Boosting Data Security in the Utilities Sector: Why Energy Data is Now at Risk
- Apr 20, 2022 12:44 pm GMT
Data has become a critical component of the Utilities Sector. But as data becomes more valuable to utilities, Data Security is now at the top of the agenda. And as grids become smarter, energy models become more distributed and flexibility becomes a day-to-day part of balancing the grid, the role of data is only going to become more important.
A data breach can be costly, both financially and reputationally and it has a knock-on effect on trust both with customers and energy sector partners.
Unfortunately, it is not only energy sector professionals that understand the value of energy data. Cybercriminals have noticed this too. This has made utilities prime targets for attacks. Keeping data secure, whether it’s being stored in a Data Lake or shared with energy sector partners, must be a priority.
Visibility of energy data is key. The ability to map and track data helps utilities to keep their data secure and enables them to uncover any potential breaches as quickly as possible.
A modern integrated Platform as a Service (iPaaS) solution that can monitor and handle data securely in a distributed architecture makes an enormous difference.
A Utilities Sector Data Breach: What are the Costs?
In IBM’s annual cost of a data breach report in 2021 the average cost of a data breach from those surveyed was $4.24 m. The chart below shows how these costs are incurred.
In today’s digital and connected environment the chances are high that a breach will occur. As utilities consider information and cyber security it is important for them to not only think about the cost of a data breach, but also what will be permanently lost because of that breach. For utilities this means the loss of man hours, the loss of information, intellectual property, and more.
In the utilities sector, other factors must also be considered:
1. It’s a highly regulated industry
Breaches in more regulated industries are usually more costly. In the energy sector, the cost of a breach is slightly higher than average at $4.65m
2. Additional costs of a cyberattack
Costs associated with ransomware or cyberattacks soon escalate. Colonial Pipeline paid a reported $4.4m to its attackers (although some of this was later recovered)
3. The length of time to discover a breach
The longer it takes to identify and contain a breach, the costlier it becomes. It took an average of 287 days to identify and contain a breach in 2021.
4. Fines and legal costs
Data breaches may incur fines from regulatory bodies such as those that come under the EU’s General Data Protection Regulations (GDPR). In the US there is move towards Data Privacy class action cases. US investment bank, Morgan Stanley recently agreed to pay $60 million to settle a class-action lawsuit following incidents that left customer data exposed.
5. Reputational Damage
It’s hard to convert reputational damage into an exact monetary value, but its impact can be severe. In the utilities sector it’s not always easy for customers to take their business elsewhere if their personal information has been stolen or breached. However, now more than ever before, consumers are an important part of the energy system. Their data and co-operation are vital in the effective management of flexibility markets or time-of-use tariffs. A knock in consumer confidence could have a devastating impact on these services.
The Relationship between Data Breaches and Cyberattacks
Cyberattacks are not the only cause of data breaches. Human error (ever sent an email to the wrong person?) and physical breaches such as theft also play a part. But recent statistics from the US’ Identity Theft Resource Center show that human error and physical breaches have reduced over the last two years. Breaches caused by cyberattacks are by far the most common reason for a data breach and these have been increasing since 2019.
Cybercriminals understand that data has become a valuable commodity, critical to businesses operations. In one new tactic, ransomware gangs are using ‘double extortion’ where ransomware is combined with data theft. The gang not only encrypts files (as with ‘traditional’ ransomware) but threatens to publish or sell sensitive information unless the ransom is paid. Paying a ransom is no guarantee of Data Security – the information may be published anyway.
Data is going to be breached. Accidents happen and hackers are persistent. In this environment, preparation is key. Visibility of data enables utilities to better handle the situation and recover quickly.
The Utilities Sector: A Vulnerable Target
2021 was the year that cyberattacks became headline news. A series of incidents affecting large enterprises, including those in the utilities sector, were reported one after the other. But it was the ransomware attack on Colonial Pipeline that captured the attention of the media, as gas stations ran dry and panic buying set in. The event highlighted the impact an attack on critical infrastructure could deliver to people’s everyday lives.
Yet it was by no means the only attack on utilities in 2021. The utilities sector was the second most targeted industry by cybercriminals (after financial institutions). A series of attacks targeting US water treatment plants in 2021 illustrates just how vulnerable utilities are. An attack on a utility and holding utility data hostage gives cybercriminals enormous leverage.
Data Breaches and Digital Transformation
The future energy landscape is digitalized. Smart grids, smart meters, grid-edge innovation, and distributed energy resources are all vital ingredients of this fast-developing model.
But they also increase the number of potential points for a data breach to occur. Every IoT device and sensor, every solar installation, windfarm or microgrid is a potential vulnerability for cybercriminals to target.
As the shift to the distributed energy system continues, data sharing between all participants in the energy ecosystem is critical to a balanced grid and the smooth running of the system. In these circumstances, data must be secure whether it’s in use, in rest or in motion. Proper encryption of data in motion, a ‘Zero-Trust’ approach to data in use and constant monitoring of data at rest are key.
In fact, the data transparency that’s necessary for flexibility services can also improve Data Security in utilities. The visibility of data that’s required for data sharing helps utilities to rapidly spot any data breaches.
Protecting Operational Technology (OT) in the Utility Sector
According to recent research, threat actors divulged sensitive data from operational technology (OT) environments in one in seven leaks targeting industrial organizations. Yet as smart grids and digital twins become more common, IT/OT integration is a growing trend as insights from real-time data become vital. Data Security is a priority in these circumstances.
To protect data, utilities must encrypt data using protected tunnels, such as a unidirectional security gateway for OT/IT integration, HTTPS, SSL/Transport Layer Security, or a dedicated VPN. Some leading iPaaS providers leverages data diodes (or "unidirectional security gateway") to ensure energy data can be exchanged seamlessly and securely between OT and IT systems.
Boosting Data Security in Utilities. Reducing the Cost of a Data Breach.
In today’s energy environment, where data is both more important and more at risk, what steps can utilities take to boost their Data Security?
A recent joint alert by US, UK and Australian cybersecurity agencies gives critical infrastructure organizations advice on how to protect themselves and their data against Ransomware. It’s well worth taking a look at the full list of guidelines, but they include:
- Implementing user training to raise awareness of the risks of suspicious links
- Zero Trust combined with Least Privilege
- Employee training in password security
- Reducing credential exposure
- Documenting external remote connections
Data breaches are costly. Rapidly discovering a breach and having a plan in place to recover and deal with the situation will reduce the impact of an attack and the associated costs.
For utilities, visibility of data is key to Data Security. Siloed data, hidden data, ‘dark data’ all put Data Security at risk. You cannot secure what you cannot see…or don’t even know exists.
This is why having a modern iPaaS solution that is ISO/EIC 27001:2017 certified, manages and handles data securely and monitors data around the clock can boost Data Security. Utilities have visibility of their expanding attack surfaces, including distribution systems, IoT sensors, communications networks and more.
A modern iPaaS makes it easier for an organization to track its own data from device to cloud storage. Further, with the use of a data lake, all data that is collected can be retrieved conveniently for use. The integration of data systems helps prevent the leakage of data by avoiding data silos and avoiding the need to copy data on multiple systems. Data can be mapped and tracked from the source of the data through every point to the destination. The ability to track your own data helps you to protect that data effectively.
No discussions yet. Start a discussion below.
Get Published - Build a Following
The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.
If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.