Because of the highly dynamic technology and threat environment, cybersecurity has its tentacles in nearly every aspect of the electric industry, from assessing ongoing threats to identifying and mitigating system vulnerabilities, commissioning new devices that monitor air quality, and securing weather stations.
As if that weren’t enough, cybersecurity experts in the electric sphere are responsible for maintaining compliance with the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) standards.
Long story short, the industry’s cybersecurity professionals have their hands full. But Black & Veatch’s 2022-2023 Electric Report — expert analysis of a survey of about 250 U.S. electric sector stakeholders — illustrates that these professionals are rising to the occasion, performing regular cybersecurity assessments, showing awareness of the latest threats, and exploring new technologies and platforms to modernize their organizations.
Responding to the threat landscape
When asked about the top challenges facing the electric industry today, a relatively low number (18 percent) of respondents selected cybersecurity — a promising sign that the majority of respondents feel they could have cybersecurity under control. This might be due in part to the high number (45 percent) of respondents stating that the last cybersecurity assessment was done in 2022 or is currently being conducted.
Cybersecurity assessments are not a one-size-fits-all endeavor. But this high number of positive responses — coupled with the fact that 46 percent of respondents are in the implementation phase of their security plans — demonstrates that cybersecurity professionals are cognizant of and responding to the current threat landscape.
Phishing (79 percent) and ransomware (67 percent) took the top two spots as the cyber threats drawing the most concern among respondents (Figure 28).
When asked to assess their confidence in recovering from a cyberattack, just one-quarter reported they were “extremely confident,” with 47 percent “somewhat confident” (Figure 29). Low confidence levels may point back to maturing incident response plans using a variety of incidents, including the top-cited concerns about phishing and ransomware.
It’s no secret that cloud computing is here to stay. Organizations of all sizes now understand that cloud technology allows for increased agility, collaboration, and ability to scale, among a host of other advantages. The electric industry has taken note; 58 percent of respondents are considering the adoption of cloud environments to modernize their organization (Figure 30). However, questions remain about Supervisory Control and Data Acquisition (SCADA) in the cloud, as well as using the cloud for operational technology (OT) environments.
When it comes to modernization, electric sector cybersecurity professionals also have their sights on the adoption of emerging technologies. One-third — 32 percent — reported that they are considering the use of the internet of things (IoT) — a somewhat high number considering IoT technologies are vastly different from the traditional, regimented structure of the electric utility. On a similar note, 47 percent are considering the adoption of software-based platforms for protective equipment. Additionally, the Department of Energy recently published the National Cyber-Informed Engineering (CIE) Strategy to develop a reference architecture for electric energy OT, which has the potential to be a game changer for industrial control system cybersecurity in the electric sector.
While it’s clear that utilities are making moves to modernize, 72 percent of respondents don’t know if their utility is aware of and considering a Zero Trust architecture. Given that Zero Trust is still an emerging security framework, the uncertainty here may point to the fact that 21 percent of respondents listed an aging workforce as one of their top concerns. Many utility professionals who have been in the industry for decades and are nearing retirement simply may not know what Zero Trust is or how to implement it, illustrating the potential for Zero Trust architecture to be adopted more broadly as the sector continues its modernization.
As a traditionally regimented industry, the electric sector is showing signs of a digital transformation. Cloud adoption and emerging technologies such as IoT are entering the industry at high rates. With new technology come new vulnerabilities, and while the sector has security plans and regular assessments in place to mitigate those threats, confidence in surmounting attacks remains low.
Questions remain about SCADA in the cloud, Zero Trust adoption, and the regulatory environment. But opportunity abounds for those who continue to embrace technology in safeguarding their systems and ultimately transforming the electric sector.