Info-Tech: Digitalization for utilities is a “double-edged” sword regarding cybersecurity

(UI) – With the world becoming increasingly digitized, security leaders within the utilities sector face a dynamic and complex landscape. Utilities own and operate a collection of systems, assets, facilities, equipment, and devices that interact with the physical world and are interconnected via various communication networks.

Beyond the traditional information security domain, a utility’s cybersecurity program must have a broader scope to protect against a wide range of targets. Emerging technologies such as Industrial Internet of Things (IIoT) and the antiquated industrial control system (ICS) environment create a dynamic landscape.

The diverse cybersecurity risk levels and the consequences of cyberattacks add to the complexity of securing this type of environment. To help security leaders safeguard the digital transformation in the utilities industry, global IT research and advisory firm Info-Tech Research Group has published its new resource, the Utilities Cybersecurity Report.

“Digitalization is a double-edged sword. On the one hand, it propels automation and enhances control in utilities, driving operational excellence and improving service reliability,” says Jing Wu, principal research director at Info-Tech Research Group. “On the other hand, digitalization introduces a greater risk of cyberattacks due to increasing interconnections across the IT, OT, and IIoT domains.”

According to the firm’s recently published report, amid the increasing adoption of IIoT technologies, utilities are struggling with the sheer volume of devices they now need to protect against sophisticated cyberattacks or breaches. Many existing IT cybersecurity experts do not fully understand how OT operates or how to comply with industry-specific regulations and standards. Furthermore, leaders can find themselves reacting to ever-evolving government policies and regulations.

Cybersecurity has become a prominent topic on the agenda at executive and board meetings, but most of the executive leaders and board members do not have deep knowledge of cybersecurity. To protect the organization from cyberattacks, security leaders are expected to bridge the gap between strategy development and tactical implementation. The report provides the following overview of the current cybersecurity landscape for the utilities sector:

The talent shortage is creating a risk

A staff shortage impacts daily operations and opens the utility to risk with three primary consequences: systems misconfigurations, lack of time for risk assessment and management, and delays in critical systems patching.

The firm suggests that organizations focus on staff development and retention to address the gap. Talent acquisition through consulting services on an as-needed basis could be cost effective for smaller utilities.

Increase oversight and transparency

The report also explains that human-enabled processes are accountable for most misconfigurations, such as incorrect permissions, missing authentication, and weak passwords. A company-wide cybersecurity governance program can enforce policies and embed a cybersecurity mindset into an organization’s culture. Each utility sector faces unique challenges and regulations, including natural gas, water, and wastewater.

Beyond the overarching enterprise-wide analysis, the firm recommends that utilities should use industry-specific frameworks to evaluate maturity and identify gaps.

Cost-effective technology adoption

The firm’s research states that although there are common governance and control management practices applicable across digital domains, such as IT, OT, and IoT, the reality is that there are also unique challenges within the OT environment that require different approaches. Legacy embedded systems cannot be scanned for vulnerabilities, and false alarms can be equally devastating. Not all assets in OT can be patched or upgraded. In some instances, the source code is missing for an effective patch.

As the utilities cybersecurity landscape continues evolving, the cybersecurity technology market will become a battleground between various suppliers.

Evolving utilities cybersecurity regulations

Another area the report explores is the evolving domain of utilities cybersecurity regulations. Globally, government agencies take different approaches to cybersecurity laws and standards, and updates continue to be proposed and enforced worldwide. Utilities must comply with cybersecurity laws and regulations enacted by governments on a national or regional level. Regulations sometimes incorporate standards established by trusted organizations.

Adopting standards prior to compliance obligations

Well-constructed regulations can be difficult to establish, as they must balance cybersecurity compliance benefits against the cost to the utility and customers. As dynamic as the utilities cybersecurity technology landscape is, the regulations continue to evolve as regulators respond to government legislation updates or reforms over time. Laws and regulations often include delays to allow utilities to implement specific details.

Drive cybersecurity maturity holistically

Utilities should first focus on basic cybersecurity hygiene while conducting a comprehensive risk assessment. It is crucial to perform an assessment to identify the organization’s current state and the future state of IT/OT cybersecurity maturity. Mapping out the initiatives strategically is essential to bridging the gaps, which is a continuous and iterative process.

Recent cyberattacks against nations’ critical infrastructure serve as warnings to utilities as they can cause devastating consequences. Based on risk assessment of the various attack surfaces, Info-Tech advises that it is imperative for security leaders to weed through technical details and hyperfocus on the broader impact.

 

Related News

From Archive

• Most Read
• Most Commented