Power systems today face the risk from an array of threats such as natural disasters, technological threats, human-induced events and, most recently, health emergencies. These threats pose significant risks to the reliability, safety, and resilience of power utilities, potentially leading to widespread blackouts, economic disruptions, and compromised public safety. Worldwide, the average cost of a data breach hit a new record high in 2022, costing US$4.72 million in the energy sector.1 Fortunately, there are ways in which chief information security officers at power and utilities can develop greater resilience both for the organisation and everyone who depends on them. And while threats have arguably become more numerous and sophisticated, so too have the strategies to tackle them. KPMG professionals have identified some of the most rapidly increasing — and harmful — threats to utilities and developed a practical framework for helping to prepare for, combat and overcome them.
The rise of technology threats
People with harmful intentions and criminal groups have continually posed risks to physical assets and business processes. In December2015, a cyberattack on power companies in Ukraine affected more than 200,000 customers in the west of the country for severalhours.[3] In response, the companies identified security lapses in both IT and supervisory control and data acquisition systems (SCADA)equipment control systems as well as how staff responded. It led them to improve scanning for malware and introduce cybersecurity training for staff.
Energy utilities in many countries have worked to secure their own digital infrastructure over recent years, but are increasingly (if inadvertently) threatened by the large adoption of digital appliances by their customers. This is partly because of increased demand from those adopting electric vehicles, home generation and battery storage systems, with the last sometimes supplying grids as well as drawing power from them. These developments can increase customers‘ autonomy but also create new risks as many of these appliances and others are now connected to data networks, which can massively increase the potential for cyberattacks.
An attack that forces thousands for charging electric vehicles in a city to cycle simultaneously between drawing and, in some cases, even returning power would likely cause massive and unexpected spikes on the local grid, with similar attacks possible on smart home appliances. Utilities can educate technology manufacturers and lobby for increased cybersecurity of electric vehicles and other networked appliances, including promoting compliance with governmental cybersecurity directives, as well as considering their resilience to such attacks.
Such threats can be mitigated through robust technological investments and cybersecurity measures, as well as training and support for both workforce and customers. These measures can help strengthen utilities ‘defenses against cyberattacks while safeguarding critical systems and customer data. Stakeholders could also consider regulation that creates an ecosystem of shared accountability, where organisations together are responsible for the security of the whole and of individuals.
Why operations teams should own their technology
The decarbonisation of power generation tends to make power grids less resilient by replacing small numbers of highly controllable fossil fuel plants with large numbers of renewable units with variable and often unpredictable output. Increasing reliance of renewables makes it harder to match supply and demand, particularly at peak demand times in early evenings when solar output is generally low or at zero. Utilities can tackle this by investing in balancing infrastructure, such as pumped hydroelectric plants and batteries, as well as embracing real-time markets that charge more at peak times, encouraging consumers to shift demand to other times.
Other existing threats are being intensified as societies increasingly rely on electricity and digitise physical processes, making a working grid ever more important. According to IEA estimates, technical malfunctions and equipment failures within the power grid alone led to power outages resulting in a worldwide economic loss of no less thanUS$100 billion in 2021.[4] The primary economic impacts of these outages stem from decreased productivity in businesses due to interruptions, disruptions in the supply chain and potential damage to equipment.
Utilities can use improved strategic planning and technological innovation to adapt to the challenges posed by the transition to renewable energy sources, helping to ensure grid stability and reliability.
How grids can be destabilised by decarbonisation
Power and utilities should be ready to cope with society-wide emergencies. The COVID-19 pandemic did not threaten power supplies but caused utilities a wide range of problems, including lower revenues from less consumption, deferred payments and difficulties collecting money. In the US, utilities gained access to short-term debt financing. In India, some offered rebates for consumers to provide their own meter readings, given staff could not do this.
Finally, power and utilities should engage with threats of perception. Moving to net zero will require vast spending, but customers, regulators and policy makers tend to resist higher charges that will pay for this. In some cases, governments ask utilities to comply with conflicting agendas, such as decarbonising operations while continuing to provide security of supply that is only possible through use of carbon-emitting fuels.
Utilities can weather economic downturns and external crises, as well as maintain service continuity and support communities in times of need by fostering financial resilience and organisational readiness.
A framework for resilience and anti-fragility
To face this range of threats, power and utilities can leverage the following framework to help increase resilience and ultimately move to anti-fragility, with proactive resilience embedded across the organisation. The framework includes immediate actions and considerations across five areas: organisational, technological, financial, planning, and workforce and customer.
While improving technology, financial mechanisms and planning are all important, developing a resilient organisational culture can underpin such work. This means having strong and swift governance processes that allow companies to make good decisions quickly. It also means developing employees’ competency and confidence in an industry where staff tend to take a thoughtful approach and stay for many years, meaning that change management should be carried out with care.
In our view, culturally resilient utility is better prepared to take opportunities when they arise, even if this involves reversing existing strategies. One nuclear plant operator has pivoted from managing decline to taking advantage of its country’s new commitment to nuclear power through planning to build commercial small modular reactors.
At present, many utilities react to crises when they happen, rather than embedding resilience into everyday work and the organisation’s culture. Taking the second approach can help develop anti-fragility, the ability to learn from and be strengthened by setbacks, allowing utilities to deal more confidently with day-to-day challenges as well as occasional disasters.
How we can help
KPMG professionals can support increased resilience by identifying gaps between what utilities have in place and what they would ideally need, then developing a plan to help fill these gaps, whether they involve building new facilities, strengthening existing ones or introducing new technology. KPMG firms combine experience in risk and technology, including cybersecurity, large computing systems and operational technology, with strong experience in supporting utilities to become resilient and future-proof. KPMG firms also offer a KPMG Cyber Risk Insights Platform, a service that puts a price on cybersecurity risks and solutions. KPMG professionals can also provide training, awareness and monitoring, as well as incident response services when required.
Explore the magazine
Related content
Our people
Sharad Somani
Partner, Head of Infrastructure Advisory, Head of Infrastructure, Asia Pacific and Head of ESG Consulting
KPMG in Singapore
