Utility Sector at Critical Mass to Build Resilience Against Cyber Risk

Everyday Life Depends on Invisible Infrastructure
Many of us don’t fully realise how critical the services are that enable us to do simple things like taking a shower before getting ready for work, pouring ourselves a glass of cold water from the kitchen tap, turning on the heater on a chilly evening, or making dinner on the stove. With this dependence comes the growing importance of utility cybersecurity solutions, as these vital systems increasingly become targets for sophisticated cyberattacks.
Why Utilities Are Now Prime Targets for Cyberattacks
Utilities like sanitation, electricity production, and water supply are often taken for granted, despite the fact that they provide us with vital infrastructure that allows us access to clean water, heat, and light, and are a key driver in our economic and social development.
The Cybersecurity and Infrastructure Security Agency (CISA) in the United States also identifies these utility sectors as critical infrastructure. CISA defines critical infrastructure as assets and systems so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. This designation underscores the national importance of protecting these sectors from cyber threats. You can find more information on CISA’s critical infrastructure sectors on their official website, including resources related to specific sectors like energy and water.
This concept of critical infrastructure protection extends beyond the U.S. Many countries have their own Computer Emergency Response Teams (CERTs) or similar agencies that also recognize the vital role of utility sectors. These organizations, such as the NCSC in the UK or ENISA in the EU, often have their own frameworks and definitions for critical infrastructure, but they share the fundamental understanding that disruptions to utilities can have severe national and societal consequences. These agencies work to protect these essential services from cyber threats, often collaborating internationally to address the global nature of cybersecurity challenges.
Real-World Cyber Incidents Prove the Risk
Today, the utility cybersecurity landscape faces significant risk as cyber criminals increasingly target infrastructure critical to economies and cyber threats continue to become more sophisticated. In fact, Moody’s Investors Service’s recently updated cyber heat map found that critical infrastructure sectors such as electric, gas, and water utilities were at the highest risk of cyber threats overall due to the critical nature of their capital-intensive and long-lived assets and services, their growing reliance on digitalisation, and improvements needed for selected cyber practices relative to other sectors. The sector was specifically found to have high exposure to cyber risk as a result of its high level of interconnectivity with other industries, less developed mitigation practices, and its reliance on less advanced cyber risk mitigation strategies, including less developed perimeter vulnerability management programs and less advanced cyber risk management practices.
The Rising Cost of Breaches in the Utility Sector
We’ve seen just how damaging the exploitation of vulnerabilities within utilities can be through a number of recent high-profile incidents. These include the ransomware attack in 2021 on the largest petroleum pipeline in the United States, which cut off gas supply across the East Coast, and the attack in 2020 on one of the largest energy providers in Europe, which resulted in the theft of sensitive customer information and employee credentials. Even more troublingly, hackers attempted to poison the water supply of a small water treatment plant in Florida last year by manipulating the chemical feed system to increase sodium hydroxide dosages to dangerously high levels. The attempt failed only because an employee realised the system was being manipulated and stopped the threat.
Building Cyber Resilience Is No Longer Optional
According to a report last year, the average cost of a data breach in the utility sector is $4.65 million. As 60% of businesses have raised their costs post-breach, it stands to reason that the cost of a breach within the utility sector would most likely be passed on to everyday consumers.
As such, it should be a top priority for utility companies to get to grips with their security, especially in the UK at a time when consumers are already facing huge costs and do not need to be lumbered with the extra costs of a cybersecurity breach.
How Vulnerability Management Strengthens Utility Cybersecurity
As utility companies continue to shift and change to adapt to the Fourth Industrial Revolution in a constantly evolving and increasingly complex threat environment, gaining a better view of the areas in which they are most vulnerable has never been more important. This is particularly true if they want to protect mission-critical applications whose breach could adversely impact delivering utility services.
According to a recent security report, at least 67% of utility sector applications have at least one serious exploitable vulnerability open throughout the year. However, with the right vulnerability management measures in place, utility companies can identify vulnerabilities within a system, application, or even at a code level in a timely manner, and gain greater visibility of systems and interconnectivity to understand how risk in one asset could have a knock-on effect on others.
Taking a Proactive Approach to Utility Cybersecurity
This helps to enhance the overall security posture of an organisation by enabling utilities to prioritise and allocate their resources and efforts in response to cyber threats more effectively, preventing access to critical infrastructure before malicious activity can even occur.
Let’s look at it in a simpler way. We can use one of the greatest and most influential film series ever made, the Lord of the Rings, as an example. At one point in the movie, the evil orcs attack the human fortress of Helm’s Deep which had never been breached before. However, an outsider knew that the wall of the fortress held a weakness that was a little bigger than a drain and exploited that weakness, nearly overwhelming the fortress’ defences. Now, imagine if the human soldiers had a tool that could provide them with the knowledge of that vulnerability. Not only would they have been able to restructure their defences to protect the most vulnerable areas in the fort, but the statement that Helm’s Deep had never been breached might have held true.
This is how vulnerability management can help utilities to cover their most critical assets, by helping to identify, understand and act on risk. Vulnerability management is a continuous cybersecurity process that includes identifying, evaluating, treating, and reporting software and network vulnerabilities. Properly monitoring and responding to pressing, complex issues are essential components of vulnerability management and information security as a whole.
Because the utility sector is so crucial in providing us with the vital infrastructure that we’d find it hard to live without, the sector needs to shift away from a reactive response to cyber threats that have already happened and move to a more proactive approach, one that identifies where malicious actors could possibly gain access for an attack and reduces the sector’s vulnerability to cyber threats. Protecting critical infrastructure is simply too important to lag behind.
Secure Your Utility Infrastructure with Onapsis
Want to understand how to protect your critical infrastructure from today’s escalating cyber threats? Contact Onapsis, the leader in SAP and utility cybersecurity, to learn how we help secure the utility sector.
Frequently Asked Questions
- What are the top cybersecurity risks for utility companies?
Utility companies face growing risks from ransomware, data breaches, and exploitation of misconfigured or unpatched systems. Their critical infrastructure and reliance on legacy applications make them prime targets for sophisticated threat actors.
- How does vulnerability management help improve utility cybersecurity?
Vulnerability management enables utilities to proactively identify, prioritize, and remediate weaknesses across applications, systems, and networks. This reduces the attack surface and supports stronger compliance and risk mitigation efforts.
- Why is SAP security important for the utility sector?
Many utilities rely on SAP applications to manage core functions like billing, asset management, and service delivery. Weak SAP security can result in operational disruptions, data theft, and financial loss, making it a priority for utility CISOs.
- How can utility companies get started with improving their cybersecurity posture?
A strong first step is to evaluate existing security gaps and align internal teams around shared security responsibilities. Onapsis offers purpose-built solutions to help utilities secure SAP environments, detect vulnerabilities, and respond to threats in real time.