As a sector critical to society, the utility sector is particularly vulnerable to becoming a target of cybercrime. Consequently, new legislation and compliance demands are being imposed on the sector. But are these new mandatory minimum security requirements enough to match the cyberthreats?
Like other industries and economic sectors, the utility sector faces a security threat unlike anything that has come before. Not only are the threats constantly changing and the attacks becoming ever more complex, but the potential impact is far greater than at any time in our history. Utility companies operate across a sector critical to society – a sector where cyberattacks can potentially paralyze not only the company, but large parts of society as well.
This, among many other reasons, is why the utility sector is confronted with niche directives from the EU as well as with new Danish ordinances and compliance demands. They are an attempt to ensure that the sector is capable of resisting the cyberattacks and threats aimed at undermining it.
Legislation must be considered a minimum standard
While the new legislation is a step in the right direction, more needs to be done, if you ask Esben Kaufmann, Associate Vice President at NNIT:
- Complying with the ordinances and legislation isn't enough on its own to resist cybercrime. The compliance demands are broad and not sector-specific, and the reality of every individual company is certainly not taken into consideration – no matter if the company provides fiber-optic internet, wind-generated electricity, or waste-management services. Therefore, individual company security has to go beyond basic government requirements.
In short, the official guidelines should be interpreted as absolute minimum standards. Nothing more.
- Sadly though, reality often turns out differently; lots of utility companies see the requirements as a comprehensive checklist designed to meet all their security needs. For many others, simply meeting the minimum requirements is a huge task. But with that said, the mandatory minimums are far from enough for the individual company, says Esben Kaufmann.
Cybersecurity lagging in the utility sector
To really understand the new reality the utility sector is struggling with, you have to look at the developments in the sector over the last couple of years. Esben Kaufmann's assessment is that the utility sector is one of the most immature sectors when it comes to IT security. This is a paradox, because it is simultaneously one of the most vulnerable sectors. Among its biggest challenges is that security has traditionally not been a core business area. Because of that historical disadvantage, it is difficult for most companies in the utility sector to keep track of security-related developments.
- Roughly speaking, we are dealing with a sector which traditionally has been very focused on its operations, and this without connecting to the internet. Operations has always been, and still is, the main focus for many utility companies. And then, when you transfer large parts of the business to the internet to scale the operations and optimize the efficiency via central management, you end up in a new reality where safety is about both OT and IT. Often companies still have IT systems which are mostly designed to focus on operational security rather than IT security, and that's where the problem occurs.
The new reality of the utility sector: From operation to data
At the same time, the evolution of digital technology has made it possible for many actors to expand and complement their core businesses with digital services:
- Both the distribution and production departments are increasingly using data they collect to offer digital services on top of their traditional services and core business areas. By doing so, they expose their system to new kinds of threats, and they are being exposed in a way they have not been before, explains Esben Kaufmann.
The need for a new mindset and priority
The increased and fundamentally different exposure requires companies to embrace a new, often demanding mindset. It is no longer enough to focus only on operational safety. The challenge for most utility companies, however, is that there is still an all-consuming focus on operations, regardless of the size or type of business.
- Many of the employees who now have security responsibilities come from an operational background. They think like engineers who follow technical requirements for operations. Suddenly, they are introduced to niche directives and executive orders, compliance requirements and safety plans, and IT security becomes an add-on instead of something that is implemented throughout the business. But IT security should have an independent focus area with a mandate to make decisions and engage the business. Otherwise it is too easy to prioritize operations and production over security, explains Esben Kaufmann.
The security plan must be updated continuously
It often comes down to the fact that competencies and knowledge simply do not match the complexity of the security threat:
- I meet a lot of companies who think they are well prepared for a possible cyberthreat. But due to the fact that employees responsible for IT security often come from another background, companies are not as prepared as they think. And it is a problem. Having the right background and knowledge is absolutely crucial when sitting on infrastructure at such a critical level, says the security expert.
Esben Kaufmann adds that many companies already have a large security team, but size alone does not make it effective.
His recommendation is therefore clear:
- IT safety contingency plans must receive higher priority. A lot of companies work with contingency plans for physical operations, but not for IT. To become less vulnerable, your documentation must be in order and you need clear guidelines on how to restore broken systems. The cyberthreat evolves at lightning speed. Therefore, one should continuously look into and evaluate whether one's preparedness is adequate and whether one can internally continue to upskill and attract the right competencies needed to maintain the necessary level of security, concludes Esben Kaufmann.
At NNIT we have the right competencies - employees who are experts in the utility sector and capable of helping you with security assessment, advisory services, and implementation of IT security and compliance.