, but compliance with standards is never enough to be secure," he said.
NERC does not release statistics regarding compliance with CIP standards, but does conduct regular audits of utilities through its Compliance Monitoring and Enforcement Program. If instances of noncompliance are found, a mitigation plan is developed and violations may be assessed. The violations, including fines when appropriate, are filed with the Federal Energy Regulatory Commission.
Regulation creates "a minimum acceptable standard, a floor to minimize the number of weak links," Santos said. But he added that the power sector tends to be ahead of standards.
"Utilities have become one of the more secure industries," Santos said. "They have a high security IQ, and are ahead of compliance in many ways. Regulated industries overall have better security than non-regulated, so it is important to have these safeguards."
NERC critical infrastructure standards are useful, according to Greg Conti, senior security strategist at IronNet, "but with any such program, compliance doesn’t mean an organization is fully prepared."
"The key differentiator is how companies innovate and implement cybersecurity on top of baseline standards," Conti said. Large utility companies can lack sector-wide visibility of threats, he said, while smaller municipal and cooperative power companies have limited cybersecurity budgets and fewer staff.
"I’d like to see all members of the sector defend more as a team rather than as individual enterprises to complement NERC compliance," Conti said. He pointed to the Electricity Information Sharing and Analysis Center, mutual support agreements and inter-company collaboration, as areas where the industry is making progress.
"I believe a team-based approach that complements and transcends compliance is absolutely necessary," Conti said.
While the electric sector is well-acquainted with the concept of "load balancing," Santos said the same phrase and idea also applies to risk.
"The utility industry in particular takes care of itself from the perspective of large companies trying to partner with smaller companies," said Santos."Share the risk, share the burden. The industry is extremely collaborative."
Santos said he has worked in a variety of sectors, including health care and finance. "Utilities are by far the most collaborative of any industry, bar none, whether it is a hurricane [response], spare parts or security."
For additional information from the "State of the Electric Utility" Survey, listen to Utility Dive's webinar.