Coronavirus 2019 (COVID-19) produced a rise in digital attacks. According to PR Newswire, the FBI received 4,000 reports of digital attacks a day during the height of the pandemic. That’s a 400% increase compared to the volume of alerts it received before COVID-19. Along these same lines, ABC News reported that Interpol had spotted an “alarming rate of cyberattacks” aimed primarily at large corporations, government entities, and medical organizations. Such attacks make it difficult to coordinate a national response to a pandemic like COVID-19.
That could be true in more ways than one. Indeed, malicious actors could further hurt government entities and medical organizations by targeting some of the other industries on which they rely. Those sectors include electric. Governments and medical organizations depending on this sector to maintain their IT and industrial systems to carry out their essential services.
So, how has the electric sector fared in 2020?
Black & Veatch Holding Company explored this question in its 2020 Strategic Directions: Electric Report. For its report, Black & Veatch surveyed more than 600 stakeholders to explore the issues and trends affecting the power sector. Their responses provide insight into how COVID-19 has affected the sector’s digital security.
Electric Organizations Feeling the Pressure of COVID-19
There are three things to consider when it comes to understanding the impact of COVID-19 on electric organizations. First is the rise in utility usage resulting from people working, attending classes, and in general spending more time at home. Indeed, research from Steve Cicala revealed that household electricity usage in the United States had risen by 10% during the second quarter of 2020. This increase meant that Americans spent $6 billion more on electricity during those three months.
Such growth signals how electric organizations are under pressure to maintain the availability of services to support employees who are operating remotely as a result of the pandemic. A growing number of attacks confronting electric utility organizations aren’t making that task easy, however. According to a 2020 report, the volume of distributed denial-of-service (DDoS) attacks confronting utility organizations, including electric entities, increased year over year by 595% between June 15 and August 21.
Brandon Robinson, a partner at Balch & Bingham LLP, said that changes within the electric grid might be a contributing factor. Per Morning Consult’s coverage of that report:
Whether one’s motivation is to do financial, economic, national security or industry harm, critical infrastructure such as the electric grid can be a natural target for such cyberattackers…. The electric grid is also evolving, as we see an evolution from larger, more centralized resources to more distributed resources, and virtualized, remote control of those resources, which call for and have led to adaptation in the way that connectivity between and control of grid resources is protected.
Second, energy organizations’ security budgets are not expected to increase over the coming year. On the contrary, McKinsey found that security budgets for global energy and materials organizations were expected to decline in 2021. This decrease in budget would apply to all organizations within the utilities sector, McKinsey uncovered, though small organizations were more likely to be affected by this development than large ones.
A decline in security budgets could be the result of electric organizations’ changing priorities. In Black & Veatch’s survey for 2019, respondents named cybersecurity as their third most-challenging issue facing them. Cybersecurity slipped to sixth place in the 2020 report, however, a change which could indicate that organizations are shifting to new resource priorities as a result of the pandemic.
That’s a problem that plays into the third consideration: electric organizations still have work to do in terms of hardening their cybersecurity. For instance, about one-fifth of respondents indicated to Black & Veatch that they had not yet implemented a security program for their Operational Technology (OT) despite NERC CIP requirements. A quarter of survey participants also indicated that their organization’s cybersecurity investments had not kept step with investments in other areas such as digital assets and customer engagement.
What This Means for Electric Organizations Going Forward
The findings from Black & Veatch highlight the possibility that electric organizations might need to do more with less in order to secure themselves going into 2021. To do that, they need the right expertise and support.
That’s where ORIGNIX comes in. Via its cyber Process Risk Analysis (cyberPRA) methodology, ORIGNIX delivers systematic cyber and operational risk assessment using well-established techniques and templates. This methodology includes cyber Hazard and Operability (cyberHAZOP), which helps customers systematically identify and qualify the risks on their cyber-physical systems’ (CPS) availability and reliability. From there, ORIGNIX uses its cyber Operations Resilience Management (cyberORM) to help clients achieve the desired functional and strategic risk tolerance level of your CPS using generally accepted good engineering practices (RAGAGEP) including internationally recognized industry standards ISO 27001/2, ISA/IEC 62443, ISA/IEC 61511 and NIST 800-82.
For more information, click here.