Incident readiness: a playbook for your worst day

Being prepared for a cyber incident can minimize critical power and utility infrastructure disruption.

Special thanks to Jason Haward-Grau, Lars Jacobs, and Maliha Rashid

Over the last couple of years, the cyber threats to power and utilities (P&U) organizations have risen significantly, notably from increasingly sophisticated ransomware and malware attacks. Malware, in particular, can spread rapidly, disrupting processes, stealing data, threatening safety and cutting vital services to government, business and consumers.

Unlike IT, which tends to have a 3-5 year life cycle, many P&U OT estates run on old and often unsupported software and hardware. With digital transformation making OT increasingly IT-dependent, there is a growing attack surface that hackers can and will seek to exploit. In addition to traditional players, the threat extends to a host of smaller startups selling electricity and gas and supplying their meters. Many of these companies are essentially marketing and customer service operators with relatively immature cyber security.

"In addition to traditional players, the threat extends to a host of smaller startups selling electricity and gas and supplying their meters"

In a digital world, where everything is connected, grid shutdowns can bring public services, businesses, and homes to a standstill. Not everyone has a backup generator, and a power outage instantly exposes our growing dependence on electricity across every part of daily life. Connectivity also carries the threat outside the organization to millions of customers via IoT devices like smart meters in homes, and online access to billing accounts, opening opportunities for phishing and other forms of unauthorized entry into P&U systems.

Aware of these dangers, regulators exert more significant pressure on companies to demonstrate secure cyber defenses. The EU’s Cyber Resilience Act seeks to establish a baseline of resilience across industries, with a strong focus on critical P&U infrastructure.[10] In the US, the Transportation Security Administration (TSA) Security Directives (published in the wake of a 2021 cyber-attack on Colonial Pipeline) require electric and gas utilities to assess all their assets to ensure they meet new, higher safety standards and produce clear incident readiness plans.[11]

Building incident readiness ‘muscle memory’

A robust cyber security culture can significantly reduce the chance of an attack, but P&U organizations should also be ready should an incident occur. Incident readiness is about developing a playbook for that ‘worst case’ scenario, mitigating vulnerabilities in advance, and documenting a plan to respond quickly and decisively. Through training and exercises, it’s possible to build up invaluable ‘muscle memory.’

Readiness is the foundation of resilience, with a robust plan defining the roles and responsibilities of different stakeholders and the necessary actions to respond and recover swiftly to help minimize the impact on the organization and its customers. Plans should be in both secure electronic format and hard copy to ensure access should systems go down. The three components of a readiness plan are:

People

Establishing a chain of command that names the critical decision-makers, the skills they should possess, and any training needed to fill gaps.

Processes

Specific incident response steps for different scenarios, external and internal communications (including legal obligations), and a clear path to business as usual. P&U OT applications typically have less robust backup and recovery capabilities than IT systems, so these need to be strengthened and given explicit control permissions.

Technology

Technology is a significant component of the plan, outlining the data needed, the steps and processes to locate and gather this information, and tools for analyzing what happened and facilitating a fast recovery.

Doing the drill

Simulations or ‘tabletop’ exercises are a regular feature of a mature cyber security culture, helping P&U organizations improve their ability to detect network attacks earlier and enabling faster containment to prevent escalation. The drill should identify gaps in detection software and intelligence gathering, so that the organization stays on top of potential threats worldwide. And by showing more clearly the links between physical hazards and cyber issues, it will build a greater appreciation of the broader impact of an attack and help reduce the risk of an incident occurring in the first place.

"By bringing together stakeholders who don’t usually interact, incident readiness drills expose people to different ways of looking at the organization."

In a typical exercise, a facilitator walks staff through a tailored cyber incident, tasking the group to evaluate options and make decisions at crucial moments, exposing key individuals to real-life challenges to get operations back on track in the shortest possible time. This improves readiness, gets the players familiar with their responsibilities, and uncovers operational weaknesses.

By bringing together stakeholders — like the CIO, CISO, Head of OT Operations, or an OT shift manager — who don’t usually interact, incident readiness drills expose people to different ways of looking at the organization. OT staff tend to be concerned with operational safety, process optimization and reliability, while their IT counterparts think more about confidentiality, availability, and integrity. Bridging this mindset gap can help teams collaborate more effectively and think through practical questions that may never be discussed until an incident occurs, such as: how will we all connect? And where/how will we meet?

A robust and underlying security culture can make a difference when spreading cyber awareness and responsiveness. Many water and energy providers, including solar, wind, biomass, gas, and coal, have traditionally had relatively relaxed health and safety environments, without rigid restrictions save for the generator area. Now that cyber has become a recognized threat, these organizations must build awareness and encourage good habits.

Accessing the resources you need

Cyber attackers are becoming more active, and ransomware and malware incidents are increasing in both frequency and severity. P&U organizations may not be able to prevent every attack, but they can improve their incident readiness.

Armed with a tried and tested playbook, P&U organizations can respond at pace, with a documented set of tasks, a transparent chain of command, and knowledgeable individuals with the muscle memory to mobilize and close the threat down as quickly as possible, protecting the safety of all employees and keeping vital national infrastructure up and running.

However, an incident readiness plan is only as good as the people that operate it, so organizations need a strong focus on training and resourcing. This should ensure that relevant workers are skilled and drilled in containment and recovery, with the plan leader able to locate and deploy the appropriate individuals quickly. Given the enormous demands on staff — with the IT team often working around the clock — tiredness and mistakes can creep in, so it’s essential to have resources in reserve to take over.

Finally, P&U organizations should recognize that even the most efficient incident readiness plan has room for improvement. That’s why an external perspective can be invaluable in building resilience. A skilled third-party specialist can guide the readiness team through the various steps and carry out an incident readiness assessment with recommended actions to overcome gaps.

How KPMG can help

At KPMG, we have carried out multiple incident readiness assessments and tabletop exercises for P&U and industrial businesses. We bring a wide range of highly qualified and experienced team members into incident readiness, from security and penetration testers to operational consultants, cyber readiness experts and recovery practitioners who have been directly leading recovery efforts for impacted clients. KPMG was delighted to be recognized as a ‘Leader’ in Worldwide Incident Readiness Services by IDC Marketscape in 2021.

Clients particularly value our multi-sector view. Too often, businesses are contained within their industry bubble and have limited awareness of best practices in other sectors that they may be able to import and apply. KPMG professionals have worked on incident readiness and simulations across many industries, including financial services, automotive, chemicals and manufacturing.

Footnotes

  1. Sophos, The state of Ransomware 2021, April 2021.
  2. Cybereason, Ransomware Attacks and the True Costs to Business, Dragos 2020 ICS Cybersecurity Year in Review.
  3. Coveware, Ransomware Threat Actors Pivot from Big Game to Big Shame Hunting, May 2022.
  4. Unit 42, 2022 Unit 42 Ransomware Threat Report, March 2022.
  5. CNN, Someone tried to poison a Florida city by hacking into the water treatment system, sheriff says, February 2021.
  6. Business Standard, Suspected Chinese hackers collect intelligence from India's power grid, April 2022.
  7. Fortinet, 2020 State of Operational Technology and Cybersecurity Report, April 2021.
  8. Cybereason, Ransomware Attacks and the True Costs to Business, Dragos 2020 ICS Cybersecurity Year in Review.
  9. The Texas Tribune, Texas power grid, energy sectors facing elevated Russian cyber threats during war in Ukraine, March 2022.
  10. European Commission, Cyber resilience act – new cybersecurity rules for digital products and ancillary services, March 2022.
  11. Burns McDonnell, Cybersecurity Directives Require Quick Action by Electric/Gas Utilities, March 2021.

Contact us

Jason A Haward-Grau

Managing Director, Cyber Security Services, KPMG US

+1 713-304-0044