Siemens and the Ponemon Institute released a new report that assesses the global energy industry’s ability to meet the growing threat of cyber attacks to utilities and critical infrastructure connected to the electrical grid. The report – Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat? – details the utility industry’s vulnerability to cyber risk and its readiness to address future attacks, and provides solutions to help industry executives and managers better secure critical infrastructure. The results of the report were released at a forum hosted by the Atlantic Council in Washington, D.C. focused on the growing national, economic, and energy security threat that cyber attacks pose to the utility industry.
“The utility industry has woken up to the industrial cyber threat and is taking important steps to shore up defenses,” said Leo Simonovich, Siemens VP & Global Head, Industrial Cyber & Digital Security. “We hope this report helps utilities benchmark their readiness and leverage best practices to stay ahead of attackers.”
The study surveyed 1,726 utility professionals responsible for securing or overseeing cyber risk in Operational Technology (OT) environments at electric utilities with gas, solar, and wind assets, and at water utilities, throughout North America, Europe, the Middle East, the Asia-Pacific region, and Latin America. It identified key vulnerabilities in energy infrastructure that malicious actors seek to exploit, including common security gaps that are created as utilities rely on digitalization to leverage data analytics and artificial intelligence and to balance the grid with intermittent renewable energy and distributed power generation.
As utilities increasingly adopt business models that connect OT power generation, transmission, and distribution assets to Information Technology (IT) systems, critical infrastructure is more vulnerable to cyber attacks, according to the study. The survey results show the risk of cyber attacks on the utility industry may be worsening, with 56 percent of respondents reporting at least one shutdown or operational data loss per year, and 25 percent impacted by mega attacks, which are frequently aided by expertise developed by nation-state actors. The vulnerability of critical infrastructure to cyber attacks has the potential to cause severe financial, environmental and infrastructure damage. Of all respondents, 64 percent say sophisticated attacks are a top challenge and 54 percent expect an attack on critical infrastructure in the next 12 months.
“Increasing electrification across a range of sectors is a crucial piece in the decarbonization puzzle, but, as the Siemens and Ponemon Institute report documents, an increase in grid-connected infrastructure creates additional vulnerabilities to cyber attacks. A devastating attack would not only harm the economy, but it could also slow down the rate of electrification. This report provides recommendations to help utilities better address these risks. Getting this right is not only important for the security of our electricity system, but also for achieving our climate goals,” said Randy Bell, Director of the Atlantic Council Global Energy Center.
Most surveyed global utilities say that cyber threats present a greater risk to critical infrastructure – compared to IT systems – and are concerned with unique industry challenges, including ensuring availability, reliability and safety of electricity delivery. Industry-wide, readiness to address cyber attacks is uneven and has common blind spots, especially with regard to the unique cybersecurity requirements for OT and the importance of distinguishing between security for OT and security for IT. This remains a major challenge for many organizations across the industry. Only 42 percent rated their cyber readiness as high, and only 31 percent rated readiness to respond to or contain a breach as high.
Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat? follows two previous collaborations between Siemens and the Ponemon Institute, including Assessing the Cyber Readiness of the Middle East’s Oil and Gas Sector and The State of Cybersecurity in the Oil & Gas Industry: United States.