BY Fraser Tennant
Understanding the cyber security challenges facing the power and utilities (P&U) sector and improving how businesses respond to them is the overarching theme of a new EY report published this week.
In EY’s ‘Creating trust in the digital world’ global information survey 2015, 1755 respondents from global P&U organisations provide insight into the most important cyber security issues facing the sector today – a sector currently undergoing major transformation due to the introduction of smart meters and data networks across the digital energy value chain.
Moreover, the onset of this digital energy value chain, what EY describes as the “attack surface” of P&U organisations, is expanding considerably, as is the sophistication and persistence of the cyber attacks being launched by cyber criminals.
Highlighting the main concerns of the P&U sector, the EY report reveals that 19 percent of P&U responders admit that they do not have an information security strategy; 46 percent point to a lack of executive awareness or support as a major obstacle to dealing with threats to cyber security; and 55 percent confirm that their organisation does not have a dedicated security operations centre (SOC).
In terms of how P&U organisations should manage a cyber attack, the report recommends that they first identify their key risk management principles and apply them to the cyber risk issue. Fundamentally, this means knowing their critical assets; making cyber risk more tangible; aligning cyber risk with existing risk frameworks; making cyber risk relevant to the business; and embedding risk appetite within investment decisions.
Furthermore, says EY, organisations should adopt a three-stage improvement process: (i) ‘Activate’ (establishing and improving cyber security foundations); (ii) ‘Adapt’ (adapting cyber security to changing requirements); and (iii) ‘Anticipate’ (predicting what is coming to be better prepared).
“P&U companies are rethinking their business models by being more innovative and offering a richer customer and employee experience through a variety of channels”, states the report. “However, there are significant cyber threats, and organisations need to recognise and understand the current challenges to get ahead of the cyber criminals.”
Although the EY report makes it clear that the P&U organisations are indeed making significant progress as far as tightening up their cyber security, the overriding message is that there remains considerable room for improvement across the sector.