The energy and utilities (E&U) industry has been facing an increase in cyberattacks in recent years. These attacks have caused businesses to shut down for weeks as they recover, significantly impacting customers, employees and suppliers. Unfortunately, many E&U leaders don’t know where to begin when assessing and improving their cybersecurity capabilities. In order to help our E&U clients, Baker Tilly has developed the following list of common issues impacting the E&U industry as a starting point to improving your cybersecurity posture and readiness to respond to a cyberattack.
Service disruption
Our E&U clients tell us that one of their highest concerns is an outage or disruption in their services. When you consider the impact a cyberattack can have on the availability of services, it becomes a top-of-mind issue. The E&U industry deals with a variety of factors that increase the risk of service disruption, whether due to legacy technology, physical security concerns or Internet-of-Things (IoT) devices. A lapse in security in any one of these areas can significantly affect the availability of services.
Recently, we have also seen increased concern from government officials about cyberattacks from nation-state actors aimed at disrupting E&U services. E&U organizations should implement a comprehensive risk management program to address these concerns, including asset inventories (hardware and software), risk assessments, baseline security configurations, patch management, vulnerability scanning and incident response planning. Proactive security measures are required to minimize the likelihood of a successful attack, but being prepared to respond to an attack is just as important to minimize the impact on services.
Industrial control systems and IoT
Industrial control systems (ICS) and IoT devices have proliferated over networks in recent years and have increased operational efficiency; however, with all the positives also come risks. E&U organizations that utilize these new capabilities should assess the risks they may introduce into business operations. Network-connected equipment should be deployed on segmented networks that are protected by firewalls and cannot be directly accessed from the back-office corporate network. Devices that need internet access for monitoring or updates should be tightly controlled through firewall rules that enable only the specific services and ports these devices need to function. Far too often, organizations don’t properly segment or protect these networks and pay the price when a cyberattack occurs: operations grind to a halt and service outages follow. Ransomware attacks specifically target these networks because disrupting them makes the business more likely to pay in order to resume operations as quickly as possible.
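The segmentation guidance above can be checked mechanically against an exported firewall rule set. The following Python sketch is an added example, not a Baker Tilly tool; the address plan, rule names and rule format are constructed assumptions, and it flags corporate-to-ICS access, over-broad outbound rules from the ICS/IoT segment, and a missing final deny-all.

```python
import ipaddress

# Constructed address plan and rules (assumptions, not taken from the article).
CORP = ipaddress.ip_network("10.10.0.0/16")  # back-office corporate network
OT = ipaddress.ip_network("10.50.0.0/16")    # segmented ICS / IoT network

# (name, action, source, destination, protocol, port), evaluated top to bottom
RULES = [
    ("hist-to-corp", "allow", "10.50.1.20/32", "10.10.5.10/32", "tcp", "443"),
    ("corp-rdp-hmi", "allow", "10.10.0.0/16", "10.50.2.0/24", "tcp", "3389"),
    ("iot-updates", "allow", "10.50.3.0/24", "203.0.113.10/32", "tcp", "443"),
    ("iot-any-out", "allow", "10.50.3.0/24", "0.0.0.0/0", "any", "any"),
    ("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"),
]

def audit(rules):
    """Return (rule name, issue) pairs for rules that break the segmentation guidance."""
    findings = []
    for name, action, src, dst, proto, port in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Corporate hosts must not reach ICS/IoT equipment directly.
        if src_net.overlaps(CORP) and dst_net.overlaps(OT):
            findings.append((name, "corp-to-ot"))
        # Traffic leaving the OT segment for a non-internal destination must
        # name a single service: no wildcard protocol, port or destination.
        internal = dst_net.subnet_of(OT) or dst_net.subnet_of(CORP)
        if src_net.overlaps(OT) and not internal:
            if "any" in (proto, port) or dst_net.prefixlen == 0:
                findings.append((name, "broad-ot-egress"))
    # Anything not explicitly allowed should be dropped by a final deny-all.
    last = rules[-1] if rules else None
    if not last or last[1:] != ("deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any"):
        findings.append(("<end of ruleset>", "no-default-deny"))
    return findings

if __name__ == "__main__":
    for rule_name, issue in audit(RULES):
        print(f"{rule_name}: {issue}")
```
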

