Two recent trends in the utility industry are undeniable to those paying attention. There has been a significant increase in both the volume and complexity of ransomware attacks, and there's a clear shift as attackers focus their efforts on the supply chain where there is often less investment and maturity in cybersecurity capabilities.
These two trends pose a significant risk to operational resiliency, and that risk extends well beyond the utilities themselves. From the OEMs that supply networking equipment to third-party professional services firms, utilities today depend on a large network of companies in order to be resilient.
Any organization is only as strong as its weakest link, yet limiting the supply chain to only those vendors that already have robust cybersecurity controls would itself harm resiliency: it shrinks the pool of available suppliers and concentrates dependence on a few of them. The industry would benefit far more from a strategy that helps everyone rise with the tide together. Whether third-party vendors lack resources because of funding, market conditions, or the labor shortage, there needs to be a mechanism that reduces risk without introducing unrealistic barriers to entry.
The vision is to reduce risk holistically by providing a common set of cybersecurity best practices to address potential vulnerabilities before utilities introduce new assets or services which may pose a risk to operational resiliency.
The evolving threat landscape
The same third-party technologies and services that have allowed utilities to manage operations effectively and safely also represent attack vectors for malicious actors. Recent trends, including the shift toward digital operations, the prevalence of remote work during the pandemic, and the need to rely on and connect with outside vendors for daily operations and major project work, open new vulnerabilities. A breach anywhere along the supply chain can mean a disruption of services, the loss of confidential data, or worse. Utilities must therefore consider cybersecurity risk not only for their own systems in isolation but as the final stop in a large and complex vendor supply chain that, if not proactively managed, can have countless points of vulnerability.
A utility supply chain often includes thousands of vendors with an equally wide range of security capabilities and expertise. It is no small task for any utility to gauge the cyber risk exposure and preparedness across its entire supply chain, let alone to build a proactive, effective, and adaptable plan of defense. In many cases a vendor's cybersecurity practices come from industries whose security requirements are very different. Companies of such disparate capabilities and backgrounds must all be given a path to compliance that matches the needs of the utility. As both the regulatory and threat environments evolve, utilities and the vendors they rely upon will need to adapt rapidly to new requirements.
How utilities can mitigate risk
Utilities must ensure that their supply chain risk management programs are able to address several areas simultaneously, with the ultimate objective of shifting from a "trust" to a "trust but verify" security posture. This includes:
- Defining standard third-party risk evaluation criteria that correspond with the utility's risk tolerance
- Prioritizing vendors based on potential risk and impact to business continuity
- Proactively managing security assessments and required actions
- Responding to varied levels of security maturity across the vendor ecosystem, potentially providing knowledge to less mature vendors and flexibility to less critical entities
- Providing senior management the visibility and communication channels required for daily operations and incident response
- Ensuring security software, policies, and training are up to date with best practices, with an ability to rapidly evolve in the face of new regulations and threats
Utilities would be well served to adopt a set of common standards and principles across the entire industry. With the cybersecurity profession in a state of negative unemployment (i.e., demand for skilled professionals exceeds the supply) and vendors already suffering from audit fatigue, a common approach could significantly reduce the cost of compliance and increase vendors' willingness to comply.
An effective program includes a streamlined assessment process to gauge vendor preparedness, a unified baseline of criteria, an accepted set of security software and policies, and independent governance. By taking a standardized and collective approach, the industry could reduce overall security compliance costs across all utilities while ensuring that every member is protected by current best practice in both technology and people processes.