Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/1485723
20 | DECEMBER 2022 | UTILITY WEEK Technology Download report A threat without borders A new Utility Week report – in association with Cisco – examines what utilities are doing to strengthen the resilience against cyber attacks and explores whether they are going far enough. A s utilities become more intercon- nected and embrace the digitalisa- tion of business processes, the risk of cyber-attack grows exponentially. Tasked with operating critical infrastruc- ture and ensuring customers receive vital services, water and energy companies must make di cult security decisions in the face of increasingly sophisticated and unrelent- ing bad actors. According to Utility Week research pub- lished in May 2022, the threat of a serious cyber-security breach is the number one risk factor for utilities. Nearly eight out of 10 (77%) regarded a serious cyber-security breach as a high-risk factor and 85% said this would have a major impact on the business. The survey of senior managers in utilities found that as water and energy sectors look to digitalise and introduce more devices on to their networks, such as monitors and sen- sors, the risk will only increase. Transition- ing to open data will undoubtedly increase security risks. In recent years, there has also been a worrying increase in cyber-attacks resulting from vulnerabilities within supply chains. Widely publicised incidents – including the SolarWinds attack which saw hackers carry out a highly sophisticated cyber intrusion that penetrated thousands of organisations including multiple parts of the US federal government – have exposed the security weaknesses that pose a signi‰ cant threat to organisations. Supply chain attacks have the potential to inŠ ict catastrophic disruption across mul- tiple businesses, with costly consequences both in terms of ‰ nances and reputation. Alarmingly, government data shows just over one in 10 businesses currently review the risks posed by their immediate suppliers (13%), and the proportion for the wider sup- ply chain is just 7%. Despite these concerning ‰ gures, utili- ties are striving to improve the resilience of critical infrastructure against potential bad actors. But are they going far enough? Util- ity Week has partnered with cyber-security expert Cisco to produce this report, A Threat Without Borders: Understanding the Cyber Risk Facing Utilities, which explores the e" orts currently being made by utilities to drive cyber-security, covering key topics including how the cyber-risk landscape is changing as utilities become more digital- ised and the main challenges facing current cyber-strategies. The report also questions what role regulation should play in strength- ening utilities' cyber-resilience, as well as what lessons should be learnt from previous cyber-attacks on critical infrastructure. How is the cyber-security landscape evolving? Cyber-threat actors represent a serious risk to all businesses. However, the critical nature of utilities' operations makes the indus- try a particularly alluring target for those seeking to exploit network vulnerabilities and disrupt supply. So how is the risk land- scape shi— ing and what are the main chal- lenges and opportunities for utilities when it comes to improving resilience against cyber-attacks? As the digitalisation of the industry gath- ers pace and systems become ever more connected, de‰ ned boundaries between companies are becoming increasingly blurred. This shi— creates new opportunities for hackers to target weaknesses in the sup- ply chain. Marsha Quallo-Wright, National Cyber- Security Centre (NCSC) deputy director for critical national infrastructure, agrees that the "cyber-risk landscape is always evolving and the attack surface increasing". "As our world becomes more connected, it's vital that we ensure strong cyber-security principles are being built into the design of new products and services so organisations can reap the bene‰ ts of emerging technolo- gies," she says. Quallo-Wright adds that the shi— towards digitalisation has reshaped how and where companies work, especially in recent years due to the Coronavirus pandemic. "While working online creates positive opportuni- ties for productivity, it also presents cyber- security challenges that must be managed," she says. One water chief information o cer says that as their business's digital footprint has increased to meet the needs of employees and customers across a range of channels and devices, the cyber-threat has increased accordingly. They add: "Digitisation itself is frequently an e ciency play. It delivers that, but you still need to be able to run the business if you are hacked, which means you need to be able to revert to paper-based processes some- how in an emergency. I think a lot of organi- sations overlook that." Mark Jackson, national cyber-security advisor at Cisco, agrees that companies must dedicate more time and resources to plan their response to a worst case scenario incident. "I still think there is a lot of complacency out there in the industry because compa- nies think it will never happen to them, or an incident won't be as bad as X," he says. "Every one has to understand that there is a worst-case scenario and they have to really cement those incident response plans on a regular basis." What lessons should utilities be learning? Cyber-threat might be high on the agenda for utilities, but there are clear disparities across companies in terms of their approach to security and their understanding of risks. Utilita's head of IT security, Jonathan Far-