A previous version of this article was published on the Northwest Public Power Association website.
Cyberattacks are now a normal threat to utilities everywhere. For many organizations, it’s no longer a question of whether they will be compromised but when they will be compromised.
In its 2023 IC3 report, the FBI stated losses from cybercrime reported by companies totaled $12.5 billion. In 2024, the global average data breach cost increased to an all-time high of $4.88 million.
High-profile enterprise hacking leads to the loss of important data, customer confidence, and hundreds of millions of dollars in legal fees, notification costs, and technology remediation.
Because of this, executives at organizations of all sizes are now paying more attention to their entities’ cybersecurity vulnerabilities. Investors and boards of directors are increasingly holding management accountable for cybersecurity, customers and partners are demanding that adequate cybersecurity controls be in place before conducting business, and states and regulatory bodies are legally mandating cybersecurity.
Utilities are core to our national infrastructure and provide the stability behind everything we do — and are no exception to the dangers of cybersecurity breaches, so being prepared with strong cybersecurity practices is crucial.
Dangerous trends and increasing threats
In an evolving cybersecurity environment, new potentially dangerous trends are always on the horizon, but a few stand out as the most threatening.
Emerging technology
The rapid proliferation of new technology, including AI, along with a wide array of mobile devices and cloud-based solutions, provides hackers with many more entry points to attack.
Many utilities are switching from old systems to cloud or hybrid cloud, and are undertaking digital transformations, while trying to protect and organize their data.
Digital transformation can help facilitate security, analytics, and make things easier to orchestrate. However, it can be used as an enabling tool by hackers to find gaps and automate attacks.
International threats
Economic espionage, or cyberespionage, isn’t limited by borders. It isn’t uncommon for overseas companies to target entities of significant importance to our nation’s infrastructure, such as the electric power grid or water supply.
While the act itself isn’t necessarily something new, there are now organized and contracted teams leading the attack.
Shortage of IT risk and compliance talent
As more breaches occur and costs rise, it’s hard for both the public and private sectors to keep up with the latest patches and malware and to keep an eye on the ever-changing threat landscape.
It’s estimated that 90% of organizations will suffer critical tech skills shortages in the next two years. There are not enough skilled cybersecurity workers to defend against threats, a gap that cybercriminals have been able to target and exploit.
Attack types
Attackers are increasingly sophisticated and have more access points to networks. Even with stronger security defenses, organizations are still at a disadvantage in the fight against hackers.
Sophisticated attacks usually begin with spear phishing. A social engineering attack, spear phishing preys on the psychological willingness of employees to divulge confidential digital information.
These attacks typically involve an email from a hacker who impersonates an individual or business the target knows. The target is usually an employee who may be susceptible to giving up desirable information, such as their system password, company account details, or other private information.
Ransomware
Also known as scareware, this software allows hackers to access an employee’s computer, encrypt sensitive data, and then demand some form of payment to decrypt it. Often beginning with a spear phishing attack, it infects the system and can propagate from there.
Common defense strategies
To protect organizations against these attacks, a combination of administrative and technical controls should be in place before an attack occurs.
Administrative controls
End-user security awareness training
Internal process controls: have at least two sets of approval for requests that meet a certain threshold and confirm any changes to vendor payment information directly with the vendor
Vendor risk management: ensure all third-party vendors comply with the institution's security standards and undergo regular security assessments
Disaster recovery and business continuity plans
Technical controls
Conduct frequent backups and snapshots of databases
Test backups for key systems
Maintain network segmentation
Update antivirus and system software through frequent patching
Implement near real-time monitoring services, such as a firewall information network
Cybersecurity rules and programs
Multiple agencies are involved in providing cybersecurity rules across the utilities sector. Numerous federal agencies have published guidelines for the respective utility sectors they oversee. While the regulations are not perfectly consistent, the requirements overlap.
The National Institute of Standards and Technology (NIST) has published the Cybersecurity Framework (CSF), which was originally developed to help organizations within the energy, communications, and healthcare sectors build effective cybersecurity programs.
Below are some items organizations should consider as cybersecurity programs are implemented, operated, and maintained.
Continued operations
Once the initial program is defined and implemented, allocate personnel and resources to ensure the program continues to function.
There will be critical components of the program that need to operate continuously, and some that will operate on a regular basis. No matter the control or requirement, maintaining the state of operations will help mitigate the likelihood and impact of a cybersecurity incident.
Problem management
All cybersecurity programs require management and upkeep. Each program should have processes to self-identify and correct problems, as well as regular checks for internal and external vulnerabilities through routine system scanning, penetration testing, and control assessments. Each of these provides a feedback loop on how well the cybersecurity program is operating and where there are potential weaknesses.
It's not enough to identify issues; they also need to be resolved. Using a corrective action plan process is critical. Utilities should track identified issues, prioritizing remediation based on the severity of the risk.
In addition, organizations should plan for tabletop tests of their incident response, business continuity, and disaster recovery plans. During a tabletop exercise, a scenario is drafted and presented to the response team, which walks through its possible responses from initial detection to resolution.
Often, teams will identify gaps in their response plans and can use those lessons learned to update the respective plan. If each plan can’t be tested annually, consider a rotation schedule so each is tested on a regular basis.
Last, all cybersecurity plans should be updated, reviewed, and approved each year. Cybersecurity risks change quickly and often. However, organizations can be prepared to handle these scenarios with a well-built cybersecurity plan.