Why are utilities especially vulnerable to cyberattacks?

Wind turbine generating energy. Image by Tim Sandle.

Energy and utility networks are the backbone of modern society, providing essential services such as electricity, water, and gas. Disruptions to these services can lead to significant economic and social impacts. This makes such services particularly vulnerable to cyberattacks and a cybersecurity incident can cause major disruption.

The widespread adoption of smart grids, IoT devices, and digital control systems has improved the energy and utilities sector. At the same time it has made the sector more vulnerable to disruption from rogue agents.

To gain a greater understanding, Digital Journal posed some questions to Kim Larsen, CISO at Keepit.

Digital Journal: How prepared are utilities to prevent and solve these attacks?

Kim Larsen: Utilities have had a long time to prepare, but between a changing threat landscape and evolving compliance frameworks it can be difficult to identify precisely what to focus on. Cybersecurity has been a critical topic for years, and utilities play a vital role in maintaining societal stability. The industry is bound by stringent network and compliance requirements, forcing them to conduct exercises and create plans that ensure business continuity. Given the evolving threat landscape, utilities must be vigilant and proactive. There’s no room for complacency—plans must be in place to address potential attacks swiftly and effectively. The threat is real, and the stakes are too high to ignore.

DJ: What could the impact of a widespread attack be on utilities?

Larsen: That depends… The impact of a widespread attack on utilities depends on the sector’s and the population’s preparedness. A short-term power outage might be manageable, but extended disruptions—say, a week without electricity—could cripple society. Utilities must conduct thorough scenario analysis to understand the potential consequences and prepare accordingly. From gas shortages to electrical failures, the ripple effects could be severe. It’s not just about reacting to an attack but anticipating its impact and mitigating the risks to ensure continuity and resilience.

DJ: Are utilities investing enough in securing their network?

Larsen: That also depends… Whether utilities are investing enough in network security is a complex question. It’s not just about the amount invested but about understanding vulnerabilities and shoring up weaknesses. Utilities must avoid putting all their eggs in one basket by diversifying their security strategies. The key is continuous testing, refining, and adapting to the threat landscape. It’s essential to have a governance model that identifies critical components, assesses redundancy, and aligns with leadership on acceptable risk levels. Investments must be measured not just by cost but by the effectiveness of the security measures in place.