Fitch Ratings assesses that public power utilities’ cyber investment is key to mitigating greater risk

Credit rating agency Fitch Ratings said that public power utilities should focus on increasing and prioritizing investments in cybersecurity, including operational technology (OT) and information technology (IT) investments, as well as implementing strong cyber policies and practices. The agency assesses that this is necessary to address the increased risks they face. Additionally, having robust cyber resiliency and risk management measures in place helps utilities maintain their current ratings.

In general, the power utility sector ‘continues to remain well positioned’ to defend against digital and network infrastructure attacks, the agency detailed in its latest research. Electric utility critical assets have been strengthened through more than ten years of compliance with the North American Electric Reliability Corporation’s (NERC) mandatory cyber hygiene security standards for critical infrastructure protection. 

Fitch Ratings disclosed this week that the sector is also exposed to cyber infiltration through its supply chain due to the reliance on a myriad of equipment and software providers, which add attack vectors for threat actors to exploit. “Significant vulnerabilities could also stem from technical debt (deferred digital maintenance) and overreliance on legacy systems, which are not designed with specific cybersecurity protections or modern authentication capabilities. This may be a particular issue for small and mid-sized public utilities, which are typically not rated by Fitch.” 

“Public power utilities across Fitch’s rated portfolio have reported increased screening efforts, targeted staffing and training, system upgrades, and improved restrictions on vendor access,” the agency added.

“However, the risk landscape for the sector is rapidly growing due in part to the use of artificial intelligence by threat actors, including nation-states,” according to the research. “Also contributing to risk is the growing dependence of the sector on IT assets, industrial control systems (ICS) for grid operations, and smart internet of things (IoT) devices such as smart meters and sensors that increase the accessibility surface. The integration of IT and OT will only increase with greater use of such devices.”

It also estimated that cyberattacks on OT are higher risk than those on IT and are more likely to have a credit impact. “OT encompasses the computing systems that manage industrial operations and prioritize availability and human safety. The vulnerability of critical OT to cyberattacks is amplified if ICS have remote access or remote monitoring capabilities. However, utilities typically take steps to disconnect operating systems from the internet, reducing the risk of OT infiltration.”

Fitch Ratings said that the ability to protect infrastructure from attacks is considered under Fitch’s U.S. public power rating criteria as part of its assessment of management quality and governance, which is an asymmetric credit factor where weaker characteristics may constrain a rating. 

“No public power ratings are currently constrained by cyber preparation issues, as attention to and investments in addressing this risk have been robust in accordance with NERC guidelines,” the research said. “In the event of a cyberattack, Fitch would assess the effect on financial metrics and performance of halts in service, delays in revenue generation, ransomware payments or unexpected capital costs.”

It detailed that a cyberattack that disrupts power supply or damages the grid poses unique downstream credit risk for other critical sectors such as transportation, healthcare, and water utilities, as well as public safety. A loss of power could result in cascading pressures on utilities and their customers if there are prolonged disruptions to service.

Fitch Ratings said that cybersecurity remains one of the top reliability risks for the sector along with extreme weather and climate events, according to the 2022 NERC annual report. It also noted that the cybersecurity threat landscape continues to evolve given geopolitical tensions, new ICS vulnerabilities, and changing technologies.

Back in May, Fitch Ratings identified that the U.S. Environmental Protection Agency’s (EPA) requirement that all public water systems incorporate cyber risk and resiliency in their periodic reviews will add an increased regulatory and financial burden, which could be ‘onerous for smaller systems and systems with minimal existing cyber infrastructure.’
