The ecosystem surrounding electricity organizations is rapidly expanding, multiplying what was once a well-understood landscape of transmission and distribution lines, to now include smart devices and a connected business ecosystem of suppliers, customers, peers, and more. Additional relationships stretch even further, to an “extended ecosystem” of policymakers, insurers, and legal bodies.
This web of various stakeholders is not only critical to the modern utility operation, but manifests in a number of ways, from new technologies and machinery to updated regulations like NERC-CIP. Coupled with rising threats to cybersecurity in major industries, there is mounting pressure on utility organizations to revisit and reevaluate the capability and scope of their security measures.
But the digitization sweeping across industrial operations has outpaced the ability of traditional – and widely used – security approaches. More sophisticated and frequent cyberattacks prey on these vulnerabilities, risking crippling hacks, stolen data, and halted operations. By overlooking the needs of these disparate-yet-connected systems, the current status quo for security is holding back utility businesses across the board.
The World Economic Forum and Boston Consulting Group recently published a research report on how business leaders in utilities must approach cyber risk to fortify operations and enable continued innovation. One of the more forward thinking utility operators, the Enel Group, provides a beneficial case study for how to proactively mitigate risk in the increasingly complex utility landscape.
Enel has adopted a systematic cyber risk management model that guides and manages cybersecurity best practices across both IT and OT. Their new approach to security was designed specifically with IoT operations and the networking of smart devices in mind, cultivating an environment in which cyber risk and its resulting business impact are seen as essential considerations in the development of projects and activities.
The current security approach and technology toolset deployed by most utilities is impairing these businesses’ ability to capitalize on their expanding market. Utilities are now focusing on applications driving real business outcomes, such accelerating adoption of electric vehicles and lowering the cost of energy from renewable sources. However, the security toolset used by utilities still requires all devices, users, and applications to be in full control of the utility–in a way that is fundamentally incompatible with these modern functions. Assets such as electric vehicles, windmills, solar installations, battery deployments are not owned by the utility, yet required to interface with the power grid. Workarounds and patchwork solutions that are being deployed today are too complex and cannot manage the expanding scope of these multi-vendor, multi-device, multi-application, multi-user operations. Without foundational technology and comprehensive, flexible cybersecurity processes, utilities can’t securely integrate full automation, distributed generation, and the multitude of other new trends befalling the industry.
Tackling cyber risk starts at the top and is foundational to business’ success. The WEF is calling upon Boards to meticulously review their organizations’ security functions and practices, stressing “the need for extending robust cyber resilience governance from the IT world into the OT environment.” To eliminate the weakest links in our connected industries and critical infrastructure, business leaders in utilities need to reimagine what cybersecurity looks like, adopting an approach that spans both IT and OT, and protects operations from end-to-end, across every interaction, application, and device.
For more on the World Economic Forum’s findings and recommendations, take a look inside the official report on Cyber Resilience in the Electricity Ecosystem here.