The impact of cybersecurity on the power industry

The matrix below details the areas in cybersecurity where power companies should be focusing their time and resources. We suggest that power companies invest in technologies that are shaded in green, explore the prospect of investing in technologies shaded in yellow, and ignore areas shaded in red.

Due to the importance of cybersecurity for a company in the power sector, and the fact that just one attack can bring down an entire power network and have cross-sector implications, companies should virtually invest across the entire cybersecurity value chain. Different types of cyber-attacks focus on different sections of the value chain. For example, email security is important for preventing phishing attacks, whereas threat detection and response, which may likely include endpoint detection and response, would be useful for finding and countering malware or zero-day threats.

Cybersecurity has never been more important to the power sector. According to cybersecurity company Hornetsecurity, the energy sector is the primary target of cyberattacks, with 16% of all cyberattacks aimed at the sector in 2020. This means that power companies have to start taking cybersecurity more seriously and invest throughout the value chain.

As we can see from the graph, which displays the leading adopters, vendors, and specialist vendors on pages 44 to 48, there are no power companies or specialist power vendors which focus on chip-based security. This is because of the advanced and capital-intensive nature of semiconductor manufacturing. Investing in chip fabrication and foundry to ensure chip-based security would be a misguided investment given the number of trusted leading cybersecurity vendors, thus, the secure chips are sourced from these leading vendors.

Furthermore, the end-user or consumer is not always in the position to invest in cybersecurity services, such as managed security services, post-breach response services, or threat detection and response, but should be aware and explore them further. Notably, with the proliferation of smart meters around the world, especially in advanced economies in Europe, consumers should pay more attention to ensuring cybersecurity in their homes.

Cybersecurity has risen in importance on the agenda of companies all around the world in the last few years, partly as a result of Covid-19. One of the most drastic and lasting changes resulting from the onslaught of Covid-19 was the immediate switch to homeworking, which has now resulted in many companies adopting a hybrid or fully remote working policy. Companies were forced to speed up their journey to digitalisation.

This sudden increase in demand for digital devices (mainly laptops and tablets) increased the cyber threat worldwide. Digitalisation has increased and become more decentralised as workers are working from home more often. This is a cybersecurity challenge because using a laptop or personal device to access company data leads to greater exposure to cyberattacks, according to the UK National Cyber Security Centre. This is because employees are less likely to run cybersecurity scans and homeworkers use Wi-Fi that is more susceptible to cyberattacks and does not have prevention and detection measures.

The energy sector, due to its greater number of manual workers, has a smaller proportion of homeworkers than other sectors which are IT or service based. However, as the Augmented Reality in Power report showed, companies in the power sector are increasing their digitalisation as a result of Covid-19. Even tasks such as asset management and repair, which usually would have been an in-person task, are being digitalised via the means of augmented reality whereby workers can speak to faraway experts using an AR headset. Therefore, the energy sector is not isolated from the impact of digitalisation, and Covid-19 has accelerated the need for cybersecurity in the sector.

The last few years have seen an increase in tensions around the world, especially between major powers. The Russian invasion of Ukraine has had several geopolitical reverberations, one of which is that businesses are taking cybersecurity more seriously. Due to the strategic importance of the power sector, and the fact that it essentially underpins every other sector, geopolitically motivated cyberattacks are very common. The importance of preventing avcny cyber-related disruption could not be clearer.

The Russia-Ukraine conflict is the most pertinent example of geopolitics influencing cyber-attacks. Russia’s alleged cyber military group ‘Sandworm’ is believed to be responsible for the 2015 attack on Ukraine’s power grid, the 2017 NotPetya global attacks, and most recently, a foiled two-wave attack on Ukraine’s high-voltage electricity substations aiming to shut off electricity for two million Ukrainians. If the attack was successful, it would have been the largest attack since the invasion began in February 2022. These attacks are certainly not limited to Ukraine either.

In April 2022, US intelligence agencies and the Department of Energy warned the power sector of a new ‘custom made’ malware from the ‘Sandworm’ group which is targeting ‘full system access’ to electricity and gas infrastructure across the US. In Europe, German wind energy companies Nordex, Enercon, and Deutsche Windtechnik have been targeted by cyberattacks since the invasion of Ukraine.

Although impossible to prove, it is both likely and logical that these attacks are geopolitically motivated. Since Russia invaded Ukraine, European countries have noticed their dependence on Russian oil and gas as a geopolitical weakness, and many have pledged to wean themselves off Russian hydrocarbons.

To achieve this, promoting renewable energies such as wind power can be seen as a longer-term replacement, which could increase European energy diversification and reduce dependence on Russia. In the case of the March 31 attack on Nordex, pro-Russian ransomware group Conti claimed responsibility.

The need for cybersecurity is self-evident for power companies, which are innately tied to the functioning of a country’s economy. The Russian invasion of Ukraine has seen the threat of such attacks on the sector increase. Utilities should be most alert to the heightened risk of cyberattacks because of the geopolitical situation playing out between Europe and Russia over energy.

One of the core fundamentals of ESG is achieving good governance. To ensure this is met, companies must comply with appropriate legislation in relation to cybersecurity. As cybersecurity has risen up the agenda of companies and businesses worldwide, regulators have taken notice. The power sector plays a critical role in domestic and regional economies. As such, consumers can be targeted through the means of information security breaches but also through the disruption of services, such as electricity or gas.

The EU has noted that, due to the digitised energy system across the bloc, an attack on one nation-state can cause a ripple effect on the energy system of other countries. As such, the EU has adopted cross-sector legislation that includes the NIS Directive (2016) and the Cybersecurity Act (2019). The former ensures that electricity suppliers and transmission and distribution operators must conform to cybersecurity requirements and notifications, with an obligation to respect minimum standards in relation to risk mitigation minimisation.

The European Union Agency for Cybersecurity (ENISA, formerly the European Network Information Security Agency), which advises on cybersecurity matters, has produced guidelines and recommendations for energy companies in relation to cybersecurity, including for smart grid, information sharing, and attacks against time-sensitive services. The Cybersecurity Act (2019) strengthens the powers of ENISA.

The NIS Directive was transposed into UK law in 2018, renamed the NIS Regulations. The NIS Regulations impose a host of new responsibilities on electricity and gas suppliers, which were updated in April 2022, mostly focused on the management of cybersecurity risk and reporting of cyberattacks. The UK’s energy regulator Ofgem mandates the National Cyber Security Centre’s Cyber Assessment Framework, meaning that power companies can be fined or have their licenses revoked if they fail to manage their cyber risk appropriately or prevent or mitigate cyber-attacks.

In the US, the Office for Cybersecurity Energy Security and Energy Response (CESER) has a strong focus on improving preparedness and mitigation of cyber-attacks. The US Department of Energy has a Cybersecurity Risk Information Sharing Program that is a public-private initiative aiming to enhance the ability of the energy sector in identifying threats using advanced sensors and the sharing of information between the state, companies, and third parties.

Moreover, CESER and industry partners have developed the Cybersecurity Capability Maturity Model (C2M2), which aims at cybersecurity capability evaluation for private sector companies. The North American Electric Reliability Corporation (NERC) released standards for Critical Infrastructure Protection (CIP) in 2007, which include large fines for non-compliance. The latest NERC CIP standards address supply chain risk, electronic security parameters, configuration change management, vulnerability assessments, as well as incident reporting and response planning.

In terms of adhering to net-zero commitments while delivering more power to a greater number of people, countries, and companies worldwide must deploy greater digitalisation, including the use of smart grids aiming at improving the efficiency of the electricity grid. Smart grids differ from the traditional grid because the information communication is two-way, consequently, securing the information (which is often sensitive) is more difficult and thus they are more exposed to cyberattacks.

Smart grids are vulnerable to phishing, denial-of-service, malware spreading, eavesdropping, and traffic analysis, with denial-of-service attacks being the most potentially damaging and frequent. Digitalisation, as discussed above, increases the risk of cybersecurity, and thus, any potential increase in deployment of digitalisation must be met with a commensurate increase in cybersecurity capabilities.

Furthermore, successful cyber-attacks have a significant ability to cause environmental damage. This often comes as a result of an attack on critical equipment and warning systems and can lead to gas leaks, oil spills, or other forms of pollution. It is very common for utility companies to use Supervisory control and data acquisition (SCADA) software for controlling their industrial assets, allowing the companies to collect data and control equipment in remote locations. SCADA systems are connected to the internet and thus vulnerable to cyber attackers. These attacks are common; for example, the aforementioned 2015 and 2017 attacks on the Ukrainian power grid as well as the infamous Stuxnet attack, whereby Iran’s nuclear power plants were significantly damaged, used this form of attack.

Without the energy sector, other industries cannot operate. As such, a cyberattack wiping out power can have a catastrophic effect on people, businesses, and communities. For example, the Colonial Pipeline attack in 2021 caused a fuel shortage for everyone in the regional area, which inevitably is detrimental to the local economy and community. Furthermore, customers’ private financial data can be at risk of being accessed by cybercriminals.

For example, Npower was hacked in February 2021, with customers' sort codes and the last four digits of their account numbers stolen; Npower had to release a statement asking customers to check their bank accounts for any fraudulent theft. This significantly impacts both consumers and the reputation of Npower. Risk does not end at financial loss, identify theft is another threat to all companies who store customer data. The Identify Theft Resource Center announced that identify theft increased 23% in 2021 to an all-time high, correlated with an increase in cyber-attack-related data compromises.