The International Energy Agency (IEA) released guidance to policymakers, electric utilities and other stakeholders on how policies and actions could enhance the cyber resilience of electricity systems.
While differing contexts require tailored approaches, several overarching action areas can serve as the basis for achieving more appropriate electricity security frameworks for the future, according to the IEA report. The measures laid out include institutionalizing responsibilities and incentives, identifying risks, managing and mitigating risks, monitoring progress, and responding to and recovering from disruptions.
The electricity system is interconnected with all other critical infrastructure and services. Cyberattacks on electricity systems are therefore a critical threat to every aspect of modern societies. Policymakers, regulators, system operators, and industries across the electricity value chain have important roles to play in enhancing the cyber resilience of the system.
Utilities must implement proper risk management to identify the capabilities and risks of their systems from both IT and operational technology (OT) perspectives. A clear risk management strategy also helps them prioritize areas of work and investment decisions so that limited resources deliver the greatest benefit.
Policymakers must set appropriate responsibilities and incentives for relevant organizations within their jurisdiction. They must designate responsible authorities to set objectives, give direction on measures and assess their implementation. They have also been advised to implement coordination mechanisms between responsible authorities (both within and outside the electricity sector) to avoid conflicts between various regulatory levels.
The policymakers must also incentivize or oblige regulated and non-regulated entities to implement cybersecurity safeguards. Measures should aim to improve outcomes, rather than relying only on compliance-based processes that risk becoming a box-ticking exercise. The level of enforcement needs to relate to how critical the organization is to wider system reliability.
Policymakers need to ensure that operators of critical electricity infrastructure identify, assess and communicate critical risks. Policymakers and regulators should ensure that designated organizations regularly conduct system-level risk analyses to identify key threat scenarios and system vulnerabilities, and should facilitate public-private cyber risk information sharing.
Electricity systems are also prone to cascading effects across both digital and electrical systems. As utilities increasingly interconnect their systems for the sharing of operational and planning information, an attack could cascade across their digital networks.
The majority of electricity infrastructure, such as power plants and transmission and distribution systems, has long operational lifetimes, often exceeding fifty years. As a result, most electricity systems comprise a mix of recent, highly digitalized technologies and analog legacy assets deployed decades earlier.
Older OT was often designed without any intent to connect it to networks, leaving it “air-gapped”; it is increasingly being adapted and connected to IT networks through standardized protocols and additional interface devices. Without adequate security measures and integrated cyber resilience approaches, these connections risk introducing new vulnerabilities into the system, because controls that were never needed on an isolated network become necessary once the asset is reachable from IT.
Power companies are among the most frequently attacked targets, increasingly by nation-state hackers aiming for disruption and even destruction through industrial control systems (ICS), according to insights released by Deloitte. One of the most challenging vulnerabilities to address is cyber supply chain risk, given the increasingly far-flung and complex nature of the supply chain.
A survey published by Siemens and the Ponemon Institute showed that industrial cyber risk is worsening, with the potential for severe financial, environmental and infrastructure damage. Industry-wide, readiness is uneven and has common blind spots. In particular, the report highlights the cybersecurity requirements specific to OT, and the importance of distinguishing between security for OT and security for IT. This remains a major challenge for many organizations across the industry.
The research was conducted to gain a clearer picture of utilities’ existing capabilities, levels of preparedness, vulnerabilities, and strategic understanding of their OT cyber risk. Cyber supply chain accountability and ownership are not very well-defined within companies, most CISOs have no control over their enterprises’ supply chain, and they may have little access to supply chain cyber risk intelligence or visibility into suppliers’ risk management processes, Deloitte added.
Effective policies need to look beyond bulk utilities and consider the entire electricity chain, including supply chains, according to the IEA. Supply chain security is an international issue. To demonstrate security preparedness, certification or other similar mechanisms based upon existing international standards need to be institutionalized and interoperable at the global level, where deemed appropriate, it added.