How power and utility CISOs can adapt to enable a digital future

Cyber criminals are targeting the P&U sector, which has been made more vulnerable by COVID-19 disruption, according to a recent EY survey.

Cyber funding is falling short of requirements

P&U cybersecurity leaders are struggling to secure the resources they need. One in two (50%) flag that they are working with budgets that are insufficient to manage the cybersecurity challenges that have emerged over the past 12 months. A more modest 42% of leaders in other sectors, on average, share the same concern.

The issue is not that finance and the executive team underestimate the importance of cybersecurity. “Boards do now understand that cybersecurity is a key risk, but that does not necessarily translate into them releasing additional budget,” says Kris Lovejoy, EY Global Consulting Cybersecurity Leader. “Partly that is because there has been a failure from some heads of security to articulate clearly how to deal with the increased cybersecurity risk.”

Today, P&U respondents are searching for savings and making difficult decisions. Among those who say their budget is insufficient for their needs, 55% say they have been forced to review legacy architectures and identify cost-reduction opportunities, and half (49%) have scaled back their innovation activities to focus on nonstrategic tasks (see figure 1).

The result is deep consternation: nearly half (43%) of P&U cybersecurity leaders believe it is only a matter of time before their organization suffers a major breach that could have been avoided if they had received additional investment. This proportion is higher than in the other sectors surveyed where, on average, 37% of leaders believe that underfunding is making a breach inevitable.

Cybersecurity teams are viewed as opponents rather than partners

One unwelcome irony for P&U CISOs is that the more they are underfunded, the more they are held to account. Over half (59%) of P&U respondents say that cybersecurity is coming under more scrutiny than ever before.

A simple explanation for this could be that the business lacks faith in the function’s abilities, regardless of the level of budget it receives. Just 45% of P&U respondents believe their executive management team would describe cybersecurity as "protecting the enterprise." Whereas in other sectors, an average of 61% are confident they would get this endorsement.

Part of the problem could be that cybersecurity is rarely seen as a strategic partner. Fewer than half (46%) of respondents in the sector are confident in the cybersecurity team’s ability to speak the same language as peers in the business. Just 31% believe they are seen as supporters of innovation.

The lack of engagement between cybersecurity teams and key functions, e.g., HR, product development and R&D, is evident in the weakness of their relationship. Just 12% describe their relationship with product development and R&D as one of high trust and consultation; the figure falls to 7% when it comes to their interactions with business lines, which would include critical partners such as logistics, engineering and production.

In the absence of strong ties with the business, there is likely to be little understanding of how cybersecurity could play a positive role in the transformation or digitization of operational technology (OT). And, in an environment where budgets are tight, boards are prioritizing functions where there is a clear route from investment to added value.

The adversary is stronger and more unpredictable

P&U companies are facing a more extensive and sophisticated threat than in the past. Most respondents tell us that they have seen a rise in the number of disruptive attacks in the last year (see figure 3), and 40% warn that hackers are consistently experimenting with new strategies, such as targeting weak links in the supply chain, that may override the security systems in place.

The rise in attacks can be partly explained by pandemic disruption. The World Economic Forum has, for example, warned that attackers are specifically targeting the P&U sector because they believe it is newly vulnerable due to COVID-19 impacts, such as the move to remote working.

Another challenge is that the sector has embarked on a massive digital transformation journey in recent years, with P&U companies connecting their IT with OT to modernize infrastructure and control their plants and networks. As Clinton Firth, EY Global Cybersecurity Lead, Energy, explains: “Digital transformation creates powerful new opportunities but, as the different environments merge, the attack surface area increases. That is causing a lot of stress.”

Prepare how to respond across a growing footprint

P&U businesses face a sector-specific challenge in protecting IT and OT as these systems converge. But many P&U CISOs are also worried about vulnerabilities from their organization’s procurement activities: 44% say they are making it a top priority to fix new vulnerabilities in the supply chain. Remote working is another issue, with 43% of P&U cybersecurity leaders prioritizing measures to address risk introduced by changes forced upon them by COVID-19.

The sector is an attractive target because of the impact that an attack has on society. In this way, sophisticated, state-sponsored actors are targeting the sector, and the cybersecurity function will struggle to compete with adversaries such as these. CISOs need to assume that their organizations will be attacked, and be sure to have a well-rehearsed incident response plan involving the supply chain before the attack happens.

Today, hackers are exploiting the sector’s vulnerabilities more than ever before – and CISOs should assume that the rate of attack will only increase. If they can overcome the barriers they face around security by design, CISOs can not only minimize the disruption of these attacks but also build a reputation as strategic enablers of digitization.