In our experience working with utility companies, we have observed three characteristics that make the sector especially vulnerable to contemporary cyberthreats. First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cybercriminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities’ projects or broad agendas. The second vulnerability is utilities’ expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations’ cybersecurity leadership. Finally, the electric-power and gas sector’s unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless “smart meters,” the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.

To answer these challenges, we apply our work in more cyber-sophisticated industries (e.g., banking, national security) and our on-the-ground international experience with utilities at various stages of technological sophistication to propose a three-pronged approach:

  • Strategic intelligence on threats and actors before attacks on the network. Companies must move beyond reactive measures and take a forward-looking approach to security that integrates the security function into critical decisions about corporate expansion and the accompanying increase in infrastructure and geographic complexity. In parallel, leaders must develop security-minded plans to address “known unknowns” as attackers continue to find and utilize new attack vectors.
  • Programs to reduce geographic and operational gaps in awareness and communication, […]