More than three-quarters of American utility execs are expecting an attack on the grid within the next five years—and are woefully unprepared to deal with it if it happens.
A fresh report from Accenture, entitled Outsmarting Grid Security Threats, included interviews with more than 100 utility executives from over 20 countries. Globally, it found that almost two-thirds (63%) of respondents said they believe their country faces at least a moderate risk of electricity supply interruption from a cyberattack on electric distribution grids in the next five years.
However, proper protection is challenging due to the complexity of distribution electric grids and increasingly sophisticated, well-funded attackers, and many distribution utilities are still under-protected and under-prepared. Only 6% felt extremely well-prepared and less than half (48%) felt well-prepared when it came to restoring normal grid operations following a cyberattack.
When it comes to the kinds of attacks in the offing, interruptions to the power supply is the most serious concern, cited by 57% of respondents. Just as worrying is the physical threat to the distribution grid. About half (53%) of executives cite employee and/or customer safety and 43% of executives cite the destruction of physical assets as their biggest concerns.
“As highly sophisticated, weaponized malware is being developed, a greater risk to distribution businesses arises from cyber-criminals and others who would use it for malicious purposes,” said Stephanie Jamison, managing director, Accenture Transmission and Distribution. “Attacks on industrial control systems could disrupt grid reliability and the safety and well-being of employees and the public. Not getting it right could be a brand killer, as well as a real threat for a country and the community.”
Smart-grid initiatives are bringing these concerns even more into focus. While the increased connectivity of industrial control systems enabled by the smart grid will drive significant benefits in the form of safety, productivity, improved quality of service and operational efficiency, 88% agreed that cybersecurity is a major concern in smart grid deployment.
Distribution utilities are also increasingly exposed by the growth of connected internet of things (IoT) domestic devices, such as connected home hubs and smart appliances. These bring a new risk to distribution companies, which is hard to quantify, with 77% of utilities executives suggesting IoT as a potential threat to cybersecurity.
In Asia-Pacific and Europe, cyber-criminals are seen as the biggest risk for distribution businesses by almost a third of respondents. However, in North America, attacks by governments are considered a bigger risk than in regions worldwide (32%).
“Deployment of the smart grid could open new attack vectors if cybersecurity is not a core component of the design,” added Jamison. “However, the smart grid can also bring sophisticated protection to assets that were previously vulnerable through improved situational awareness and control of the grid.”
The report also uncovered that a significant number of distribution utilities have much to do in developing a robust cyber-response capability with more than four in 10 respondents claiming cybersecurity risks were not, or were only partially integrated, into their broader risk management processes.
In addition, the increasing convergence of physical and cyber-threats requires the development of capabilities that go well beyond simple security-related national compliance requirements, Accenture noted. Utilities must invest in resilience of their smart grid as well as effective response and recovery capabilities.
“Cybersecurity must become a core competency in the industry by protecting the entire value chain and the extended ecosystem end-to-end. Utilities, already well-versed in reliable power delivery and power restoration, need an agile and swift capability that creates and leverages situational awareness, and that can quickly react and intervene to protect the grid,” said Jim Guinn, managing director who leads Accenture’s security practice for resources industries. “Developing this new capability will require ongoing innovation, a practical approach to scaling, and collaboration with partners to drive the most value.”