Cybersecurity experts at McKinsey & Company recently published an article looking at the energy sector threat and how organizations can address cybersecurity vulnerabilities in operational technology. According to the article, while electric-power and gas companies are especially vulnerable to cyber attacks, a structured approach can significantly reduce cyber-related risks.
According to McKinsey, the number of threats and actors targeting utilities is increasing. For example, a January 2020 bulletin issued by the U.S. Department of Homeland Security warned that critical infrastructure providers should beware of nation-states capable of carrying out disruptive attacks as a deterrent or retaliatory measure. Additionally, cyber criminals are targeting utilities and other critical infrastructure operations for profit.
“While most utilities have become aware of the risks associated with cybersecurity, inconsistencies still exist in their ability to secure funding to invest in OT and IT cybersecurity controls,” the article says. “In many states, regulators lack the dedicated talent needed to review cybersecurity program budgets, which factor into a utility’s billing rates to customers. This results in, at best, a good-faith approach to approving incremental investment in cyber capabilities and, at worst, skepticism from regulators in approving larger rate increases associated with strategic security overhauls. Additionally, certain municipalities offer energy services independent of a major utility. This may alleviate customer concerns with existing energy players in the market, but many of these municipalities remain underprepared or understaffed to ensure the deployment of enough cybersecurity controls to decrease risk.”
McKinsey researchers also noted that utility organizations face an expanding attack surface due to geographic and organizational issues, such as the decentralized nature of many organizations’ cybersecurity leadership.
“By their very nature, utilities must operate a geographically distributed infrastructure across many sites—121 plants over 94,000 miles of distribution for an average top 25 US power company,” the article says. “That makes it difficult to maintain the necessary visibility across IT and OT systems, much less correlate network activity against physical security systems, such as badge access logs and server room surveillance feeds. This challenge is heightened in developing regions of the world and in large-footprint, low-energy-return production sites such as solar farms, where our colleagues have found that the cost of robustly securing a site and powering additional cyber and surveillance infrastructure could exceed any revenue realized from site operations.”
Additionally, the McKinsey article indicates that the threat to the energy sector stems from the sector's dependence on both physical and cyber infrastructure. Disruption of either of these systems can result in loss of power, destruction of equipment, and damage to devices throughout the grid.
“Other concerns involve critical equipment in the OT sphere and the telecommunications networks being used to communicate between OT sites and even across providers,” the article says. “For example, operators may trust data from safety and transport monitoring systems used to regulate the flow of electricity or gas without further manual validation or strong data integrity regimes. Data tampering could cause dangerous overages (potentially damaging equipment) or outages without tripping the built-in fail-safes designed to mitigate such impacts. Because these systems do not directly contribute to utility value streams, they may become targets of cost cutting (e.g., consolidating safety and control systems onto one platform, increasing the risk of compromise to both) and are not high priorities for upgrading beyond required standards.”
To address these vulnerabilities, McKinsey recommends a structured approach that applies communication, organizational, and process frameworks. To read their suggestions, check out the full article.