The electric power sector faces a rapidly evolving cyberthreat landscape. The sophistication and frequency of attacks are increasing, and the number of threat actors is growing. In fact, energy is one of the top three sectors that cybercriminals target in the United States. Threats range from internal, such as an attack by a disgruntled employee, to external, from nation-states or organized crime, a Deloitte report finds.
“The advancement of electrical infrastructure presents an interesting obstacle for cybersecurity. As grids become modernized and digitized, they also become more supported by and integrated into third-party operations,” says Paul Zonneveld, Deloitte Global Energy and Resources Risk Advisory leader. “With increasingly complex global supply chains, power companies will need to identify and map threats across the extended enterprise.”
To reduce cyber risk in the supply chain, retail power companies face three notable obstacles. First, ownership of the cyber supply chain is often ill-defined, so companies must establish clear accountability. Second, as pressure mounts to move operations to the cloud, companies must do their due diligence in ensuring that providers are secure. And third, companies often do not have the manpower to assess cyber risks.
What can companies do?
Electric power companies can nevertheless take steps to overcome these obstacles and manage cyber risks across the enterprise.
- Map infrastructure assets and evaluate vulnerabilities. Electric power companies should map infrastructure assets and prioritize them by criticality. Next, they should determine the vulnerabilities of those assets and assess the maturity of the control environment for managing threats. Finally, companies should build a framework for protecting critical assets using people, processes, and technology.
- Evaluate suppliers’ security processes. To manage cyber risk in the supply chain, companies have to engage with the supply chain procurement function. Electric power companies must understand suppliers’ cybersecurity processes for products and services and also ensure that they comply with leading industry practices.
- Engage with industry peers and government agencies. Managing cybersecurity risk should not stop at the individual enterprise level. Electric power companies can improve cybersecurity processes by helping to establish industry standards, exchanging threat intelligence with peers, and testing new technologies.
“Technological innovation and analytics should drive every electric power company’s cybersecurity strategy,” adds Zonneveld. “New tools are increasingly available, and the capability to monitor networks in real time, discover threats, and address them is advancing rapidly, consequently providing needed protection for the industry at large.”