Insights of electric power and natural gas
The energy-sector threat: How to address cyber security vulnerabilities
Electric-power and gas companies are especially vulnerable to cyber attacks, but a structured approach that applies communication, organizational, and process frameworks can significantly reduce cyber-related risks.

In our experience working with utility companies, we have observed three characteristics that make the sector especially vulnerable to contemporary cyber threats. First is an increased number of threats and actors targeting utilities: nation-state actors seeking to cause security and economic dislocation, cyber criminals who understand the economic value represented by this sector, and hacktivists out to publicly register their opposition to utilities' projects or broad agendas. The second vulnerability is utilities' expansive and increasing attack surface, arising from their geographic and organizational complexity, including the decentralized nature of many organizations' cyber security leadership. Finally, the electric-power and gas sector's unique interdependencies between physical and cyber infrastructure make companies vulnerable to exploitation, including billing fraud with wireless "smart meters", the commandeering of operational-technology (OT) systems to stop multiple wind turbines, and even physical destruction.

To answer these challenges, we apply our work in more cyber-sophisticated industries (e.g. banking, national security) and our on-the-ground international experience with utilities at various stages of technological sophistication to propose a three-pronged approach:
• Strategic intelligence on threats and actors before attacks on the network. Companies must move beyond reactive measures and take a forward-looking approach to security that integrates the security function into critical decisions about corporate expansion and the accompanying increase in infrastructure and geographic complexity. In parallel, leaders must develop security-minded plans to address "known unknowns" as attackers continue to find and utilize new attack vectors.
• Programs to reduce geographic and operational gaps in awareness and communication, creating a culture of security. A high-functioning utility security apparatus should be aligned to ensure that the best minds across the enterprise, not just in security, are aware of threats and have robust processes to report potential vulnerabilities and emerging incidents. Furthermore, technical systems should provide security with a common operating picture of sites across geographies and business units to detect coordinated attacks and reconnaissance campaigns.
• Industry-wide collaboration to address the increasing convergence of physical and virtual threats. Industry partnerships, as the eyes on the ground for leading-edge technologies (and corresponding vulnerabilities), should engage in regular dialogue on how to secure the delicate ties between physical and virtual infrastructure, as well as IT and OT networks.