Utility Week’s first risk report in conjunction with Marsh, a leading global risk and insurance broker, comes at a time as utility companies have battled the elements, seen energy prices climb over the past six months, and began bracing themselves for a deluge of companies and consumers unable to pay their bills. The inaugural UK Utilities Risk Report highlights the key issues keeping sector leaders awake at night, including cybersecurity. The conflict and stress in the sector have led to greater threat levels of cyber-attacks on critical infrastructure, as well as tightening global gas and oil supplies and surging fuel prices at the pumps.
For the purpose of the report, senior managers in utilities – a strong representation across the utilities spectrum across 23 different companies – completed an online survey and the responses were then followed up by in-depth interviews with respondents.
Cybersecurity
In the report, cybersecurity came out top as the biggest risk to utility firms, taking into account the likelihood of firms suffering a cybersecurity breach and the potential impact on the business. While the report focused on utilities, the cybersecurity concerns are ubiquitous. With government warnings of cyber-attacks being issued to critical infrastructure organisations as tensions with Russia began to escalate, this risk was clearly front of mind.
Nearly eight out of ten (77%) regard a serious cybersecurity breach as a high-risk factor and 85% said that this would have a major impact on the business. In energy retail, six out ten (63%) viewed a serious cybersecurity breach as a high-risk factor, and the same number said it would have a serious impact on their business. One retailer, in fact, said they were surprised that the risk was not scored more highly, particularly with the rollout of smart meters, which although governed by stringent security controls could still potentially provide another entry into the network.
Utilities are also prone to the type of ransomware attacks that corporates across the board were being subjected to. Clearly, for utilities the impact was heightened because energy and water companies provide essential services to customers. We can attest to these concerns. Simplex has, in the past, worked with utility companies to review their disaster recovery situation from a technology, people, and process point of view.
Across the industry, the majority view is that breaches of cybersecurity would only continue to grow as a risk factor as operations became more digital, and a large number of digital interfaces (like sensors) were added to networks. An inability to manage growing digital complexity was, in fact, rated as a high-risk factor by almost four out of ten all respondents (39%).
The utility companies have voiced their concerns about the regulatory burden around cybersecurity which is unhelpful and unnecessarily bureaucratic. The punitive approach based on fines and penalties dissuades organisations from sharing best practices as no one wants to admit mishits because of the fear of getting penalised, which in turn is adding to the risk.
Vulnerability Management as a Service
According to a report by the National Cyber Security Centre of the UK, 81% of large companies report security breaches. And 60% breaches were because of unpatched vulnerabilities.
At Simplex, our Vulnerability Management as a Service, or VMaaS, aims to tackle this. VMaaS is a technology agnostic, automated, and context aware managed service that helps organisations achieve compliance through vulnerability scanning and delivers reports and insights about overall security posture. The average cost of security breach is £600k to £1.15 million. But apart from the business risks around loss of revenue, organisations also face loss of reputation.
You can download the brochure of our VMaaS offering from here, and get in touch for a complimentary, no-obligation advisory about your organisation’s security posture.
Photo by Robert Linder