Increasing attacks highlight the critical need for enhanced cybersecurity for energy and utilities companies. AI introduces solutions and risks while evolving regulations aim to mitigate challenges. We discuss our thoughts on three utility cybersecurity trends in this blog.
The need for energy and utility organizations to focus on cybersecurity has never been higher. Recent attacks within the utility and energy sector have included large-scale data breaches and remote disabling of grid infrastructure.
In fact, according to research from Skybox Security, 87 percent of utilities have experienced at least one security breach in the past 36 months, a staggering figure. Headlines about threats such as Volt Typhoon continue to emphasize the importance of cybersecurity awareness and policies to protect our nation’s critical infrastructure.
While an increasingly digital world offers many benefits for energy and utility organizations — including improvements in customer satisfaction and power delivery, enhanced operational efficiencies, and more efficient management of resources — grid modernization also increases the potential exposure to cyberattacks.
To help prepare for this new landscape, we discuss the three trends and influencers for 2024 and what your organization can do to stay secure.
Increased Focus on AI Solutions and Their Security Needs
Artificial intelligence (AI) presents a unique opportunity to expand an organization’s cybersecurity capabilities. However, AI also introduces new challenges to creating a safe and secure environment.
The opportunities AI affords are immense. Predictive analytics can optimize asset maintenance schedules. AI-empowered smart grids can dynamically adjust energy distribution based on real-time demand, enhancing reliability and reducing waste. AI-driven customer service solutions can personalize interactions, leading to greater satisfaction and loyalty.
Moreover, AI can automate and enhance the capabilities of cybersecurity teams. For example, AI can counter the advanced methods today’s hackers use, including living-off-the-land (LOTL) techniques. LOTL uses built-in network administration tools rather than malware to gain access to critical infrastructure. By using AI and machine learning, organizations can better detect abnormal activity and patterns at a previously impossible scale.
However, innovation is not without risk. AI introduces cybersecurity challenges within the utility sector because it relies on vast amounts of sensitive operational, infrastructure and customer data. One major concern is the potential for malicious actors to exploit AI algorithms, leading to data breaches or system manipulations.
As AI systems become more interconnected with critical infrastructure, they create additional entry points for cyberattacks, especially through third-party software and vendors. Finally, the rapid evolution of AI may outpace security measures developed specifically for this industry, leaving utilities especially vulnerable to potential threats if they do not adequately prepare and monitor activity.
How can utilities mitigate the risk of AI adoption within their organizations? Here are a few actionable recommendations:
- Risk Assessments: Conduct comprehensive security risk assessments within each AI implementation — both at the start of a project and on an ongoing basis. Assessments should include penetration testing and code reviews.
- Data Controls: Data powers AI implementations. Ensure you implement robust encryption and access controls. Secure data transmission is one of the most critical components of ensuring that only authorized team members can access your data.
- Training: Invest in AI-specific cybersecurity training for your security and development teams.
Increased Regulations Present Challenges and Opportunities
Regulators have made great progress in better defining cybersecurity requirements for the energy and utilities industry over the past few years, and we anticipate this trend to continue. Recently, we saw the National Institute of Standards and Technology (NIST) issue its Cybersecurity Framework 2.0, continued updates to NERC CIP, the creation of cybersecurity baselines for electric distribution systems and distributed energy resources (DER) by the National Association of Regulatory Utility Commissioners (NARUC) and the Department of Energy (DOE), and the White House Cybersecurity Strategy plan, to name only a few examples.
Not only will the regulations continue to become better defined, but new types of organizations will have to meet more stringent standards, including renewable energy companies, assets traditionally defined as “low impact,” the water utility sector, and small utilities. Despite the obvious benefits of implementing these standards, organizations may face several challenges when attempting to implement them:
- Lack of Talent and Budgets: Recruiting individuals who understand and can implement these new regulations may be challenging for smaller organizations with limited budgets and fewer resources to build robust, in-house security teams.
- Confusion Around Applicability: While the baselines established by NARUC and the DOE provide a strong resource for state public utility commissions, utilities, and DER operators and aggregators, confusion still exists around applicability. Moreover, adoption has been inconsistent because the guidelines are recommendations, not requirements.
- Industry Pushback: Due to cost and implementation concerns, the industry has resisted establishing nationally mandated standards. For example, the Environmental Protection Agency (EPA), facing challenges from state attorneys general and water associations, pulled back from mandating cyber risk assessments for water utilities in 2023.
Despite these challenges, companies should proactively prepare to meet these guidelines to protect assets, even if not federally mandated.
Looking forward to the next few years, our Cybersecurity services team anticipates further regulatory changes, including enhanced security standards for critical infrastructure, a focus on information sharing across governmental agencies and companies, and continued expansion of data privacy regulations.
Supply Chain Security Ramps Up
Utilities increasingly rely on third-party software vendors to support their critical functions. In 2020, the SolarWinds hack, a sophisticated cyberattack targeting SolarWinds’ Orion platform used for network monitoring, rocked the industry. The breach allowed hackers to infiltrate organizations worldwide that rely on SolarWinds for infrastructure management, including as much as 25 percent of the utility industry.
The event exposed vulnerabilities in utility cybersecurity policies and illuminated the need for robust security guidelines not only within the utility itself but also with its third-party software providers.
To protect organizations against potential vulnerabilities, utilities must consider:
- Vendor Vetting: Organizations should conduct regular and thorough assessments of third-party software vendors and their security protocols before and during the procurement process. You should review security certifications and SOC reports as part of the auditing process. Moreover, contracts and MSAs should outline clear requirements around protocols that the organizations must follow to remain compliant and set a standard for incident management and reporting. Finally, account for insurance and liability clauses in contracts, including the provisions related to cybersecurity insurance requirements. NIST maintains a useful checklist of questions to ask your third-party software providers as part of the procurement process.
- Regular Audits: Organizations should conduct regular security audits and perform penetration testing to identify and address potential vulnerabilities.
- Access Management: Implement robust security features for software access, including multifactor authentication, encryption and network segmentation. Have these protocols in place for both employees and contractors.
- Training: Make sure your employees and contractors receive regular cybersecurity training and education.
- Ongoing Review and Governance: Establish a governance framework for overseeing the security of third-party software. Conduct regular reviews with the vendor to ensure ongoing compliance.
- Focus on Full Network Security: Traditionally, utilities managed their applications on-premises. However, the shift to the cloud, the high use of third-party contractors, and the increase in the number of remote workers have expanded the complexity of network security. Cybersecurity teams must implement policies to ensure that they can monitor their full infrastructure.
Conclusion
Cybersecurity will continue to be one of the top focus areas for energy and utility organizations. Proactive planning and continuous monitoring are your best methods of ensuring your organization’s security.
For more information on smart vendor security, read our CEO Larry English’s article “Smart Vendor Security Is Key to Avoiding a Data Breach in 2024” or reach out to talk to a member of our cybersecurity team.