The World Economic Forum’s (WEF) latest word on cybersecurity-related issues is a new white paper entitled “Cybersecurity Resilience in the Electricity Ecosystem: Securing the Value Chain.” The document is interesting but flawed. On the upside, it acknowledges that networked IT and OT systems link all of the parties involved in the power sector and uses those links to justify its call for expanding cooperation and sharing responsibility in order to protect all stakeholders. On the downside, it doesn’t dig deeply enough into the implications of its proposals for making the power sector more resilient and resistant to cyberthreats.
This essay will take a look at both sides.
Greater connectivity means greater vulnerability
In the white paper, the WEF notes that cybersecurity has become a bigger problem in the power sector for multiple reasons, including greater use of high-tech equipment, rising consumption of electricity, changing regulatory environments, and the rapid evolution of cyberthreats.
To make the power sector more resilient and resistant to cyberthreats, it says, all of the companies involved in the production, transmission and delivery of electricity, along with all of the equipment and service providers that serve those companies, must work to ensure that they can provide the necessary security for their own links in the value chain. It also calls on stakeholders to work together to ensure that the security of the entire system remains adequate over the entire life cycle of the products involved.
The white paper urges all of the parties involved to do the following:
- to improve the resiliency of the sector at large;
- to expand collaboration between stakeholders to increase security;
- to make the security of supply chains and value chains a high priority;
- to balance product-level and systems-level requirements for security;
- to take different approaches whenever needed to optimize security and resiliency; and
- to understand the ways in which networked technologies are acquired, introduced, and operated and to make adjustments as necessary.
Complicated problems don’t have simple solutions
All of the above statements are unexceptional. Nevertheless, they overlook the serious challenges inherent in the WEF’s approach.
One such challenge stems from the possibility that stakeholders may not agree on how to define the full life cycle of goods or services. What happens if, for instance, a seller of Industrial Internet of Things (IIoT) sensors estimates the service life of its products at five years and agrees to provide security updates and other support services for that period of time, but a customer decides to keep those sensors in operation for more than five years because of budget cuts? Which party, then, is responsible for securing those devices, and how should those obligations be upheld?
Another challenge comes from the fact that the white paper skates over the question of how these new standards might affect costs. If all of the parties involved have to take some measure of responsibility for defense against cyberthreats, they will need more resources – more time to communicate with each other, more skilled workers to staff IT and OT security teams, more auditors to ensure conformity with relevant bodies of law, and more money, time and improvements to achieve compliance with widely recognized standards such as those set by the U.S. National Institute of Standards and Technology (NIST). Since all of these things cost money, they will increase the cost of cybersecurity operations – and as such, they have the potential to increase the cost of electricity. In turn, higher electricity costs can have negative political and/or economic consequences.
The white paper does not quite make clear why those costs might be worth incurring. This is unfortunate, as there is a solid argument to be made on this front.
It is difficult to overstate the importance of the power sector. Electricity generation, transmission, and distribution are not just utility services or an arena of industrial activity that has been affected, like so many others, by digitalization and the introduction of new technologies. Instead, they enable all other sectors of the economy by providing the energy that allows them to reach maximum productivity and efficiency. They also play a crucial role in the improvement and sustainment of human life.
In other words, cybersecurity in the power industry is not just a matter of money or performance. It’s also – quite literally – a matter of life and death. (Indeed, U.S. government officials have acknowledged that successful cyberattacks on the sector have the potential to lead to mass casualties.)
As such, the WEF ought to take a deeper look at its proposals for making the power sector more resilient and resistant to cyberthreats.