Utilities are fighting in the dark against fast-changing cyber threats. Defence strategies need to adapt.
The threat of cyber attack once again topped the list of strategic risks facing energy and water companies in the newly published UK Utilities Risk Report 2024 – a research initiative conducted by Utility Week in association with Marsh McLennan.
It’s reassuring to see that the seriousness and immediacy of this risk are recognised by utilities. As global geopolitical tensions heighten, activism continues to rise and utilities strive to embrace the benefits of smart technology and integration of information systems, both the likelihood and potential impact of cyber breaches are escalating.
What is worrying, though, is that many utilities feel ill-equipped to manage or mitigate these threats. They are also unprepared for the ways in which they may change as a result of emerging technologies, according to sector leaders who attended a launch event for the UK Utilities Risk Report 2024 at the House of Commons.
There, executives and directors representing energy and water companies expressed anxiety about their limited abilities to identify and understand the motivations or affiliations of bad actors. And while companies are making large investments to enhance cyber resilience and defence, one policy leader warned “Quantum computing will blow defences sky high” when it comes of age – it’s a fast-developing technology area which is under close watch for its potential by bodies like the Digital Catapult.
There’s no doubt that a big part of fighting cyber threats comes down to reliance on highly skilled specialists and the use of sophisticated technologies and counter-measures. But in a world where cyber attacks are now ubiquitous – government figures estimate 2.39 million UK companies were attacked in 2023 – relying on the virtual cloak-and-dagger actions of niche experts is unsustainable.
In part, noted several members of our group, this is because growing these teams to reflect the mounting scale of threat would be far too costly – notwithstanding the potential for cyber attacks to bring catastrophic impacts for companies.
But another consideration is that it can lead to undue complacency or deferral of responsibility. There has been “too much dependence that somewhere someone is doing something in the background to keep us safe”, commented one energy network director.
To improve resilience and agility in responding to changing threats, two key points emerged. Firstly, our leaders agreed there is a new need for a “culture of cyber safety” to be established across the sector which emulates the high levels of attention paid to protecting staff and the public from any physical harm relating to utilities assets.
Secondly, there needs to be a change in attitudes around sharing lessons from cyber incidents after they occur. It was generally agreed that cyber breaches will occur sooner or later. To help improve the agility of company responses and limit the impact of these inevitable incidents, there needs to be increased readiness to leverage experience as a defensive tool.
These thoughts echo and build on contributions made by industry leaders in the UK Utilities Risk Report 2024 itself, which also covers findings around the heightened policy, supply chain and climate change-related risks facing utilities over the next 5-10 years.
The report is now available to download in full.