Sector CIP Instruments - Electricity Sector
This page provides a comprehensive list of annotated resources for Critical Infrastructure Protection (CIP) specifically related to the electricity sector.
Integrating cyber resilience considerations into the electricity sector, in addition to focusing on reliability and safety, will contribute to achieving SDG7, which aims to ensure universal access to affordable, reliable, sustainable, and modern energy for all.
The electricity sector holds a crucial position as it not only depends on but also serves as critical infrastructure for other sectors. Below, you will find a summary of guidelines and practices relevant to the electricity sector.
Organization | Title | Year | Type | Description
International Energy Agency | Enhancing Cyber Resilience in Electricity Systems | 2021 | Report
The report (https://www.iea.org/reports/enhancing-cyber-resilience-in-electricity-system) offers practical guidance to energy policymakers and other stakeholders on increasing the cyber resilience of electricity systems. Using real-world examples, this report aims to address the following questions:
Electricity is an integral part of all modern economies, supporting a range of critical services including health care, the Internet, and transportation. The secure supply of electricity is thus of paramount importance. Digitalization is rapidly transforming the electricity system, bringing many benefits to businesses and consumers.
At the same time, increased connectivity and automation could raise risks to cybersecurity and the threat of cyberattacks.
A successful cyberattack could trigger the loss of control over devices and processes in electricity systems, in turn causing physical damage and widespread service disruption. Using real-world examples, this report offers guidance to policymakers, electric utilities, and other stakeholders on how policies and actions could enhance the cyber resilience of electricity systems.
United States Energy Association | The Electricity Sector Cybersecurity and Digitalization Handbook | 2021 | Handbook
Many companies are slow to acknowledge the risks of cybersecurity, often waiting until a cybersecurity incident causes a crisis, forcing them to act. However, it is a near-universal truth that the response to such a crisis will be cheaper and more effective if an organization has prepared for such an eventuality.
Utilities rely on operational technology (OT), the systems and devices that control the physical operation of delivering power to customers. Hackers may seek to access these cyber-physical devices and cause safety issues, interrupt service, and/or destroy physical assets; the likelihood of a successful attack depends, in part, on how the OT networks are built and managed. The potential threat to energy delivery elevates cybersecurity above a normal business concern to an issue of national interest.
This Electricity Sector Cybersecurity and Digitalization Handbook provides a comprehensive introduction to the cybersecurity threats, vulnerabilities, and risks that modern power sector utilities face. The Handbook also introduces potential solutions to these concerns. While the Handbook’s primary audience is utility staff, the information should also be relevant to energy sector regulators and government officials who are in a position to provide utilities in their regions with guidance, incentives, and funding to address cybersecurity.
National Association of Regulatory Utility Commissioners (NARUC) | Understanding Cybersecurity Maturity Models within the Context of Energy Regulation | 2020 | Training
Cybersecurity maturity models provide regulators with a means to measure the cybersecurity readiness of a utility and compare this level of preparedness against previous assessments, a target baseline, and other utilities.
National Association of Regulatory Utility Commissioners (NARUC) | Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators | 2020 | Guideline
“Evaluating the Prudency of Cybersecurity Investments: Guidelines for Energy Regulators” is a first-of-its-kind resource developed with funding support from the United States Agency for International Development (USAID) under the Energy and Infrastructure Division of the Bureau for Europe and Eurasia.
American Public Power Association | Public Power Cyber Incident Response Playbook | 2019 | Guideline
This material is based upon work supported by the Department of Energy. The Playbook was developed for mid-sized public power utilities to help them prepare a cyber incident response plan, prioritize their actions and engage the right people during cyber incident response, and coordinate messaging. The Playbook includes an outline for a cyber incident response plan and a process for response planning, and offers high-level procedures and templates that a utility can use to develop its response plan.
| Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards | 2019 | Principles and Guidance
The introduction of digital technologies has amplified the level of interconnectivity and introduced an additional dimension of risk, cyber risk, that all organizations within the ecosystem need to manage together. Increased power network connectivity, the convergence of operational technology (OT) and information technology (IT), the proliferation of Internet of Things (IoT) devices, and the digitization of business models are expanding the cyber-attack surface for malicious actors to exploit.
Each of the electricity principles is accompanied by guidance to enable board action. For boards, action means first asking the right questions. Therefore, this section provides a questionnaire to facilitate structured dialogue on the industry-specific cyber resilience principles between the Board and senior management.
Electricity organizations have interdependent relationships with numerous stakeholders that can span multiple degrees of separation from the organization. They rely on these relationships to provide business-critical components and services (everything from core operational assets and smart devices to on-site servicing).
Leaders must realize that their organizations are part of a larger “neighborhood” where cooperation on cyber resilience is essential between the members of that neighborhood, ranging from oversight bodies to suppliers, customers, and employees.
National Association of Regulatory Utility Commissioners (NARUC) | Eurasian Power Security | 2018 | Initiative
With support from the United States Agency for International Development (USAID), under the Energy and Infrastructure Division of the Bureau for Europe and Eurasia, the National Association of Regulatory Utility Commissioners (NARUC) launched the Europe and Eurasia Cybersecurity Initiative in December 2016 to provide the regulators of Armenia, Georgia, Moldova, and Ukraine with the tools and understanding to work with utilities and governmental agencies to effectively strengthen the cybersecurity and resilience of their respective energy sectors. In October 2018, USAID and NARUC expanded the scope of the initiative to include regulators from Southeast Europe, specifically Albania, Bosnia and Herzegovina, Kosovo, North Macedonia, Serbia, and Montenegro.
Through this initiative, USAID is helping to ensure the reliability of the power grid in the face of increasing cyberattacks in Europe and Eurasia. By supporting regulators to become cyber auditors through developing cybersecurity strategies, engaging with utility companies, setting benchmarks, and approving prudent cyber investments, USAID’s efforts enable energy regulators to take a leading role in overseeing the security and reliability of the power grid and advancing best practices that can be shared globally.
For cybersecurity, some of NARUC’s main focus areas include:
• Standards
• Cybersecurity Strategies
• Prudency of Investments
• Maturity Models
National Electric Sector Cybersecurity Organization Resource (NESCOR) | Electric Sector Failure Scenarios and Impact Analyses – Version 3.0 | 2015 |
The information about potential cyber security failure scenarios is intended to be useful to utilities for risk assessment, planning, procurement, training, tabletop exercises, and security testing. A cyber security failure scenario is a realistic event in which the failure to maintain confidentiality, integrity, and/or availability of sector cyber assets creates a negative impact on the generation, transmission, and/or delivery of power.
Impacts identified in the failure scenarios include loss of power, equipment damage, human casualties, revenue loss, violations of customer privacy, and loss of public confidence. Listed below are some potential impacts.
The failure scenarios, impacts, and mitigations were developed from a “bottom-up” rather than a top-down assessment of potential cyber security events. Their focus is on cyber security events; hence, they do not consider requirements that are outside this scope (e.g., a redundancy that supports reliability, general cyber-physical requirements such as range checking for values, etc.).