When it comes to cyber risk, electricity is without a doubt the most critical of critical sectors. Imagine if all of a sudden there was no electricity for several days. What if it was for several weeks or longer? It would be catastrophic. Just about everything, everywhere would come to a halt.
It would cause severe economic, health and environmental damage. In the U.S., on the east coast alone, Lloyd's of London estimates $243 billion in insurance costs, loss of life and damage from a cyberattack disrupting the electricity distribution network.
Bad actors such as organized crime groups and rogue nation-states know this and are going after the electricity sector with more cyberattacks than ever before.
They are also targeting the supply chain first, to infiltrate it and use it as the "backdoor" into the electricity sector. So not only are the 3,300 electricity utilities in the U.S. prime targets, so are their suppliers.
In my book, Next Level Cybersecurity: Detect The Signals, Stop The Hack, in one of the cases I show how a rogue nation-state broke into several "staging targets" first. These were suppliers. They used the suppliers as the "back door" to break into the electricity utilities and steal detailed information about the Crown Jewels (i.e. mission-critical cyber assets and systems) in order to plan the eventual attack on the utilities.
The book shows what a cyberattack chain is and reveals the common signals to look for in order to detect the attacker in time, regardless of whether you are an electricity utility or another type of entity.
The North American Electric Reliability Corporation (NERC) in January 2019 also sent a warning to the electricity sector and raised the bar for cyber risk management by assessing a $10 million penalty for 127 violations of cybersecurity standards by an electricity utility.
NERC determined that the violations in aggregate created serious and substantial risk, and mandated cybersecurity enhancements.
The Federal Energy Regulatory Commission (FERC) also approved new cybersecurity standards on security management controls and supply chain risk management, which utilities must comply with by January 1, 2020 and July 1, 2020, respectively.
Electricity utilities must be proactive and not get caught by surprise by either a cyberattack or a regulatory audit. The stakes are too high.
A regulatory audit that discovers non-compliance can be costly, but a cyberattack will be even more costly. Just one successful cyberattack on one utility or supplier can cause a domino effect and lead to a systemic catastrophe.
So what can electricity utilities do now? Here are three steps to remain proactive:
1. Perform a "reverse stress test": assume the worst case (a successful cyberattack that shuts the power supply off for several days), then trace back all of the high-probability steps the attacker would have taken, all the way back to the "intrusion" source. This will help identify gaps and blind spots for risk mitigation.
2. Perform an ongoing Crown Jewels Risk Assessment, to make sure you not only correctly categorize low, medium and high impact cyber assets and systems per the NERC cybersecurity regulations, but also map them to threats, vulnerabilities and risk mitigation, including monitoring for signals of cyber attackers trying to get to the Crown Jewels, and report the results to the board for ongoing oversight.
3. Train your entire organization using three tiers (oversight, awareness and performance) and on the NERC cybersecurity standards, beyond basic security awareness, to prevent non-compliance as happened in the recent $10 million penalty case, and to transform your people into the strongest link in the chain rather than the weakest and most vulnerable.
To learn more about risk mitigation, please visit www.saihuda.com.