The power sector has been facing an unprecedented surge in cybersecurity threats, especially in the area of supply chain vulnerabilities. Erin Illman, a partner and chair of the energy cybersecurity and privacy team at Bradley Arant Boult Cummings, underscores a keystone concern. Unfortunately, too many entities continue to view cybersecurity as a bolt-on, rather than an integrated and foundational component of their strategic operations. This perspective is undermining the industry’s ability to proactively tackle the robust, sophisticated and evolving cyber threats the industry faces.
Joe Saunders, CEO of RunSafe Security, warns that geopolitical hybrid threats are becoming a top priority for the sector, and he fears they may increase dramatically over the next five years. Cyber threats faced by governments have increased by over 2.5 times over the last two years, which underscores the need for robust cybersecurity protections that are maintained continuously, not just in response to incidents.
Recent findings reveal an alarming reality. Almost half of cybersecurity incidents at American energy firms start with a third-party vendor. The trend is reflected worldwide, as 29% of all documented breaches originate with third-party vendors. Embedded software in controllers and sensors further compounds these vulnerabilities. Supply chain weaknesses, especially those involving our biggest adversary, China, can be fatal to our most vital systems.
Supply Chain Vulnerabilities and Third-Party Risks
The electric sector’s reliance on third-party vendors is a huge vulnerability. In fact, a recent report found that 67% of third-party breaches are attributable to software and IT vendors. This statistic highlights the need for companies to rethink their supply chain management strategies and cybersecurity practices.
Joe Saunders highlights the critical nature of this issue, stating, “Across the power sector, the greatest cyber risk sits in the software supply chain and the third-party components woven through both IT and OT environments.” Because operational technology (OT) and information technology (IT) are now tightly connected, a compromise in one can reach the other, and companies must enforce robust cybersecurity strategies across both.
Illman goes on to explain that organizations should change the way they think about cybersecurity. She argues that cyber risk should be included in enterprise risk management and treated as a business continuity challenge and a core business issue.
“To address cyber threats, companies in the power sector must shift from a purely technical or compliance-driven approach to a strategic, business-level posture.” – Erin Illman
The vulnerabilities go further than third-party risks. Smart meters and advanced metering infrastructure are also at risk, and as these technologies become more widely adopted, they become new vectors for attack.
The Rise of AI-Driven Cyberattacks
In recent months, AI-driven cyberattacks have become the latest, and one of the most daunting, threats to the power sector. Federal CIO Joe Saunders has said that these attacks are among the top threats on the cyber horizon today. What makes them more dangerous, he warns, is that AI allows attackers to create exploits faster than operators can patch vulnerabilities.
As Saunders asserts, “This is a strategic response that’s required based on the pace of change in attack techniques.” He proposes employing AI and other security technologies to create a paradigm shift in defense, a proactive approach intended to keep organizations one step ahead of evolving threats.
“To counter new AI-driven cyberattacks, we also need to use AI and other security protections to create an asymmetric shift in defence, giving operators the upper hand even as threat actors move more quickly.” – Joe Saunders
The emergence of AI-driven malware further complicates longstanding cybersecurity challenges. Erin Illman also points to the long-term risks that quantum computing creates, which require proactive work now if they are to be avoided. As threats continue to grow, the power sector will need to foster a culture of vigilance and adaptability.
“In an era defined by AI and looming quantum disruption, a culture of vigilance, adaptability, and shared responsibility is one of the most powerful defences the power sector can cultivate.” – Erin Illman
Priorities for Strengthening Cybersecurity
Industry leaders continue to echo the need for greater information sharing and cooperation between organizations. This kind of cooperation is critical for improving resilience to, and protection against, cyberattacks.
Workforce development is another of CISA’s priorities: building a diverse and highly skilled cybersecurity workforce. In the digital revolution, the power sector is in stiff competition with technology behemoths for emerging tech talent, and the demand for trained talent is more critical than ever as businesses seek to strengthen their security postures.
Abbie Badcock-Broe emphasizes the importance of maintaining and testing cybersecurity measures routinely. She insists that enterprises must remain constantly vigilant, agile and ready. This will take serious, sustained investment in people, process and technology, followed by constant upkeep so that controls are perpetually tested and practised until they are second nature.
As power systems increasingly face threats of attack, it is crucial that agencies understand the human factors that still lead to vulnerabilities. Phishing and baiting remain the most frequently used tactics in an adversary’s toolkit, spotlighting the necessity of employee training.
“Cyber threats have more than doubled in the past two years, and grids are being targeted. Disrupting the grid can plunge entire cities into darkness, making this a critical issue.” – Shubbhronil Roy