Dive Brief:

• A new report from Deloitte concludes three primary factions are responsible for growing utility cybersecurity risks: nation states, organized crime and disgruntled employees.
• The energy sector made up 20% of cyber incidents reported in 2016, the consulting firm said, and they are only getting more persistent and sophisticated. Hackers are beginning to target industrial control systems more frequently, blurring the line between physical and cyber attacks. 
• As the grid becomes more connected it is opening new lines of attack, according to many security experts. Deloitte's new report identifies grid modernization as a "potential cyber vulnerability."

Dive Insight:

It's no wonder, that almost half of power and utility CEOs think a cyber attack is inevitable: the industry is quickly trending toward cloud-based energy management and distributed resources, both of which experts say represent a growing vulnerability.

"The system is gaining complexity and the number of access points is rising," Deloitte warned, increasing "the number of routes hackers can exploit to enter utility systems."

There are an estimated 25 billion devices connected to the worldwide Internet of Things, and IHS Markit believes that number could reach 125 billion by 2030. But just as technology introduced the vulnerability, Deloitte says it is also the solution.

"Technological innovation and analytics should drive every electric power company's cybersecurity strategy,"  Paul Zonneveld, Deloitte's global energy and resources risk advisory leader, said in a statement. "New tools are increasingly available, and the capability to monitor networks in real time, discover threats, and address them is advancing rapidly."

Deloitte identified three main areas where utilities can take steps to combat cyber risks:

• Mapping infrastructure assets and evaluating vulnerabilities and the maturity of the control environment. Companies should "build a framework for protecting critical assets" that relies on people, processes and technology, the report suggests. 
• Evaluate suppliers' security processes: Utilities must engage with the supply chain procurement function and understand suppliers' cybersecurity processes.
• Deloitte said utilities must engage with industry peers and government agencies, exchanging threat intelligence with peers and testing new technologies.

Experts say the growing focus on ICS vulnerabilities means vendors will play an essential role in protecting critical operations, but it is not clear utilities are fully engaged on this front. The North American Electric Reliability Corp. holds a simulation every two years to test and improve utility responses, and during the last iteration none of the participating utilities turned to vendors for help or information.

"A first step for utilities to reduce supply chain cyber risk would be to start on complying" with NERC's Critical Infrastructure Protection mandates on supply-chain risk, Brian Murrell, Deloitte's U.S. advisory power and utilities leader, told Utility Dive.

"Utilities can develop plans to ensure resiliency in the event of a cyberattack, and those plans should include responding to attacks via the supply chain," Murrell said. "The important thing is to have a plan in place and be ready for supply chain disruptions."

That is particularly important as Deloitte finds internal threats and disgruntled employees to be a major threat for utilities — alongside nation states and organized crime, which the firm said in some regions may be merging in order for governments to "ensure deniability."

Internal threats, due to human error, disgruntled employees or contractors, "have typically been one of the most common threats," the report concluded.