- 100% of survey respondents say their cybersecurity function is not fit for purpose
- Utilities struggle to monitor their digital ecosystem more than all other sectors
- 85% of respondents say they don’t have a robust incident response program
All utilities organizations surveyed in the latest EY Power and Utilities Global Information Security Survey 2017-18 (GISS): Why wait for a cyber catastrophe to prepare for a cyber attack?, say that their cybersecurity function does not meet their needs. The survey also finds that 58% of sector respondents anticipate difficulties in monitoring the perimeter of their digital ecosystem, compared with 36% across all sectors.
With the sector moving through radical transformation, it is becoming more challenging for utilities to map the digital environment in which they operate. The report highlights that an increasingly fragmented energy value chain, together with the rise of microgrids and distributed energy resources, make it difficult to understand and manage risk. Despite the rising threat level, however, 85% of respondents say they do not have a robust incident response program that includes regular crisis scenario testing.
Matt Chambers, EY Global Power & Utilities Risk and Cybersecurity Leader, says:
“An expanding digital ecosystem with potentially millions of networked access points is exposing utilities to more sophisticated and frequent cyber attacks, which have the potential to disrupt critical infrastructure. Utilities are particularly attractive targets for state-sponsored actors in politically unstable regions. It is little surprise, therefore, that they are more worried than ever about the breadth and complexity of the evolving threat landscape.”
The heightened perception of risk owing to the increased adoption of digital technologies is reflected in the report.
Falling from 19% of sector respondents last year, only 6% now say they are confident that they have fully considered the information security implications of their current strategy, and that their risk operating model incorporates and monitors cyber threats, vulnerabilities and potential impacts. And only 17% prioritize protection of non-IT “crown jewel” assets, while nearly a quarter (23%) still do not have a security operations center.
Chambers says: “While utilities may feel more confident about confronting threats that have become familiar in recent years, they still lack the capability to deal with more advanced, targeted assaults. To be cyber resilient, utilities must embrace an enterprise-wide risk management strategy that includes review and adoption of leading practices against evolving threats using a multilayered approach across a proven framework for managing cybersecurity.”
The report also finds that 44% identify budget constraints as a key barrier to responding to cyber attacks. Nearly a third of respondents (29%) say they would need more than a 25% increase in budget to achieve management’s desired level of risk tolerance, yet only 9% expect to receive a budget increase of that scale in the next 12 months. Meanwhile, 62% believe that an attack that didn’t cause harm would be unlikely to prompt an increase in budget.
Chambers says: “Often, the people responsible for security lack influence with senior management and struggle to articulate the risk in order to obtain additional investment. This reinforces the need to elevate security to an enterprise-level risk and become an integral part of the utility’s overall strategy.”
The majority (85%) of power and utilities respondents consider careless members of staff as the most likely point of weakness to attack. Almost half (48%) also believe that their risk exposure related to vulnerabilities from social media usage has increased over the last 12 months, significantly up from just 8% last year.