Keeping the Lights On: Why Utilities Must Act on New Cyber Risks in the Time of COVID-19

By: Leo Simonovich, Global Head of Industrial Cybersecurity, Siemens Energy, Inc.

In the energy industry, crisis moments like COVID-19 focus attention on two things: how to keep people safe, and how to keep supplying power to customers. Right now, that means working remotely is the number one priority for utilities, but this reality also exposes the energy industry to new cyber risks coming from both inside and outside its cyber defenses. Lives are on the line—companies need to protect their workers and avoid outages.

Utility CEOs and board members face a unique blend of cyber and safety risk. By accessing critical plant production and grid networks from homes, employees raise the risk of a possible second wave crisis: rolling outages and safety events when keeping the lights on matters most. Attackers will attempt to exploit the rush to remote systems, understaffed facilities, and new ways of working. 

To avoid an impending cybersecurity crisis, utility leaders need to shift focus toward making remote work increasingly secure, operationally viable, and resilient. Boards and CEOs must move quickly to ensure the safety of employees, while protecting the entire energy value chain from attack. Balancing the new risk matrix requires four broad steps: understanding the new cyber risk, establishing baseline defenses, building interoperable defenses with partners, and reengineering the overall architecture for this new reality.

Understanding the new cyber risk

Home-based work increases exposure to cyber risks: less-reliable internet connections, social engineering attacks against employees and their families, and honest mistakes made in unfamiliar workflows are all new potential risks. Partner companies will also face increased cyber exposure. Utilities need to deliberately choose which tasks pose unacceptable risks and which can be adapted for remote work. For example, many monitoring tasks can be done remotely—and safely—with the right procedures, but testing or servicing safety and backup systems remotely cannot. 

Establishing baseline defenses appropriate to remote work

Layered defenses, commonly known as Defense in Depth, reduce the consequences of cyberattacks, and remote work will elevate specific needs:

  • Secure connections. Employees without secure access can’t work effectively, making this necessary—but not sufficient—for cybersecurity. Plant operators should proactively define who should access which assets and institute controls before approving remote technology.

  • Monitor for anomalies. Working from home makes some security practices impossible. For example, valid and malicious commands now both come from outside the plant. It’s hard to discern what’s normal. This increases the importance of monitoring as a way to distinguish between employees and attackers. Some monitoring can be automated, freeing time for relevant personnel to investigate suspicious activity.

  • Prepare for incident response. Plants now need an incident response plan that works when most employees are not on site, some are hospitalized, and an attack appears within their systems. Assume attackers will pressure-test the new defenses and achieve at least partial success. Expect to need to activate incident response within the next few weeks, with limited on-the-ground support and distributed remote-expert support. Eradication and reboot may not be an option for the foreseeable future.
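As an added illustration (not from the article or Siemens Energy), the following Python check combines the first two points above: a per-operator access policy that defines who may reach which assets remotely, and automated review of remote-session logs that flags what origin alone can no longer reveal, such as a control or test action on a safety or backup system from a remote session, or an operator connecting from a source never seen before. The log format, operator names, asset names and addresses are all constructed for the example.

```python
import re

# Constructed policy: which assets each remote operator may reach, and whether
# that operator may issue control actions at all from a remote session.
REMOTE_POLICY = {
    "alice": {"assets": {"turbine-1", "turbine-2"}, "control": True},
    "bob":   {"assets": {"ups-a", "turbine-1"},     "control": False},
}
# Safety and backup systems: monitoring remotely is acceptable, servicing or
# testing them remotely is not, so any control action on them is flagged.
SAFETY_ASSETS = {"ups-a", "sis-1"}
CONTROL_ACTIONS = {"write", "test", "restart"}

# Constructed log line format: "<ts> user=<u> src=<ip> asset=<a> action=<act>"
LOG_RE = re.compile(r"user=(\S+) src=(\S+) asset=(\S+) action=(\S+)")

def review_session_log(lines, known_sources):
    """Return (alerts, seen). alerts is a list of (reason, log_line);
    seen is a copy of known_sources (user -> set of IPs) updated with new IPs."""
    alerts = []
    seen = {u: set(ips) for u, ips in known_sources.items()}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            alerts.append(("unparsed", line))
            continue
        user, src, asset, action = m.groups()
        pol = REMOTE_POLICY.get(user)
        if pol is None:
            alerts.append(("unknown_user", line))
            continue
        if asset not in pol["assets"]:
            alerts.append(("asset_not_permitted", line))
        if action in CONTROL_ACTIONS and (asset in SAFETY_ASSETS or not pol["control"]):
            alerts.append(("remote_control_on_restricted", line))
        if src not in seen.setdefault(user, set()):
            alerts.append(("new_source", line))   # same user, unfamiliar origin
            seen[user].add(src)
    return alerts, seen

# Constructed sample session log and the sources each operator used before.
SAMPLE_LOG = [
    "2020-04-01T08:00 user=alice src=203.0.113.5 asset=turbine-1 action=read",
    "2020-04-01T08:05 user=alice src=203.0.113.5 asset=turbine-1 action=write",
    "2020-04-01T08:10 user=bob src=198.51.100.7 asset=ups-a action=read",
    "2020-04-01T08:12 user=bob src=198.51.100.7 asset=ups-a action=test",
    "2020-04-01T09:00 user=alice src=192.0.2.44 asset=turbine-2 action=read",
    "2020-04-01T09:30 user=carol src=192.0.2.9 asset=turbine-1 action=read",
]
KNOWN_SOURCES = {"alice": {"203.0.113.5"}, "bob": {"198.51.100.7"}}

if __name__ == "__main__":
    for reason, line in review_session_log(SAMPLE_LOG, KNOWN_SOURCES)[0]:
        print(reason, "<-", line)
```

Only the three lines that deviate from the policy are reported; alice's permitted write on turbine-1 and bob's read of ups-a pass, showing that identity, asset and action together, not the connection's origin, are what separate routine remote work from suspicious activity.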

Building interoperable defenses with partners

Cybersecurity is as strong as its weakest link. Utility leaders and peers at partner companies should work to implement common defense measures. These include defining privileged access, disclosing vulnerabilities, and sharing threat intelligence. Ensuring that partner systems work from a shared roadmap will help utilities assess and improve security. Failing to consider partners’ cybersecurity leaves a potentially large blind spot in your defenses.

Reengineering the security architecture for this new reality

Utilities are making fundamental changes to their energy production workflows—and cybersecurity methods and architectures will need to be revamped. Systems that assume workers are present at plants or field sites will now have the wrong emphasis. For example, plants typically ban portable devices, but most workers are now outside the plant, with access to those banned devices or social media platforms. A blueprint designed for this new reality needs to defend and monitor the new remote workflows in the new context.  

While the COVID-19 crisis makes these steps urgent, several long-term trends that pre-date the pandemic will drive similar changes. Distributed-energy sources will require new operating models. Remote work and automation will offer efficiency gains. Energy companies will need to train their next-generation workforce. Cyberattacks against utilities will continue to escalate in frequency and sophistication. We know these changes are coming and may become permanent. Utilities will need to iteratively adapt cybersecurity protocols to protect operations as each trend shapes the new reality. Short-term and long-term, that’s how we keep the lights on.