Following recent breaches, USEA calls on utilities to prepare plans, invest in training

Utilities should invest in processes to prepare for cyberthreats and establish communication strategies to respond to potential breaches, according to the US Energy Association.

Following several recent high-profile cybersecurity hacks, the USEA recently issued a handbook urging utilities to implement an effective plan to prevent and mitigate the impacts of such attacks.

While most all companies are susceptible to cyberthreats, utilities need to consider both cyber and physical consequences of a successful breach, which could disrupt service or destroy physical assets, according to the "Electricity Sector Cybersecurity and Digitalization Handbook." The USEA and Energetics, a management consulting firm specializing in energy and security technologies, created the 117-page handbook, which was sponsored by the US Agency for International Development.

"Solutions should be tailored to your utility's specific needs because your utility is unique," according to the guide. "There are no 'silver bullets' to cybersecurity. It takes time to understand risks and effort to mitigate them."

Cybersecurity recommendations

The construction and management of utilities' operational technology systems, which control the physical assets that provide electricity to customers, are especially important, the guide notes. A potential breach of this system "elevates cybersecurity above a normal business concern to an issue of national interest," the USEA said.

"Many companies are slow to acknowledge the risks of cybersecurity, often waiting until a cybersecurity incident causes a crisis, forcing them to act," it said. "However, it is a near-universal truth that the response to such a crisis will be cheaper and more effective if an organization has prepared for such an eventuality."

Among various recommendations, the USEA emphasizes the need for energy companies to build relationships and establish contacts with regulators, law enforcement and security professionals, among other stakeholders, to ensure a more efficient response following a breach. Companies can develop and rehearse action plans to help restore operations and communication should a hack prove successful as well.

Utilities should also identify internal staff who can spearhead communications during an emergency, relaying information to regulators and deciding what information to make public. Better communication between the operational technology and information technology sides can be especially useful. These two teams tend to operate separately but aligning their goals and improving communication can "foster a collaborative culture and joint accountability," the USEA said.

Cyberthreats can stem from the global supply chain as well. Utilities must understand such risks and work to carefully assess and select products while monitoring for quality assurance and vulnerabilities.

"Securing the supply chain for the various components, software, and services of an electric power utility across numerous vendors and suppliers is a complex endeavor," the USEA said. "Repeatable procurement and contract requirements and language can help alleviate some of that complexity."

Companywide effort

Additionally, the energy association emphasized the need for utilities to "foster a culture of security from the executive leadership down through all levels of staff."

Appointing a leader to promote cybersecurity strategies can be a "strong first step," the USEA said. From there, the company can invest in employee trainings that help staff recognize common hacking attempts, such as phishing emails, it said.

Such training can be especially important given systems' increasing vulnerability as companies digitalize more of their operations. These new communication channels can be especially susceptible to human error, potentially resulting in a breach.

The USEA also recommends that power companies integrate cybersecurity processes initially when taking steps to modernize the grid. Cost is a major consideration for these cybersecurity investments, especially since such tools serve to protect money-making assets but do not generate revenue themselves. Cybersecurity measures, in general, should not cost more than the value of the assets and data they serve to protect, according to the energy association.

"Integrating cybersecurity into new digitalized operations means developing processes that will look for potential risks, evaluate them, and address them," the USEA said. "A process is versatile in a way a cybersecurity product is not. A process will help to manage risks even as the risks change because the infrastructure expands."