The digital transformation of the power sector brings with it promises of innovation and value creation, with new business models, greater efficiency and improved service delivery. However, the introduction of information technology into power generation, transmission and distribution systems also poses challenges for the industry, including the risk of cyber attacks.
According to the 2018 Global Risk Report from the World Economic Forum (WEF), the number of cyber attacks across sectors of the economy, as well as their impact on organizations, has increased in recent years. The number of security breaches reported by companies has doubled over the past 5 years, and the estimated cost to organizations over the next 5 years could be as high as $8 trillion.
The 2019 Global Risk Report again pointed to cyber attacks as one of the key risks for the coming years, further indicating a growing trend toward attacks on critical infrastructure sectors such as electricity. This increase in attacks on the energy sector is related to the increasing adoption of digital technologies such as Internet of Things (IoT), which add vulnerabilities to systems, increasing their exposure to attacks.
For example, Smart Grids use smart meters that record electricity consumption and send the data in real time directly to utilities over the Internet. While Smart Grids bring benefits to utilities and consumers, from an information security standpoint they increase the attack surface of the electrical system.
Energy organizations can be the victims either of general cyber attacks that do not target a specific company or industry, or of very specific attacks that target the electrical system or a particular company in the industry. The consequences of these cyber attacks range from data theft and billing fraud to damage to infrastructure equipment, which can even compromise the power supply.
In 2017 WannaCry, a ransomware that encrypts computer data and demands ransom payments, reached more than 300,000 computers, affecting individuals and businesses and compromising the operation of telecommunications, banking, financial, government and energy systems in over 150 countries.
In addition to the risk to each individual company, the interconnection of the electrical system can multiply the damage caused by a cyber attack. A well-coordinated attack, focused on the weakest links from a security standpoint, can cause a domino effect that amplifies the scale of the damage. Such an attack could disrupt the power supply of an entire country, causing disruption to society, with impacts on vital services such as schools, hospitals and public safety, to name a few.
The first reported cyber attack to black out the power grid occurred in Ukraine in December 2015. The hackers were able to compromise the systems of three power distribution companies and disrupt the electricity supply to end consumers for several hours.
The malware used in the 2015 Ukraine attack, known as BlackEnergy, shut down 30 power substations, causing a blackout for 230,000 people.
In 2017, Ukraine’s electricity system was subjected to a new attack, albeit with a smaller impact than in 2015. Although there is no proof, Ukrainian authorities attribute these attacks to Russian hackers motivated by geopolitical tensions between the two countries.
In 2018, the US Department of Homeland Security reported attacks by Russian hackers targeting critical US infrastructure sectors, including the nuclear and power sectors. The hackers gained access to the control rooms of American power plants, but there was no interruption in the power supply.
In response to attacks on the electricity sector, international institutions have created recommendations and regulations to improve cybersecurity in industry organizations, such as the NIST Cybersecurity Framework in the US and the NIS Directive in the European Union.
Regulatory initiatives provide a benchmark for industry organizations; however, according to Cyber Resilience in the Electricity Ecosystem (a WEF guide published this year for industry boards), simply complying with these standards does not necessarily ensure the security of these organizations.
Fast digitization of the electricity ecosystem creates a very dynamic scenario, with new types of attacks emerging every day, so regulations are unlikely to keep up with the latest risks. Thus, according to the WEF, it is important for organizations to take a strategic approach to managing cyber risks.
The WEF also emphasizes that responsibility for cyber security should not be delegated solely to the information technology departments of these organizations. Cyber risks should be dealt with systematically, integrated with other business risks, and placed on the agenda of the entire board.
For this reason, the WEF has produced the Cyber Resilience in the Electricity Ecosystem guide to help boards of directors improve cyber security at power companies. The guide lists 10 general cyber governance principles that can be applied to any organization (including utilities), and 7 specific principles for utilities.
Below is the list of 7 specific principles recommended by the WEF to promote cybersecurity in power sector organizations. The complete list (including the 10 general principles) and a more detailed description of each principle can be found in the Cyber Resilience in the Electricity Ecosystem document available online.
Cybersecurity Principles for the Electricity Sector
- Cyber Security Governance
The board should require the implementation of broad cyber governance, covering information technology (IT), operational technology (OT), physical security and digital transformation, ensuring interoperability within the organization and alignment across the entire ecosystem.
- Security by Design
The board should promote a culture of security by design, requiring management to implement and monitor this culture.
- Going beyond compliance
The board must ensure that its cyber security posture goes beyond simply complying with rules and regulations, pursuing comprehensive risk management and securing the necessary funding and resources.
- Assessment and prioritization of systemic risk
The board should ensure that company management understands the organization’s interdependencies within the ecosystem, reports systemic cyber risks to the ecosystem, and plans and prioritizes security efforts appropriately.
- Corporate Responsibility for Cyber Security
The board should encourage company management to consider the cyber risks that the company, its culture and its security practices may impose on the ecosystem, and to identify how those risks can be mitigated.
- Collaboration with the entire ecosystem
The board should empower management to create a collaborative culture, set strategic objectives around information sharing, and understand and mitigate cyber risks in the ecosystem. The board must also actively collaborate with industry peers and policy makers.
- Ecosystem-wide cyber security plans
The board should encourage management to continually create, implement, test and improve collective cyber resilience plans and controls together with other members of the ecosystem. These plans should properly balance preparedness and protection with responsiveness and resilience.