Dive Brief:
- Almost half of power and utility CEOs think a cyber attack on their company is inevitable, a new KPMG CEO outlook report finds.
- Of those surveyed, 48% feared cyberattacks were a matter of "when" not "if", 58% felt prepared to identify a cybersecurity threat and 59% identified cybersecurity specialists as the most important new role in their company. If a cyber attack were to occur, 68% feel prepared to manage external stakeholders and 63% feel confident they can contain any impact on strategic operations.
- "Technology-driven opportunities in the [power and utilities] sector have also opened the door for significant risks and cyber threats, which feature highly on CEOs and Board agendas," said Global Sector Head of Energy and Natural Resources at KPMG Regina Mayor, in a statement.
Dive Insight:
The broader KPMG report focuses on CEOs across a number of industries, and finds it isn't just power and utilities executives who worry about the balance between technological innovation and susceptibility to cyberattacks. The top concerns for CEOs in general are economic nationalism, followed by cybersecurity, "disruptive technology risk" and climate change risk.
For utility executives, cybersecurity continues to be a top concern as grid modernization potentially opens up the power sector to more vulnerabilities.
"In theory, a grid with more distributed resources can increase the potential attack surface for adversaries because the capacity of distributed generation, including renewables, has grown exponentially over the last decade," Bill Lawrence, director of the North American Electric Reliability Corporation's Electricity Information Sharing and Analysis Center, told Utility Dive in May.
Connecticut officials in September found there had been millions of attempts to hack utilities in the state over the past year, though all intrusions were successfully prevented. In October, seven Russian military officials were indicted on hacking-related charges, including allegedly trying to steal login credentials from Westinghouse Electric employees involved with advanced nuclear reactor development.
Back in July, Department of Homeland Security (DHS) officials said that Russian hackers had been breaching utility control rooms since 2016 and that the attacks were ongoing, raising new concerns that hacking efforts were becoming more sophisticated.
However, grid security experts later told Utility Dive the threat level may have been exaggerated by the DHS. Although the level of hacking was still considered "extremely concerning," adversaries were not at an advanced enough level to be causing widespread blackouts.
"The very real possibility of localized action is out there, but the grid is not going down tomorrow, next year, or anytime in the near future," Joe Slowik, an adversary hunter at Dragos, told Utility Dive in July.
However, federal officials have still been active in planning for a potential large-scale attack. The Trump administration has argued in part that its proposed coal and nuclear bailout is an attempt to maintain a more resilient grid in light of cybersecurity concerns, a point other federal officials and utility executives have disputed.
The Department of Energy last month awarded $28 million toward 11 cybersecurity projects and is coordinating efforts with the DHS to make pipelines more secure.