Until recently, a typical energy utility generated electricity from a few large power plants. It may have had millions of customers, but it measured their use with occasionally checked mechanical meters. Now, many such utilities also draw on many smaller-scale renewable sites, including surplus production from domestic customers and manage those customers through smart meters that provide a constant stream of data. Meanwhile, some energy companies that previously sold only to businesses are turning themselves into utilities by adding domestic customers, including oil and gas-focused groups trying to diversify.

Companies building domestic supply businesses are taking on new involvements in people’s lives with a more significant impact if their systems fail. These changes tend to increase the number and scope of a company’s relationships, often adding individuals and smaller organizations that are less likely to have adequate cyber security. In short, it can dramatically increase their ‘attack surface’ – the total number of virtual locations through which someone could access, change or extract data. Overall, many such companies are taking on the virtual equivalent of moving from defending a few prominent forts to securing many cities, villages and individual buildings.

These increasing risks can be further heightened since utilities tend to have less sophisticated cyber security than their peers in other industries. However, this creates opportunities for the sector to make significant improvements by adopting what is already in use elsewhere. An example of such sound practice is to shift from trying to control what is happening in their digital systems to monitoring them for suspicious behavior.

Global Banking CEO Outlook, PDF cover

Plugged In

The role of energy organizations in combating climate change

Download magazine (2.46 MB) ⤓

From control to monitoring

Many energy companies have approached cyber security in the past by trying to control everything. This might have worked once, but it is not realistic when handling complex relationships with millions of customers. Instead, energy companies should consider the security models used by modern technology-based companies aiming to monitor systems and networks intelligently rather than controlling them. In terms of physical security, the revised approach is less like imposing military control on an area than policing it.

A behavior-based approach means looking for unusual activity rather than specific signatures of malicious threats, such as already-known patterns or indicators of compromise, like the code of a software virus. The problem with the latter is that cyber attackers are skilled at taking on the identities of innocent parties, such as cloud software providers. It is more complicated – although not impossible – to disguise malicious digital behavior. These behaviors include looking for ways to get into systems, entering them, navigating within them to find valuable data, extracting it and then leaving or destroying the system afterward. If someone climbs into an office building through an open window and heads for where the valuables are stored, they are worth investigating, even if they look like someone with a staff card.

Threat detection systems that use machine learning – automated analysis of large amounts of data – are an excellent tool for effectively monitoring behavior. This is because they can spot subtle patterns that people may overlook. These could include a new sequence of communication that takes place at 2am every Sunday between a company system and one in a foreign country or an employee who appears to be running a corporate server from a desktop computer. Behavior, rather than known indicators, provides clear grounds for suspicion in both cases.

Protecting operational technology

As well as applying to information technology (IT), these approaches can also help protect operational technology (OT), the specialist equipment used to monitor and control physical industrial processes. OT is increasingly connected to networks, allowing those managing plants to manage them more efficiently and gather data much faster, but it can also make it more vulnerable to cyber attacks.

Compared with IT, threat detection systems need to be used in slightly different ways than in OT. One reason is that OT networks tend to change less often than IT ones, such as because a specific industrial process, is only required once every few months, making monitoring systems more prone to sounding false alarms based on what appear to be unusual events. This can be addressed by managing OT security locally at large plants, so there is awareness of irregular but legitimate operations rather than through a remote security operations center (SOC). It also makes more sense to use threat detection systems to undertake passive analysis of normal behavior rather than actively stress-test OT networks, given the consequences of failing OT systems can include damaged industrial equipment or safety incidents.

Despite their differences, IT and OT are gradually converging, such as applying advanced analytics to industrial processes. This is also true of Industrial Internet of Things (IIoT) devices, which gather data that allows analytics to improve maintenance, efficiency, and sustainability work, including efforts to avoid polluting accidents. As with OT, the use of IIoT can increase cyber risks. The long-term strategies involve cultural and technical changes, such as giving responsibility to manage OT to chief technology officers, charging chief information security officers with managing risks across IT, OT and IIoT and considering cyber security an integral part of all transformational projects.

Managing regulatory requirements

Cultural change is also required by organizations to recognize that cyber security needs careful attention to its governance, regulation and compliance. Technology can support this in the shape of integrated risk management (IRM) tools which help monitor and manage the work of meeting regulatory requirements and act as a store for the evidence they require. In the United States, industry-specific regulators, including the North American Electric Reliability Corporation and Federal Energy Regulatory Commission, need to be assured that cyber risks are managed, as do economy-wide regulators, including the National Institute for Standards and Technology and those checking compliance with the Sarbanes-Oxley Act. Modern IRM tools can also track incidents and vulnerabilities, providing organizations with real-time information.

Some regulators, including the United Kingdom’s Office of Gas and Electricity Markets (Ofgem), consider the security of supply and network resilience when reviewing price controls for companies that run energy networks and infrastructure, with cyber security an increasingly important aspect of this. KPMG professionals can advise regulated companies on how to ensure their regulatory economics and cyber security specialists work to include allowances for the costs of improved digital security in business plans.

Reducing utility vulnerabilities

Utilities play an essential role in society. A cyber attack on an oil refinery that causes it to shut down for a few hours might only be noticed once its owner makes an announcement. But suppose the same attack on an energy utility causes a power cut. In that case, this will be seen by thousands or millions of people almost immediately, in some cases with severe consequences for safety and wellbeing. Unfortunately, this means that utilities are attractive targets for hackers backed by hostile nations who aim to disrupt societies rather than extract financial ransoms.

KPMG firms can help utilities strengthen cyber security in several ways, including tailoring threat detection to make it work much more efficiently. Security systems generate a lot of noise, data and false alerts. Still, these can be reduced through adjustments based on a business’s specific priorities and critical processes. KPMG professionals can assist clients with such optimization work, enabling alerts that are higher in accuracy and fewer in number, which in turn helps to save time and cost. This is partly based on in-house security testing, which is used to refine such tailoring over time. KPMG firms also have a global network of operational technology specialists, and alliances with specialized OT security vendors, which can help utilities worldwide better protect their infrastructure from cyber threats. KPMG firms can support better governance, regulation and compliance work through the use of IRM tools and advice on how cyber security can impact issues, including regulatory cost allowances.

How Hydra Ottawa improved its cyber security

Hydro Ottawa, a power utility serving more than 300,000 business and residential customers in Ontario, Canada, has used Cognito, an automated threat management service provided by Vectra, since 2016. Previously, the utility’s technologists spent a lot of time hunting for threats manually. Implementing Vectra’s automatic detection, scoring and prioritizing of cyber threats meant the company dramatically reduced the time needed to investigate threats and now re-sponds faster to any that are identified.

As part of Vectra's service, it monitors certain behaviors, including reconnaissance attempts, attempts to install remote access tools, and attempts to extract data, the last of which Hydro Ottawa has set up specific alerts for. The utility has also used the service to take pre-emptive steps, such as changing the configuration of specific devices on its network to eliminate vulnerabilities.

As well as monitoring its corporate systems, Hydro Ottawa is planning to use Vectra to protect some of its operational technology (OT) including its supervisory control and data acquisition (Scada) systems. Rather than looking at components used for specific industrial processes, the system will monitor the overarching systems used to control these at level 2 and above of the Purdue reference model used to describe OT systems. In particular, Cognito will focus on the perimeter between OT and the company’s IT environment, and unless attackers have physical access to facilities, they would have to breach this digital perimeter to reach OT systems.

Aside from monitoring, Hydro Ottawa uses threat information from Cognito to help it conduct internal audits and implement standards, including the National Institute for Standards and Technology’s cybersecurity framework.

Vectra has an alliance with KPMG in the Netherlands.

Additional thinking

Global Energy Institute

Receive valuable insights covering critical energy topics.

Follow us on LinkedIn

View regular energy content on our LinkedIn showcase page

Connect with us