
From threats to anti-fragility: A framework for resilient utilities

How you can embed resilience across an organization

Authors of this article include Janet Rieksts Alderman, Partner, Risk Services and Co-Chair, Board Leadership Center, KPMG in Canada; Vikas Gaba, Partner and National Head, Power and Utilities, KPMG in India; Ronald Heil, Global Cyber Security Leader, Energy and Natural Resources, KPMG International and Partner, KPMG in the Netherlands; Ramit Malhotra, Director, KPMG in India

Power systems today face risks from an array of threats, including natural disasters, technological threats, human-induced events and, most recently, health emergencies. These threats endanger the reliability, safety and resilience of power utilities and can lead to widespread blackouts, economic disruption and compromised public safety. Worldwide, the average cost of a data breach hit a new record high in 2022, reaching US$4.72 million in the energy sector [1]. Fortunately, there are ways in which chief information security officers at power and utilities companies can build greater resilience, both for the organization and for everyone who depends on it. And while threats have arguably become more numerous and sophisticated, so too have the strategies for tackling them. KPMG professionals have identified some of the most rapidly growing, and most harmful, threats to utilities and developed a practical framework to help prepare for, combat and overcome them.

Figure: Average number of weekly cyberattacks per organization in utilities, 2020-2022

Climate-related natural events

Power systems have always been threatened by natural events, including earthquakes and extreme weather, but in many parts of the world climate change is increasing the frequency and severity of storms and floods. In the US, extreme weather has over the past two decades caused on average about 90 percent of large-scale outages (those affecting at least 50,000 customers): at least 75 percent in every year of the period, and all or almost all of them in certain years [2]. To deal better with future storms, local utilities can set up emergency restoration systems, 24-hour control rooms, real-time fault monitoring and response teams at critical substations.

Utilities can better anticipate and mitigate the impacts of climate-induced disasters on grid infrastructure and service delivery by enhancing organizational readiness and strategic planning, two of the key attributes of resilient organizations.


The rise of technology threats

People with harmful intentions and criminal groups have continually posed risks to physical assets and business processes. In December 2015, a cyberattack on power companies in Ukraine cut power to more than 200,000 customers in the west of the country for several hours [3]. In response, the companies identified security lapses in both their IT and their supervisory control and data acquisition (SCADA) systems, as well as in how staff responded. This led them to improve malware scanning and introduce cybersecurity training for staff.

Energy utilities in many countries have worked to secure their own digital infrastructure over recent years, but they are increasingly (if inadvertently) threatened by the widespread adoption of digital appliances by their customers. This is partly driven by the growing demand from customers adopting electric vehicles, home generation and battery storage systems, the last of which sometimes supply power to the grid as well as drawing from it. These developments increase customers' autonomy but also create new risks: many of these appliances are now connected to data networks, which greatly expands the attack surface available to cyberattackers.

An attack that forces thousands of charging electric vehicles in a city to cycle simultaneously between drawing and, in some cases, returning power would likely cause large and unexpected spikes on the local grid; similar attacks are possible against smart home appliances. Utilities can educate technology manufacturers and lobby for stronger cybersecurity in electric vehicles and other networked appliances, including promoting compliance with government cybersecurity directives, and can assess their own grid's resilience to such attacks.

Such threats can be mitigated through robust technology investment and cybersecurity measures, as well as training and support for both the workforce and customers. These measures help strengthen utilities' defenses against cyberattacks while safeguarding critical systems and customer data. Stakeholders could also consider regulation that creates an ecosystem of shared accountability, in which organizations are jointly responsible for the security of the whole as well as of their own systems.

Why operations teams should own their technology

When operational technology (OT), the technology used to manage industrial processes in sectors including utilities, went digital, IT departments typically took over the management of many of these tools and provided their cybersecurity. In some cases nobody took over management at all, because it was left unclear who was ultimately responsible. As digitalization has expanded, however, there is now a strong case for keeping OT (both the IT used to run OT and dedicated OT hardware) separate from corporate IT, and for operations teams to take clear ownership of, and act on, OT. Corporate IT can be defined as everything needed to run the company that has nothing to do with direct operations such as generating or transporting power or manufacturing products. Making this shift should prevent an ever-growing set of unnecessary and uncontrolled connections between operations and corporate IT, which in turn strengthens security, improves accountability and reduces complexity.

Take, for example, a warehouse that relies on barcodes and scanners to manage stock movements. As digital tools, these are generally managed by IT; when they fail, however, the impact falls on operations. Several recent supply chain incidents involved companies that were able to produce products but not ship them because of problems in IT. Some chief information security officers (CISOs) are reluctant to relinquish control of such OT to chief operating officers (COOs), but since COOs are answerable for operations, it makes sense for CISOs and IT administrators to provide support rather than demand ownership, while cooperating to keep everyone informed and aligned.
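One concrete way to enforce the separation argued for above is to audit firewall rules (or observed flows) for any path that joins corporate IT and OT directly rather than through a controlled OT DMZ. The script below is an added example, not KPMG's code or any utility's real configuration: the zone address ranges, the allowlisted DMZ services and the sample rules are all constructed for illustration. It flags direct corporate-IT/OT rules in either direction, corporate-IT access to the DMZ on services that are not explicitly allowlisted, and rules whose addresses fall outside every known zone. Because it checks zone overlap rather than exact membership, an "any"-source rule (0.0.0.0/0) into OT is caught as a direct corporate-to-OT path.

```python
"""Audit firewall rules for direct corporate-IT <-> OT connectivity.

Added example (not KPMG code). Zones, allowlist and sample rules are
assumptions constructed for illustration. Policy enforced:
  * corporate IT must never reach OT directly, in either direction;
  * corporate IT may reach the OT DMZ only on allowlisted services;
  * every rule endpoint must belong to a known zone.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout (constructed).
ZONES = {
    "corporate_it": ipaddress.ip_network("10.10.0.0/16"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
}

# Assumed allowlist of corporate-IT -> OT DMZ services (constructed):
# SSH to the jump host and HTTPS to the historian replica.
ALLOWED_TO_DMZ = {(22, "tcp"), (443, "tcp")}


@dataclass(frozen=True)
class Rule:
    src: str  # host or CIDR
    dst: str  # host or CIDR
    port: int
    proto: str
    comment: str = ""


def zones_touched(addr):
    """Return the set of zone names an address or CIDR overlaps.

    Overlap (not subset) is used so broad rules such as 0.0.0.0/0 are
    attributed to every zone they could reach. Addresses matching no
    zone are reported as 'unknown' so they cannot slip past the audit.
    """
    net = ipaddress.ip_network(addr, strict=False)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    return hit or {"unknown"}


def audit(rules):
    """Return a de-duplicated list of (finding_kind, rule) pairs."""
    findings = []
    for rule in rules:
        for s in zones_touched(rule.src):
            for d in zones_touched(rule.dst):
                if {s, d} == {"corporate_it", "ot"}:
                    kind = "direct_it_ot"
                elif (s == "corporate_it" and d == "ot_dmz"
                      and (rule.port, rule.proto) not in ALLOWED_TO_DMZ):
                    kind = "unlisted_dmz_service"
                elif "unknown" in (s, d):
                    kind = "unclassified_zone"
                else:
                    continue
                if (kind, rule) not in findings:
                    findings.append((kind, rule))
    return findings


# Constructed sample ruleset: a mix of acceptable and policy-breaking rules.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "10.20.0.10", 22, "tcp", "engineers -> OT jump host"),
    Rule("10.10.5.7", "10.30.1.20", 502, "tcp", "vendor laptop -> PLC (Modbus)"),
    Rule("10.20.0.10", "10.30.0.0/16", 502, "tcp", "jump host -> PLC network"),
    Rule("10.10.0.0/16", "10.20.0.20", 3389, "tcp", "RDP to historian"),
    Rule("0.0.0.0/0", "10.30.0.0/16", 161, "udp", "legacy any-source SNMP"),
    Rule("10.30.2.5", "10.10.40.9", 445, "tcp", "engineering WS -> corporate share"),
]

if __name__ == "__main__":
    for kind, rule in audit(SAMPLE_RULES):
        print(f"{kind:22} {rule.src} -> {rule.dst} {rule.port}/{rule.proto}  # {rule.comment}")
```

Run against the constructed rules, the audit reports the vendor laptop, the any-source SNMP rule and the engineering workstation share access as direct IT/OT paths, and the RDP rule as an unlisted DMZ service; the jump-host rules pass. In practice the same check would be fed from the firewall's exported policy or from flow logs, and the allowlist would be owned by the operations team, which is the accountability point the section makes.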

How grids can be destabilized by decarbonization

The decarbonization of power generation tends to make power grids less resilient by replacing a small number of highly controllable fossil fuel plants with a large number of renewable units whose output is variable and often unpredictable. Increasing reliance on renewables makes it harder to match supply and demand, particularly at peak demand times in the early evening, when solar output is generally low or zero. Utilities can tackle this by investing in balancing infrastructure, such as pumped hydroelectric plants and batteries, and by embracing real-time markets that charge more at peak times, encouraging consumers to shift demand to other periods.

Other existing threats are being intensified as societies rely ever more on electricity and digitize physical processes, making a working grid ever more important. According to IEA estimates, technical malfunctions and equipment failures within the power grid alone caused outages resulting in a worldwide economic loss of no less than US$100 billion in 2021 [4]. The main economic impacts of these outages stem from lost productivity in businesses during interruptions, disruption to supply chains and potential damage to equipment.

Utilities can use improved strategic planning and technological innovation to adapt to the challenges posed by the transition to renewable energy sources, helping to ensure grid stability and reliability.

Part of society: from COVID-19 to perception

Power and utilities should be ready to cope with society-wide emergencies. The COVID-19 pandemic did not threaten power supplies but caused utilities a wide range of problems, including lower revenues from less consumption, deferred payments and difficulties collecting money. In the US, utilities gained access to short-term debt financing. In India, some offered rebates for consumers to provide their own meter readings, given staff could not do this.

Finally, power and utilities should engage with threats of perception. Moving to net zero will require vast spending, but customers, regulators and policy makers tend to resist higher charges that will pay for this. In some cases, governments ask utilities to comply with conflicting agendas, such as decarbonizing operations while continuing to provide security of supply that is only possible through use of carbon-emitting fuels.

Utilities can weather economic downturns and external crises, maintain service continuity and support communities in times of need by fostering financial resilience and organizational readiness.

A framework for resilience and anti-fragility

To face this range of threats, power and utilities can leverage the following framework to help increase resilience and ultimately move to anti-fragility, with proactive resilience embedded across the organization. The framework includes immediate actions and considerations across five areas: organizational, technological, financial, planning, and workforce and customer.

Key attributes of a resilient organization

Organizational: Monitor readiness, agility and effectiveness at the corporate and business unit levels
Technological: Deploy digitally enabled systems and focus on upgrading existing infrastructure
Financial: Create mechanisms for liquidity management and financial recovery
Planning: Understand operational risk at various levels to develop supply chain mitigations
Workforce and customer: Implement crisis management leading practices to ensure the health and safety of employees and customers

A framework for resilience: Actions to take

Organizational: Embed resilience as an important criterion during investment planning; prepare and regularly update the disaster response plan, incorporating new techniques; clear definition of governance structures spe
Technological: Enhance network visibility and remote control capabilities through the deployment of advanced metering infrastructure and advanced IT/OT solutions; focus on e-governance through digitization of approval processes, document management and workflow systems; increase the digitization of key operations through the deployment of drones, outage and distribution management systems, predictive maintenance models and sensors
Financial: Enhance the focus on digital payments through customer sensitization and exemption of processing fees for digital payments; establish a disaster resilience fund in collaboration with central and local government, corporate social responsibility funds, customers and others; develop new insurance products to help ensure the rapid mobilization of funds
Planning: Identify and implement system strengthening and hardening measures, such as dynamic circuit reconfiguration and network islanding; enable distributed energy resource solutions, including the use of plug-in electric vehicles and microgrids, especially for critical loads; conduct vulnerability testing exercises, including simulation-based cyberattacks and technical failures
Workforce and customer: Define customer and employee safety guidelines and ensure employee training on all aspects of the emergency response plan; develop mechanisms for robust customer engagement and proactive updates to customers; ensure regular independent safety audits


While improving technology, financial mechanisms and planning are all important, developing a resilient organizational culture underpins all of this work. It means having strong and swift governance processes that allow companies to make good decisions quickly. It also means developing employees' competency and confidence in an industry where staff tend to take a thoughtful approach and stay for many years, so change management should be carried out with care.

In our view, a culturally resilient utility is better prepared to seize opportunities when they arise, even if this involves reversing existing strategies. One nuclear plant operator has pivoted from managing decline to taking advantage of its country's renewed commitment to nuclear power by planning to build commercial small modular reactors.

At present, many utilities react to crises when they happen, rather than embedding resilience into everyday work and the organization's culture. Taking the second approach can help develop anti-fragility, the ability to learn from and be strengthened by setbacks, allowing utilities to deal more confidently with day-to-day challenges as well as occasional disasters.

How this connects with what we do

KPMG professionals can support increased resilience by identifying gaps between what utilities have in place and what they would ideally need, then developing a plan to help fill these gaps, whether they involve building new facilities, strengthening existing ones or introducing new technology. KPMG firms combine experience in risk and technology, including cybersecurity, large computing systems and operational technology, with strong experience in supporting utilities to become resilient and future-proof. KPMG firms also offer a KPMG Cyber Risk Insights Platform, a service that puts a price on cybersecurity risks and solutions. KPMG professionals can also provide training, awareness and monitoring, as well as incident response services when required.

Footnotes

  1. IEA. ‘Cybersecurity — is the power system lagging behind?’. 2023.
  2. IEA. ‘Power Systems in Transition.’ 2020.
  3. CISA. 'Cyber-Attack Against Ukrainian Critical Infrastructure.' 2021.
  4. IEA. ‘Electricity Grids and Secure Energy Transitions.’ 2023.
