Utilities saw cyberattacks spike this year. Can they stay safe?

Cyberattacks targeting US utilities spiked 70% this year, with 1,162 attacks reported through August, compared to the same period last year, which saw 689, according to Check Point Research, as reported by Reuters.

As Reuters notes, none of the attacks so far have “crippled” a US utility. But with cyberattacks targeting critical infrastructure on the rise, the clock is ticking.

Nearly 38% of 445 utility companies globally had weak cybersecurity management programs as recently as 2022, according to recent research by Morningstar Sustainalytics. The figure did improve to nearly 27% in 2023, but Sustainalytics said it believes cybersecurity has become a major concern for utilities companies, according to the report, The Downside of Digital Transformation for Utilities: Data Privacy and Cybersecurity Risks.

Have you read?
New cybersecurity centre to protect grids and distributed renewables
Priority cyber-enabled energy system technologies designated in US

Among the recorded incidents affecting the companies tracked in the Morningstar Sustainalytics to date, the majority of data privacy and cybersecurity incidents in the utilities sector involved breaches that compromised thousands of customers’ personal information. 

Cyberattacks have also caused service disruptions. For example, Luma Energy, a grid operator in charge of modernizing the power infrastructure in Puerto Rico, suffered a cyberattack in 2021 that blocked users from accessing their customer portal accounts during outages. 

Similarly, Colombian utility, Empresas Públicas de Medellín, experienced a cyberattack in 2022 that caused disruptions to its office operations as well as to customers’ meter and bill payments. Hydro-Quebec, a major grid operator in Canada, suffered an attack in 2023 that caused its app and website for verifying outages to go offline.

Data breaches are on the rise worldwide, and the energy sector is among the top five industries targeted most often for hacking and ransomware attacks. The recent uptick in security-related incidents targeting US electrical substations and utilities has set off alarm bells. With a 71% increase in incidents over the past year, experts predict that this worrying trajectory will continue beyond 2024. 

But is anyone doing anything about it? As it turns out, yes.

Another recent report stemming from a scenario exercise aims to help the industry grapple with the changing security landscape. The GridEx VII Lessons Learned Report is a post-exercise review and analysis of NERC and the Electricity Information Sharing and Analysis Center’s (E-ISAC) GridEx VII, that took place in November 2023.

The report provides recommendations and actions for utilities, government partners, the E-ISAC, and other stakeholders to prepare for and respond to security incidents that affect the North American electric system.

GridEx VII concluded with a day-long executive session during which industry executives and government leaders from the United States and Canada convened in-person in Washington, D.C., as well as virtually, to explore strategic and policy implications presented by the scenario via a “Tabletop” exercise. The Tabletop exercise resulted in the following recommendations:

• Explore opportunities to improve the transmission of critical data between control centers
• Evaluate alternative technologies for voice communications necessary to operate the grid
• Increase participation and collaboration between utilities, local, state and provincial governments
• Conduct further discussion between industry and government regarding restoration priorities and supply chain concerns

Originally published by John Engel & Sean Wolfe on power-grid.com.