This report draws upon leading research, literature, and interviews with subject matter experts across
academia, the electricity sector, and the cybersecurity industry to make recommendations for electricity
professionals, the public sector, regulators, and supply chain vendors.
The electricity
sector underpins all other sectors and therefore requires an acute level of attention with regards to cybersecurity. At the global level, cybersecurity regulations are enforced to a varying degree across geographies. There is a positive correlation between the cybersecurity maturity of the sector and the degree of enforcement.
Threat Landscape The threat landscape is becoming more complex with an increase in sophisticated attacks against industrial control systems (ICS) and operational technology (OT) networks. Attacks have attempted, to disrupt electricity suppliers and phisically destroy equipment and have sometimes succeeded in doing so. Reconnaissance of ICS/OT networks remains a common theme of malware targeting the sector, whereby data about electricity networks and equipment is exfiltrated to remote computers under the control of attackers.
Challenges
Legacy infrastructure which lacks security capabilities is common in the electricity sector due to the long service lifespan and high cost of replacement of capital equipment. Therefore, generation and distribution
sites were found to be an attractive target, while IT systems continue to provide attackers with a route
into electricity organizations via phishing and watering hole attacks.
The supply chain is becoming ever more complex with the adoption of smart grid technologies, and it
can be particularly difficult to assure the security of software, hardware, and business services vendors.
Cybersecurity can therefore be difficult to implement as security leaders try to balance the contrasting
security requirements of their IT and ICS/OT networks.
The cybersecurity, skills gap is compounded by the lack of experts who understand both ICS/OT and cybersecurity which is hindering the efforts of electricity sector leadership to promote their organizations’ cyber maturity.
Recommendations
This report provides several recommendations on human skills, process, technology, governance, and collaboration to address the challenges identified. Improving the cybersecurity culture in the sector is key
to raising cybersecurity awareness, and by upskilling control engineers in cybersecurity, organizations can
help close the skills gap. Senior management must support cybersecurity programs, while responsibility
and ownership of ICS/OT assets should be assigned to designated personnel.
A variety of technology and technical practices are recommended to improve prevention, detection, and
protection against cyber attacks and build resilience in the face of attempts and successful attacks. The report recommends the harmonization of cybersecurity regulations to promote interoperability of cross-regional and international electricity projects, endorsement of internationally recognized standards, and the enforcement of regulations to improve cyber maturity. Finally, this report encourages collaboration across the electricity ecosystem to improve information sharing and help each other to respond to threats globally.
