Special thanks to Jason Haward-Grau, Lars Jacobs, and Maliha Rashid
Over the last couple of years, the cyber threats to power and utilities (P&U) organizations have risen significantly, notably from increasingly sophisticated ransomware and malware attacks. Malware, in particular, can spread rapidly, disrupting processes, stealing data, threatening safety and cutting vital services to government, business and consumers.
Unlike IT, which tends to have a 3-5 year life cycle, many P&U OT estates run on old and often unsupported software and hardware. With digital transformation making OT increasingly IT-dependent, there is a growing attack surface that hackers can and will seek to exploit. In addition to traditional players, the threat extends to a host of smaller startups selling electricity and gas and supplying their meters. Many of these companies are essentially marketing and customer service operators with relatively immature cyber security.
In a digital world, where everything is connected, grid shutdowns can bring public services, businesses, and homes to a standstill. Not everyone has a backup generator, and a power outage instantly exposes our growing dependence on electricity across every part of daily life. Connectivity also carries the threat outside the organization to millions of customers via IoT devices like smart meters in homes, and online access to billing accounts, opening opportunities for phishing and other forms of unauthorized entry into P&U systems.
Aware of these dangers, regulators are exerting greater pressure on companies to demonstrate secure cyber defenses. The EU's Cyber Resilience Act seeks to establish a baseline of resilience across industries, with a strong focus on critical P&U infrastructure.[10] In the US, the Transportation Security Administration (TSA) Security Directives (published in the wake of a 2021 cyber-attack on Colonial Pipeline) require electric and gas utilities to assess all their assets to ensure they meet new, higher safety standards and produce clear incident readiness plans.[11]