IT/OT Collaboration
News
Utilities: Energy & Power, Water, Waste

IEA makes recommendations for policy makers, electric utilities on improving cyber resilience of electricity systems

April 20, 2021
electricity systems

The International Energy Agency (IEA) released guidance to policymakers, electric utilities and other stakeholders on how policies and actions could enhance the cyber resilience of electricity systems.

While differing contexts require tailored approaches, several overarching action areas can serve as the basis for achieving more appropriate electricity security frameworks for the future, according to the IEA report. The measures laid out include institutionalizing responsibilities and incentives, identifying risks, managing and mitigating risks, monitoring progress, and responding to and recovering from disruptions.

The electricity system is interconnected with all other critical infrastructure and services. Cyberattacks on electricity systems are therefore a critical threat to every aspect of modern societies. Policymakers, regulators, system operators, and industries across the electricity value chain have important roles to play in enhancing the cyber resilience of the system.

Utilities must implement proper risk management strategies to identify capabilities and risks of their systems from both IT and operational technology (OT) perspectives. In addition, they must establish a clear risk management strategy that can help prioritize areas of work and investment decisions to maximize benefits.

Policymakers must set appropriate responsibilities and incentives for relevant organizations within their jurisdiction. They must designate responsible authorities to set objectives, give direction on measures and assess their implementation. They have also been advised to implement coordination mechanisms between responsible authorities (both within and outside the electricity sector) to avoid conflicts between various regulatory levels. 

The policymakers must also incentivize or oblige regulated and non-regulated entities to implement cybersecurity safeguards. Measures should aim to improve outcomes, rather than relying only on compliance-based processes that risk becoming a box-ticking exercise. The level of enforcement needs to relate to how critical the organization is to wider system reliability. 

Policymakers need to ensure that operators of critical electricity infrastructure identify, assess and communicate critical risks. Policymakers and regulators are required to ensure designated organizations regularly conduct system-level risk analyses to identify key threat scenarios and system vulnerabilities and facilitate public-private cyber risk information sharing.

Electricity systems are also prone to cascading effects across both digital and electrical systems. As utilities increasingly interconnect their systems for the sharing of operational and planning information, an attack could cascade across their digital networks.

The majority of electricity infrastructure – such as power plants and transmission and distribution systems – have long operational lifetimes, often lasting over fifty years. This has led to most electricity systems, including a mix of recent highly digitalized technologies and analog legacy assets deployed decades earlier. 

Older, unprotected OT was often designed without the intent of connecting to networks, leaving them “air-gapped,” and increasingly adapted and connected to IT networks through standardized protocols and additional interface devices. Without adequate security measures and integrated cyber resilience approaches, these connections risk introducing new vulnerabilities to the system.

Power companies are among the most frequently attacked targets, increasingly by nation-state hackers aiming for disruption and even destruction through ICS, according to insights released by Deloitte. One of the most challenging vulnerabilities to address is cyber supply chain risk, given the increasingly far-flung and complex nature of the supply chain. 

A survey brought out by Siemens and the Ponemon Institute showed that industrial cyber risk is worsening, with the potential for severe financial, environmental and infrastructure damage. Industry-wide, readiness is uneven and has common blind spots. In particular, the report highlights the cybersecurity requirements for OT, and the importance of distinguishing between security for OT and security for IT. This remains a major challenge for many organizations across the industry.

The research was conducted to gain a clearer picture of utilities’ existing capabilities, levels of preparedness, vulnerabilities, and strategic understanding of their OT cyber risk. Cyber supply chain accountability and ownership are not very well-defined within companies, most CISOs have no control over their enterprises’ supply chain, and they may have little access to supply chain cyber risk intelligence or visibility into suppliers’ risk management processes, Deloitte added.

Effective policies need to look beyond bulk utilities and consider the entire electricity chain, including supply chains, according to the IEA. Supply chain security is an international issue. To demonstrate security preparedness, certification or other similar mechanisms based upon existing international standards need to be institutionalized and interoperable at the global level, where deemed appropriate, it added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape