The utilities sector, as with virtually every other industry, is undergoing thorough technical disruption. Advancements in analytics and end-user technologies offer a world of opportunities for utility companies—and all this before 5G connectivity goes mainstream.
But as new technology provides business opportunities, it also opens up a new world of risks, often unmanaged in more traditional businesses such as utilities.
The adoption of more connective technologies—especially those that are closer to the end-user in the distribution chain, such as smart meters—creates more avenues for sophisticated cyberattacks. A recent survey of utility companies from Siemens and the Ponemon Institute notes that cyber risk “is worsening, with potential for severe financial, environmental, and infrastructure damage.” Moreover, when it comes to protecting themselves, industry players tend to be unprepared, or even myopic. The World Economic Forum highlighted this lack of preparedness in its 2019 report, stating, “…security of the Internet of Things was paramount to the success of Industry 4.0.”
A digitized, consumer-driven grid is certainly the future of utilities, but companies have no choice but to prepare for the increased potential for exploitation. Cybersecurity, then, should be one of the key pillars to consider ahead of these digital transformation initiatives.
Getting Ahead of Cyber Threats
Regulators have tried to keep pace with these changes as quickly as providers have. For example, the U.S. Department of Energy has already released its ES-C2M2 guidelines to help find a common starting point for utility companies. For almost two decades, utilities have had to comply with the Critical Infrastructure Information Act, but new regulation significantly increases the burden of compliance focused on the new edge devices. Senate Bill 327, specific to California, sits alongside the new California Consumer Privacy Act (CCPA), while Senate Bill 734 amplifies the NIST 800-82 standard with the Cyber Security Framework to enshrine the need for security and privacy by design.
This regulation hints at one of the larger challenges of addressing cybersecurity in the utilities sector: digitalization has created a need to horizontally align a vast array of connected devices—many of which are outside utility companies’ control—under one security framework. Providers must account for the entire connected utilities value chain, from power generators to smart refrigerators, all with no clear accountability for owning the cybersecurity and compliance burden. The question remains: where does the handshake take place between the device manufacturer and the utilities provider?
To address these risks in the most efficient way possible, utility companies can start by measuring their competence in these key focus areas:
1. Securing smart meters.
Even with all their potential benefits, smart meters make for a particularly vulnerable asset because they’re a primary touchpoint between consumer and provider. There’s currently no industry-wide standard for smart meter security, so every utility company must take its cybersecurity infrastructure into account while drafting a plan to make these devices as secure as possible. As a result, adherence to new IoT security regulations often occurs in a disjointed and individualistic manner. This process bears no resemblance to that of other leading economies, where industry-wide agreements ensure a standardized and unified approach to an industry-wide problem.
2. Bringing consumers into the fold.
Another major disruptor in the digitalized utilities industry is the growth of consumer-generated power production. As end-user generation devices such as solar panels become increasingly integrated into the grid, they’ll need to be secured as well.
Utility companies should deliver clear standards and pursue collaboration with customers to ensure all potential entry points to the grid are secure. In doing so, utility companies will also have to consider the end-to-end responsibility for security management. For example, the individual households installing these devices are unlikely to deploy adequate security controls to meet enterprise demands. Therefore, overlay security solutions will be required to protect enterprise-managed assets.
3. Staying up-to-date on information technology security.
While preventing new cyber threats is critical, focus shouldn’t move away from current risks. Utility companies should make sure IT infrastructures have the necessary safeguards to handle the technological demands of a more connected grid with minimal risk.
Remember that innovative security solutions such as biometrics or embedded pattern recognition will soon become the industry standard. Companies have no choice but to ensure they are secure—this will lead utilities organizations to enhance previous physical security regimes to become cyber-physical in focus.
Cybersecurity is just one pillar for utility companies to consider during a holistic digital transformation.