Why COVID-19 is making utilities more vulnerable to cyberattack - and what to do about it

Lightning strikes over a power station during a storm in the city of Ashkelon, Israel, October 28, 2015. Image: REUTERS/ Amir Cohen

Leo Simonovich
Vice-President; Global Head, Industrial Cyber and Digital Security, Siemens Energy
  • Remote working is creating novel cyber-risks for utility companies.
  • Attackers will seek to exploit new weak points in organizations' infrastructure.
  • Here are four steps CEOs and boards should take to shore up their defences.

In the energy industry, crisis moments like COVID-19 focus attention on two things: how to keep people safe, and how to continue to supply power to customers. Right now, that means working remotely is the number-one priority for utilities, but this reality also exposes the energy industry to new cyber-risks coming both from inside and outside the walls of its cyber defences. Lives are on the line; companies need to protect their workers and avoid outages.

Utility CEOs and board members face a unique blend of cyber and safety risks. By accessing critical plant production and grid networks from homes, employees raise the risk of a possible second-wave crisis: rolling outages and safety events at a time when keeping the lights on matters most. Attackers will attempt to exploit the rush to remote systems, understaffed facilities and new ways of working.

To avoid an impending cybersecurity crisis, utility leaders need to shift their focus towards making remote work increasingly secure, operationally viable and resilient. Boards and CEOs must move quickly to ensure the safety of employees while protecting the entire energy value chain from attack.

Balancing this new risk matrix requires four broad steps: understanding the new cyber-risk, establishing baseline defences, building interoperable defences with partners, and resetting overall architecture to accommodate this new reality.

1. Understanding the new cyber-risk. Home-based work increases exposure to cyber-risks. Less-reliable internet connections, social engineering attacks against employees and their families, and honest mistakes made in unfamiliar workflows are all new potential risks. Partner companies will also face increased cyber exposure. Utilities need to deliberately choose which tasks pose unacceptable risks and which can be adapted for remote work. For example, many monitoring tasks can be done remotely – and safely – with the right procedures, but testing or servicing safety and backup systems remotely cannot.

2. Establish baseline defences appropriate to remote work. Layered defences, commonly known as ‘defence in depth’, reduce the consequences of cyberattacks, and remote work will elevate specific needs:

a) Secure connections. Employees without secure access can’t work effectively, which makes such access necessary – but not sufficient – for cybersecurity. Plant operators should proactively define who should access which assets and institute controls before approving remote technology.

b) Monitor for anomalies. Working from home makes some security practices impossible. For example, both valid and malicious commands now come from outside the plant. It’s hard to discern what’s normal. This increases the importance of monitoring as a way to distinguish between employees and attackers. Some monitoring can be automated, freeing time for relevant personnel to investigate suspicious activity.

c) Prepare for incident response. Plants now need an incident response plan that works when most employees are not onsite, some are hospitalized, and an attack appears within their systems. Assume attackers will pressure-test the new defences and achieve at least partial success. Expect to need to activate incident response within the next few weeks, with limited on-the-ground support and distributed remote expert support. Eradication and reboot may not be an option for the foreseeable future.

3. Build interoperable defences. Cybersecurity is only as strong as its weakest link. Utility leaders and peers at partner companies should work to implement common defence measures. These include defining privileged access, disclosing vulnerabilities or sharing threat intelligence. Ensuring that partner systems work from a shared roadmap will help utilities assess and improve security. Failing to consider partners’ cybersecurity leaves a potentially large blind spot in your defences.

4. Reengineering the security architecture. Utilities are making fundamental changes to their energy production workflows – and cybersecurity methods and architectures will also need to be revamped. Systems that assume workers are present at plants or field sites will now have the wrong emphasis. For example, plants typically ban portable devices - but most workers are now outside the plant, with access to those banned devices or social media platforms. Any blueprint designed for this new reality needs to defend and monitor the new remote workflows in this new context.

Keeping the lights on

While the COVID-19 crisis makes these steps urgent, several long-term trends that pre-date the pandemic will drive similar changes. Distributed energy sources will require new operating models. Remote work and automation will offer efficiency gains. Energy companies will need to train their next-generation workforce. Cyberattacks against utilities will continue to escalate in frequency and sophistication. We know these changes are coming and may become permanent. Utilities will need to iteratively adapt cybersecurity protocols to protect operations as each trend shapes the new reality. Short-term and long-term, that’s how we will keep the lights on.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
