
Utility Companies: Is the Perfect Storm Brewing?

For utility companies, breaches have become increasingly common. It’s been reported that as many as 87% of utility companies have experienced at least one breach over the past thirty-six months. For hackers, utilities include the perfect mix of elements to create an impactful cyberattack:

  • The data a utility company holds is both substantial and valuable. Utilities employ a large staff and a high number of third-party partners, as well as manage a substantial customer base. Not only does this give hackers more data to collect, but it also creates an expansive attack surface across the company’s network and systems.
  • Utilities are more likely than other industries to pay hackers a ransom to recover their data. They’re also paying higher and higher figures, up 30% year-over-year, according to this Utility Dive article.
  • As utility companies adopt more and more digital technology to run their physical operations, these systems become more efficient AND more vulnerable. The increase in efficiency that introducing digital technologies brings to operations also creates new security challenges.
  • Despite the warning signs, many within the industry still don’t consider cybersecurity a priority. A recent survey found that only 24% cited “cybersecurity and physical security” as an issue that was important to their organization. When organizations fail to set operational requirements and don’t train their employees and partners to adhere to information security best practices, the likelihood of an attack increases.

Given these factors, it’s no surprise that in 2020 IBM ranked the energy industry in the top 3 most targeted industries. The United Kingdom’s National Grid Electricity System Operator (ESO) confirmed a cyber-attack on an electricity provider’s internal IT systems in 2020, where luckily electricity supply was not affected. More recently, Russian hackers have been probing Texas’ energy infrastructure for weak points in digital systems. Since February’s Russian invasion of Ukraine, energy facilities in Texas have seen an increase in the number of hacker-led probes. The reason for the increase? With countries in Europe dependent on natural gas from Russia, the US has worked to help wean Europe off Russian gas by increasing natural gas exports to the continent. A successful attack on key Texas energy facilities could take the nation’s second largest exporter of natural gas offline, which could force Europe’s hand in deciding between blackouts or purchasing energy supply from Russia.

Another “this could have been way worse” scenario unfolded in August of 2022 when a company that supplies water to more than 1.5 million people in the United Kingdom disclosed it was attacked in an incident that highlighted the dangerous vulnerabilities of the utility’s infrastructure. The attack resulted in a disruption of services, but thankfully it didn’t impact the water supply itself, even though the group responsible claimed it had gained access to the system that controls the level of chemicals in the water. Although not in the power sector, this utility example helps illustrate the devastation that could result if the controls of a power facility fall into the wrong hands.

Why Conditions Are Favorable for a Breach

One of the most complicated factors in keeping utilities secure is their dependence on third parties. Most utilities operate with a very large contingent workforce (many are as high as a 75% contractor to 25% employee mix). This creates a constant churn between on- and off-boarding non-employees that increases the likelihood of a breach. With a reported 51% of organizations experiencing a breach caused by a third party (contractors, suppliers, partners, contingent workers, etc.), many utilities are now realizing that they need to improve their third-party lifecycle management processes in order to reduce risk.

Historically, utilities have focused their security risk management at the third-party vendor level. Regulators demand that utility companies thoroughly assess all outside organizations they work with, their security postures, and their known vulnerabilities during the vendor selection phase to be compliant. These utilities, however, often fail to adequately vet the risk of the individual users who require access to their systems. This is a serious security gap as they have little understanding of the risk that each person poses to their organization, leaving them vulnerable to a third-party breach.

Identity at the Eye of the Storm

The increase in the number of remote workers and dependence on third parties means more users are accessing organization systems from several different places. For utilities, the network is no longer the perimeter; identity is the new perimeter.

Complementing a strong vendor approval process with a third-party identity risk solution will address the common security gaps currently plaguing utility companies. Proper investment and integration of improved identity controls can ensure:

  • Swift and accurate onboarding, offboarding and reverification of a user’s identity.
  • Timely removal of a non-employee’s access (physical or digital) due to termination, job change, or transfer.
  • Evaluation of risk at the individual identity level.
  • Audits that are a cinch, with a clear view of the individual identities with access to systems, platforms, and facilities.

For many utilities, the convoluted and manual nature of current third-party identity lifecycle processes leads to a lack of visibility into all access, both internal and external, at the identity level. This leaves utilities spending excessive amounts of time and money managing a process that is not only inefficient but exposes them to greater cybersecurity risk and the likelihood of failing regulatory requirements. (You can read more about the most common third-party NERC CIP compliance challenges here.)

What happens if utilities don’t act fast enough? More breaches where data is taken, vital information of employees and customers is stolen, money is lost, and reputations suffer. Bad, yes, but nothing compared to the worst-case scenario: the perfect storm where tens of millions of people are without electricity for weeks at a time, threatening virtually every part of modern life. There’s a lot on the line, and utility organizations need to work quickly to ensure that their facilities are secured.


*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by Mike Conti. Read the original post at: https://www.seczetta.com/utility-companies-perfect-storm-blog/