How you can embed resilience across an organization
Authors of this article include Janet Rieksts Alderman, Partner, Risk Services and Co-Chair, Board Leadership Center, KPMG in Canada; Vikas Gaba, Partner and National Head, Power and Utilities, KPMG in India; Ronald Heil, Global Cyber Security Leader, Energy and Natural Resources, KPMG International and Partner, KPMG in the Netherlands; Ramit Malhotra, Director, KPMG in India
Power systems today face the risk from an array of threats such as natural disasters, technological threats, human-induced events and, most recently, health emergencies. These threats pose significant risks to the reliability, safety, and resilience of power utilities, potentially leading to widespread blackouts, economic disruptions, and compromised public safety. Worldwide, the average cost of a data breach hit a new record high in 2022, costing US$4.72 million in the energy sector1. Fortunately, there are ways in which chief information security officers at power and utilities can develop greater resilience both for the organization and everyone who depends on them. And while threats have arguably become more numerous and sophisticated, so too have the strategies to tackle them. KPMG professionals have identified some of the most rapidly increasing — and harmful — threats to utilities and developed a practical framework for helping to prepare for, combat and overcome them.
Average number of weekly cyberattacks per organization in utilities, 2020-2022
Power systems have always been threatened by natural events, including earthquakes and extreme weather, but in many parts of the world climate change is increasing the frequency and severity of storms and floods. In the US, the share of extreme weather events causing large scale outages (affecting at least50,000 customers) over the past two decades has been on average90 percent, with at least 75 percent across the period and all (or almost all) of the events in certain years2. To help better deal with future storms, local utilities can set up emergency restoration systems, 24-hour control rooms, real-time monitoring of faults and response teams at critical sub-stations.
Utilities can better anticipate and mitigate the impacts of climate-induced disasters on grid infrastructure and service delivery by enhancing organizational readiness and strategic planning, two of the key attributes of resilient organizations.
People with harmful intentions and criminal groups have continually posed risks to physical assets and business processes. In December2015, a cyberattack on power companies in Ukraine affected more than 200,000 customers in the west of the country for severalhours.[3] In response, the companies identified security lapses in both IT and supervisory control and data acquisition systems (SCADA)equipment control systems as well as how staff responded. It led them to improve scanning for malware and introduce cybersecurity training for staff.
Energy utilities in many countries have worked to secure their own digital infrastructure over recent years, but are increasingly (if inadvertently) threatened by the large adoption of digital appliances by their customers. This is partly because of increased demand from those adopting electric vehicles, home generation and battery storage systems, with the last sometimes supplying grids as well as drawing power from them. These developments can increase customers‘ autonomy but also create new risks as many of these appliances and others are now connected to data networks, which can massively increase the potential for cyberattacks.
An attack that forces thousands for charging electric vehicles in a city to cycle simultaneously between drawing and, in some cases, even returning power would likely cause massive and unexpected spikes on the local grid, with similar attacks possible on smart home appliances. Utilities can educate technology manufacturers and lobby for increased cybersecurity of electric vehicles and other networked appliances, including promoting compliance with governmental cybersecurity directives, as well as considering their resilience to such attacks.
Such threats can be mitigated through robust technological investments and cybersecurity measures, as well as training and support for both workforce and customers. These measures can help strengthen utilities ‘defenses against cyberattacks while safeguarding critical systems and customer data. Stakeholders could also consider regulation that creates an ecosystem of shared accountability, where organizations together are responsible for the security of the whole and of individuals.
When operational technology (OT), used to manage industrial processes in sectors including utilities, went digital, IT services typically took over the management of several of these tools and provided cybersecurity. In some cases, no one took over the management, as often it was left unclear who was ultimately responsible. However, as digitalization has expanded, there is now a strong case for keeping OT, including both IT used for OT and dedicated OT hardware, and corporate IT separate and for operations teams to take clear ownership and action on OT. Corporate IT can be defined as anything that is needed to run a company, but it has nothing to do with direct operations like generating or transporting power or manufacturing products. Creating this shift of systems should prevent an ever-increasing set of unnecessary and uncontrollable connections between operations and corporate IT which can help strengthen security, improve accountability and reduce complexity.
Take, for example, a warehouse that relies on barcodes and scanners to manage stock movements. As digital tools, these are generally managed by IT. However, when they fail, the impact falls on operations. Several of the latest supply chain incidents involved companies that were able to produce but not ship products due to issues in IT. Some chief information security officers (CISOs) are reluctant to relinquish control of such OT to chief operating officers (COOs), but given that COOs are answerable for operations, it would make sense for CISOs and IT administrators to provide support rather than demand ownership while cooperating to keep everyone informed and aligned.
The decarbonization of power generation tends to make power grids less resilient by replacing small numbers of highly controllable fossil fuel plants with large numbers of renewable units with variable and often unpredictable output. Increasing reliance of renewables makes it harder to match supply and demand, particularly at peak demand times in early evenings when solar output is generally low or at zero. Utilities can tackle this by investing in balancing infrastructure, such as pumped hydroelectric plants and batteries, as well as embracing real-time markets that charge more at peak times, encouraging consumers to shift demand to other times.
Other existing threats are being intensified as societies increasingly rely on electricity and digitize physical processes, making a working grid ever more important. According to IEA estimates, technical malfunctions and equipment failures within the power grid alone led to power outages resulting in a worldwide economic loss of no less thanUS$100 billion in 2021.[4] The primary economic impacts of these outages stem from decreased productivity in businesses due to interruptions, disruptions in the supply chain and potential damage to equipment.
Utilities can use improved strategic planning and technological innovation to adapt to the challenges posed by the transition to renewable energy sources, helping to ensure grid stability and reliability.
Power and utilities should be ready to cope with society-wide emergencies. The COVID-19 pandemic did not threaten power supplies but caused utilities a wide range of problems, including lower revenues from less consumption, deferred payments and difficulties collecting money. In the US, utilities gained access to short-term debt financing. In India, some offered rebates for consumers to provide their own meter readings, given staff could not do this.
Finally, power and utilities should engage with threats of perception. Moving to net zero will require vast spending, but customers, regulators and policy makers tend to resist higher charges that will pay for this. In some cases, governments ask utilities to comply with conflicting agendas, such as decarbonizing operations while continuing to provide security of supply that is only possible through use of carbon-emitting fuels.
Utilities can weather economic downturns and external crises, as well as maintain service continuity and support communities in times of need by fostering financial resilience and organizational readiness.
To face this range of threats, power and utilities can leverage the following framework to help increase resilience and ultimately move to anti-fragility, with proactive resilience embedded across the organization. The framework includes immediate actions and considerations across five areas: organizational, technological, financial, planning, and workforce and customer.
| Organizational | Monitor readiness, agility and effectiveness at the corporate and business unit levels |
| Technological | Deploy digitally enabled systems and a focus on upgrading existing infrastructure |
| Financial | Create mechanisms for liquidity management and financial recovery |
| Planning | Understand the operational risk at various levels to develop supply chain mitigations |
| Workforce and Customer | Implement crisis management leading practices to ensure the health and safety of employees and customers |
| Organizational | Embed resilience as an important criterion during investment planning | Prepare and regularly update the disaster response plan incorporating new techniques | Clear definition of governance structures spe |
| Technological | Enhance network visibility and remote control capabilities through the deployment of advanced metering infrastructure and advanced IT/OT solutions | Focus on e-governance through digitization of approval processes, document management and workflow systems | Higher level of digitization for key operations through the deployment of drones, outage and distribution management systems, predictive maintenance models and sensors |
| Financial | Enhances focus on digital payments through customer sensitization and exemption of processing fees for digital payments | Establish a disaster resilience fund in collaboration with central and local government, corporate social responsibility funds, customers and others | Develop new insurance products to help ensure the rapid mobilization of funds |
| Planning | Identify and implement system strengthening and hardening measures, such as dynamic circuit reconfiguration and network islanding | Enabled distributed energy resources solutions, including the use of plug-in electric vehicles and microgrids, especially for critical loads | Conduct vulnerability testing exercises, including stimulation-based cyberattacks and technical failures |
| Workforce and customer | Define customer and employee safety guidelines and ensure employee training on aspects of an emergency response plan | Develop mechanisms for robust customer engagement and provisions for proactive updates to customers | Ensure independent safety audits in a regular manner |
While improving technology, financial mechanisms and planning are all important, developing a resilient organizational culture can underpin such work. This means having strong and swift governance processes that allow companies to make good decisions quickly. It also means developing employees’ competency and confidence in an industry where staff tend to take a thoughtful approach and stay for many years, meaning that change management should be carried out with care.
In our view, culturally resilient utility is better prepared to take opportunities when they arise, even if this involves reversing existing strategies. One nuclear plant operator has pivoted from managing decline to taking advantage of its country’s new commitment to nuclear power through planning to build commercial small modular reactors.
At present, many utilities react to crises when they happen, rather than embedding resilience into everyday work and the organization’s culture. Taking the second approach can help develop anti-fragility, the ability to learn from and be strengthened by setbacks, allowing utilities to deal more confidently with day-to-day challenges as well as occasional disasters.
KPMG professionals can support increased resilience by identifying gaps between what utilities have in place and what they would ideally need, then developing a plan to help fill these gaps, whether they involve building new facilities, strengthening existing ones or introducing new technology. KPMG firms combine experience in risk and technology, including cybersecurity, large computing systems and operational technology, with strong experience in supporting utilities to become resilient and future-proof. KPMG firms also offer a KPMG Cyber Risk Insights Platform, a service that puts a price on cybersecurity risks and solutions. KPMG professionals can also provide training, awareness and monitoring, as well as incident response services when required.
Insight
Plugged In magazine: Third Edition
Harnessing technology to power the future
Insight
National Grid: Decarbonizing electricity can require ‘lots of grids’ built much faster
An interview with Ben Wilson, Chief Strategy and Regulation Officer at National Grid Group plc
Insight
How artificial intelligence and automation can help transform power and utilities
How you can accelerate innovation responsibly
Insight
Smart grids: A forgotten key to decarbonization
How you can implement smart grids successfully
