News
Utilities: Energy & Power, Water, Waste
Vendors

Mckinsey & Company examines energy sector threat and cybersecurity vulnerabilities

November 23, 2020
energy sector threat

Cybersecurity experts at McKinsey & Company recently published an article looking at the energy sector threat and how organizations can address cybersecurity vulnerabilities in operational technology. According to the article, while electric-power and gas companies are especially vulnerable to cyber attacks, a structured approach can significantly reduce cyber-related risks.

According to McKinsey, the number of threats and actors targeting utilities is increasing. For example, a January 2020 bulletin issued by the U.S. Department of Homeland Security warned that critical infrastructure providers should beware of nation-states capable of carrying out disruptive attacks as a deterrent or retaliatory measure. Additionally, cyber criminals are targeting utilities and other critical infrastructure operations for profit.

“While most utilities have become aware of the risks associated with cybersecurity, inconsistencies still exist in their ability to secure funding to invest in OT and IT cybersecurity controls,” the article says. “In many states, regulators lack the dedicated talent needed to review cybersecurity program budgets, which factor into a utility’s billing rates to customers. This results in, at best, a good-faith approach to approving incremental investment in cyber capabilities and, at worst, skepticism from regulators in approving larger rate increases associated with strategic security overhauls. Additionally, certain municipalities offer energy services independent of a major utility. This may alleviate customer concerns with existing energy players in the market, but many of these municipalities remain underprepared or understaffed to ensure the deployment of enough cybersecurity controls to decrease risk.”

McKinsey researchers also noted that utility organizations are currently facing an increasingly expanding attack surface due to geographic and organizational issues such as the decentralized nature of many organizations’ cybersecurity leadership.

“By their very nature, utilities must operate a geographically distributed infrastructure across many sites—121 plants over 94,000 miles of distribution for an average top 25 US power company,” the article says. “That makes it difficult to maintain the necessary visibility across IT and OT systems, much less correlate network activity against physical security systems, such as badge access logs and server room surveillance feeds. This challenge is heightened in developing regions of the world and in large-footprint, low-energy-return production sites such as solar farms, where our colleagues have found that the cost of robustly securing a site and powering additional cyber and surveillance infrastructure could exceed any revenue realized from site operations.”

Additionally, the McKinsey article indicates that the energy sector threat stems from its dependence on both physical and cyber infrastructure. Disruption of either of these systems can result in loss of power, destruction of equipment, and damage to devices throughout the grid.

“Other concerns involve critical equipment in the OT sphere and the telecommunications networks being used to communicate between OT sites and even across providers,” the article says. “For example, operators may trust data from safety and transport monitoring systems used to regulate the flow of electricity or gas without further manual validation or strong data integrity regimes. Data tampering could cause dangerous overages (potentially damaging equipment) or outages without tripping the built-in fail-safes designed to mitigate such impacts. Because these systems do not directly contribute to utility value streams, they may become targets of cost cutting (e.g., consolidating safety and control systems onto one platform, increasing the risk of compromise to both) and are not high priorities for upgrading beyond required standards.”

In order to address these vulnerabilities, McKinsey recommends a structured approach that applies communication, organizational, and process frameworks. To read their suggestions, check out the full article.

Rebecca Addison
Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation