Utilities are facing two unexpected cyber threats. Here’s why they need to act now.


Matt Yourek

Director of Product Cyber Security & Compliance

Grid Software, GE Vernova

Matt Yourek is the Director of Product Cyber Security and Compliance for Grid Software, GE Vernova, a position he has held for the past four years of his 15-year GE career.

Matt's role includes product management for the cyber security functionality of the Digital Energy solution, Open Source DevOps, and secure product delivery; supporting marketing, sales, contracts, and commercial operations on all things related to customer-facing cyber security aspects of our business; product vulnerability and incident response; ISO27001 governance; customer supply-chain risk assessments of our business; and collaborating with industry.

Last updated: Dec 15, 2025

The risks posed by cyber threats are rising rapidly, and the latest figures paint a troubling picture:
In this blog, I'll break down the risks facing utilities and why the industry seems slow to adopt a better approach to cybersecurity for its grid software and systems.

The hidden risk of suppliers and staff

Utilities face a variety of cyber threats, including ransomware, upstream supply chain compromise of components, and known, exploitable vulnerabilities in unpatched or out-of-date utility software.

There are two risks, however, which utilities often overlook — or are unaware of. These risks come from unexpected places: suppliers and staff.

Suppliers

Recently, I’ve witnessed a rise in reports of supply chain attacks. There are a few reasons why criminals target supply chains:
  • Supply chains may be considered a ‘softer’ target than going directly after utilities because product vendors are often less cyber regulated than utilities, who face hefty penalties for weak cybersecurity.
  • It’s harder for utilities to detect and block attacks coming through their normally trusted supply chain.
  • Once a single supplier is compromised, many of their downstream customers can be exploited, multiplying the impact of the attack.

Staff

Closer to home, an uncomfortable truth is that the largest cyber threat to utilities comes from within their own organizations. It doesn’t even need to be as dramatic as a disgruntled employee being bought off and assisting an attacker. It could be as simple as running a script as the wrong user or not safeguarding log-in credentials (I dread to think how many log-in credentials are written on a Post-It note and stuck to a computer screen right now).

The worst part? Staff usually have access to multiple assets within a utility’s system using the same credentials, and can move freely around, often without additional challenges between systems. That could be catastrophic, especially if their account is taken over by a malicious actor, compromising vital grid data.

Are utilities doing enough?

Every grid operator will have cybersecurity arrangements — and most probably believe they’re doing everything they can to protect their organization. Unfortunately, utilities often fall into the trap of thinking, “A cyber-attack hasn’t happened to me yet; therefore my defences are working and I don’t need to do anything.”

That’s like saying, “I’ve never been in a car accident, so I don’t need to wear a seatbelt.” In fact, former FBI Director Robert Mueller famously said at the RSA Security Conference in 2012: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

So while an attack or breach may not have directly impacted your organization yet, you still need to ensure you’ve got the best protections in place, just in case; especially since the majority of US and UK utilities have been targeted by an attack in the past year alone. This is critical for ongoing grid modernization and maintaining grid resilience.

Another way utilities may be unknowingly putting themselves at risk is by assuming their defences are secure enough because they’re up to date with the latest regulations. To some extent, one can forgive that way of thinking, as the UK NCSC Cyber Assessment Framework, EU Network & Information Systems Directive, AUS Security of Critical Infrastructure Act, and U.S. NERC CIP all promise stricter regulations and harsher penalties.

However, cyber regulations are notorious for being behind the curve — in other words, always playing catch-up to technology advances or reacting to cybersecurity incidents after the fact. So, if you’re just trying to keep up with changing regulations, you’re trailing twice over: behind the regulation, which is itself behind the threat.

How can utilities get ahead of developing cyber threats?

Zero Trust: A better way of approaching security

While the vast majority of IT leaders have already heard of Zero Trust security — an approach characterised by its policy of authenticating, encrypting, and authorising every interaction in isolation — uptake has been slower than expected.

What’s holding decision-makers back? There are three reasons, but here’s why they don’t stand up to scrutiny.

Reason 1: They haven’t been hacked yet.

As mentioned above, there’s a tendency to think, “It hasn’t happened to me yet, so what I’m doing must be working.” Unfortunately, this logic is flawed. In fact, most organizations switching to Zero Trust models do so after a breach or successful attack. Is it really worth waiting until the worst happens?

Reason 2: Unwillingness or inability to imagine threats getting in

Grid operators often tell us their current security setup offers the same level of protection as Zero Trust grid security principles. While on the surface their existing solutions may appear to be delivering similar levels of safety, it’s what’s under the hood that really counts. Zero Trust grid security is an approach that should be built from the ground up, not tacked on. To truly achieve the highest levels of security, operators simply have to have more imagination regarding how threats could manifest and how they might protect against them.

Reason 3: Adopting a new approach is too costly/time-consuming.

There’s an understandable worry among grid operators that adopting a Zero Trust grid security model could be costly, time-consuming, and/or affect day-to-day operations through extra security checks. They wonder if that upfront cost is worth reducing the risk of a cyber-attack. With successful attacks costing $4.88 million on average, the choice would appear clear.

It's time to start from Zero (Zero Trust, that is)

In the fintech and trading industries, Zero Trust security has already been strongly embraced — and with good reason. Those organizations need to be live 24/7. Downtime simply isn’t an option.
At GE Vernova, we’ve noticed that our utility customers also find Zero Trust grid security principles to be the only truly effective way of protecting their organizations. It’s why GridOS® has Zero Trust grid security principles built into our GridOS platform and software applications, providing controls for user actions, account management, client access, network communications, and product delivery.

To learn more about GE Vernova’s Zero Trust grid security principles and GridOS®, check out our whitepaper on grid cybersecurity.
