Recommendations for Maintaining Utility Cybersecurity in the Time of COVID-19

Energy is fundamental to health security, national security, and democracy. Utility companies around the world are on the front lines of the current pandemic, taking extraordinary steps to keep power flowing to hospitals, homes and other critical services.

Unfortunately, the COVID-19 crisis has presented a growing number of challenges to utility business continuity just at the time when customers are counting on them the most: supply chains are strained; revenue is declining; and—in Eastern Europe—misinformation campaigns by malign actors are inhibiting communication with the staff of utilities and their customers. 

The COVID-19 pandemic is creating opportunities for cyber attackers as utilities transition to remote work environments. Cyber security experts estimate utilities have experienced a fourfold increase in attacks on their assets since the onset of the pandemic.   

In a recent webinar sponsored by the Energy Technology and Governance Program of the United States Agency for International Development (USAID) and the United States Energy Association (USEA) in cooperation with the Edison Electric Institute, leaders and experts from the American energy and cybersecurity industries offered the following recommendations for utilities to consider to protect themselves from the rising threat of attack:

  • Understand the anatomy of an attack to better build up defense:
    • Stage 1: a traditional IT (information technology) attack, e.g. phishing, to gain information on industrial control systems
    • Stage 2: OT (operational technology) attack on the industrial control system itself

  • Ensure operators are trained to identify attacks that may not reveal themselves as cyber intrusions but instead appear routine, such as assets being put into a maintenance status. At a minimum, ensure operators know who to call when they encounter the unexpected.

  • Have pre-identified, cross-functional incident response teams in place. Convene those teams as often as necessary to assess risk, review new information, and respond to threats.

  • Rely on learning from past training exercises, and plan to participate in future simulations and exercises.

  • Provide staff training and review access requirements for the new behaviors, protocols, and workflows you have put into place during this critical time. Consider secure plans for remote training; review remote access requirements; build training and access controls for new and temporary employees.

  • Keep up to date on current threats. Cyber attackers are using COVID-19 themes and relevant social topics to trick staff and customers during this vulnerable time.

  • Review or revise VPN connections and end-point security for a remote workforce.

  • Be aware of risks in your system supply chains. Many components of power systems are sourced internationally, including from adversarial nations. Know the source of your system’s critical components.

  • Don’t drop your guard as operations slowly return to a normal state. As utilities scale down working-from-home arrangements and resume standard shift and team schedules, they expand the potential attack surface and increase the number of vulnerabilities.

  • Maintain an accurate asset inventory: know which assets are deployed on your network and where they are located, to serve business continuity and cyber security imperatives.

  • Consider using a cyber security assessment tool to understand your baseline performance and where you might strengthen security measures.