Electric utility executives experience a number of headaches when it comes to data. Forbes reports that, as of 2009, electric utilities possessed 194 petabytes of data (a petabyte is one million gigabytes). Now, utility execs are searching for new methods and solutions to manage this influx of data. However, data management is only one part of the problem. Data security is another matter altogether.
Skilled hackers continue to refine their methods for breaching the data security of electric utility operating systems. PwC recently released a survey that shows that the average number of detected incidents has increased six-fold (more than 7,000 occurred within the last year). Unfortunately, current and former employees are the most cited culprits behind these security incidents.
Consequently, 25 percent of utility executives have already implemented a specific security strategy to combat these impending threats. This strategy involves the convergence of information, operational, and consumer technologies. An additional 27 percent of utility executives are currently working on their own strategies. Collectively, North American electric utility executives who understand the value of implementing a cybersecurity strategy can work together proactively instead of scrambling reactively to a potential threat.
While the aforementioned percentages appear promising, PwC’s 2015 Global State of Information Security Survey shows that risks are rising faster than the utility’s readiness to implement security strategies. Another PwC study reports that many boardroom directors (65 percent) want an increased focus on cybersecurity. However, a great divide exists between what needs to happen and what is happening.
What is happening is that utilities’ efforts to address cybersecurity risks are slowing down. In this past year, 54 percent of power and utilities companies have established a unified security and controls framework and/or an enterprise risk management framework to address cybersecurity risks. Last year that number was 61 percent.
Additionally, efforts to maintain security awareness training for employees within the organization have declined 47 percent. Training for personnel on privacy policies has declined to 43 percent. Utilities and regulators have to move away from the “It cannot happen to me” mentality on cybersecurity as a whole. Eugene Kaspersky, CEO of global IT security firm Kaspersky Labs, says that compared to other critical infrastructures (communications, healthcare, financial services, among others), the energy sector is the most important—and the most vulnerable.
The U.S. National Security Agency (NSA) warns that several foreign governments have already hacked into the U.S. energy, water, and fuel distribution systems. Furthermore, the U.S. Department of Homeland Security issued an ICS-CERT report in May 2014 warning of several known attacks against U.S. utilities in the first quarter of that year.
THE BOTTOM LINE
Example after example and stat after stat, proof is available that utilities as well as regulators must take cybersecurity risks seriously. A Unisys study revealed that 64 percent of security executives at utilities from various industries anticipate one or more serious attacks within the next year. Awareness is present; more focus on action is necessary.