Cyberattacks are Serious Business for Utilities
Electric utilities for decades have understood the importance of providing reliable electricity to consumers. They've worked consistently on improving processes and technologies to lower SAIDI (system average interruption duration index) and satisfy regulators and consumers.
Electric utilities for decades have understood the importance of providing reliable electricity to consumers. They've worked consistently on improving processes and technologies to lower SAIDI (system average interruption duration index) and satisfy regulators and consumers. You would have a hard time finding anyone in the industry who says utilities don't understand or care about reliability, at least when it comes to operations.
In the past few years, however, a new reliability threat has emerged and has some industry experts, politicians, regulators and think tanks questioning whether electric utilities understand it and take it seriously enough. That threat is cyberattack.
In late January, Bloomberg published an article by Brian Wingfield, "Power-Grid Cyber Attack Seen Leaving Millions in Dark for Months," in which James Lewis, technology program director at the Center for Strategic & International Studies in Washington, D.C., was quoted.
"Electric utilities fail to recognize the risk (of cyberattacks) because, unlike banks and telecommunications companies, they aren't prime targets for Internet theft or espionage," Lewis said.
He said a certain percentage of utilities don't take cyberattacks seriously. The article revealed results of a Bloomberg survey on cybersecurity at energy companies. The companies surveyed estimated they could increase annual spending to an average $69.3 million and be able to avert 88 percent of attacks during the next 12-18 months. Bloomberg's survey found it would take an average annual budget of $344.6 million per company to stop 95 percent of the threats. The surveyed utilities were not named but, according to the article, included eight private utilities, six public utilities, four oil and gas exploration and production companies, and three pipeline and retail businesses.
I'm not surprised that the companies surveyed did not want to be identified because part of cybersecurity defense strategy involves keeping threats and vulnerabilities under wraps. That's why I'm thrilled about Senior Editor Kristen Wright's cybersecurity roundtable with five high-ranking utility executives. In this article, "Cybersecurity Roundtable: The Enemy is Unknown," beginning on Page 22, Kristen provides enlightening details about some of the world's most infamous hacking groups and some federal agencies' and politicians' concerns about protecting the nation's grid from their attacks. Even more enlightening are the comments and insights from the five executives who discussed what their utilities are doing to protect the grid and customer and employee information from hackers.
After reading this article, I must disagree with Lewis' assessment that some electric utilities don't take cyberattacks seriously. I believe the five utilities represented in this discussion also fairly represent most North American utilities. The executives' discussion convinced me that utilities take cybersecurity threats seriously and are fully committed to providing the resources necessary to protect their assets and information. Are their defensive measures foolproof? Of course not, but they know that, and just like with other reliability measures, they constantly and consistently are working to improve the processes and technologies necessary to secure their assets.
Could a hacking group take out all or part of the nation's electric grid? Yes, but it won't be easy and it won't be because utilities don't take these groups seriously enough.
Teresa Hansen,editor in chief