Keeping the Lights On: Reducing the likelihood of cyberattacks in the utility energy sector

By Tom Miller, ClearForce GRC

The services that make up the energy sector are vital to America’s function and progress. Virtually every aspect of daily life relies on the uninterrupted availability and flow of energy, whether electricity, water, or natural gas.

At the same time, this reliance makes the energy sector a prime target for malicious actors and cybercriminals looking to exploit the necessity of its supply chain. The sector is at the forefront of the Department of Energy’s radar: the Department recently unveiled the National Cyber-Informed Engineering Strategy to strengthen cyber resilience so that energy systems can better withstand attacks.

In the private sector, companies that do not sufficiently prepare to counter these growing threats face mounting risks, and the consequences can be devastating. A survey of 1,700 utility companies found that 56 percent had experienced data loss or at least one operational shutdown due to cyberattacks in the last 12 months. In 2018, a critical water utility company in North Carolina was the target of a cyberattack while it was still reeling from the impact of Hurricane Florence. In late 2021, a small utility company in Colorado was the victim of a suspected ransomware attack that wiped out 90 percent of its internal network functions and corrupted a large portion of its data.

Cybercriminals routinely look for weakened entry points through which to infiltrate their targeted company and carry out their attack. Unfortunately, these entry points can sometimes be employees whose organizational knowledge and access are used, knowingly or unknowingly, against their employer.

Furthermore, unethical use of data does not always take the form of a malicious outside cyberattack. Breaches are often enabled by individuals who are struggling financially or personally and act to relieve their circumstances. Understanding and mitigating the potential risks that can arise from a poorly managed or otherwise compromised workforce is known as human capital risk management. It is an essential but often overlooked form of workplace management, and it deserves a place in any discussion of an energy company’s goals and strategic priorities.

Being able to identify employee-related risks allows energy sector business leaders to intervene and address those risks with the employee before they snowball into something that could seriously compromise the integrity of the organization. Turning a blind eye, or having no visibility into these concerns, puts a company at greater risk of a security breach, regulatory noncompliance, revenue loss, legal liability, or reputational harm.

The intersection of cybersecurity, compliance, and safety within the energy industry is crucial. Organizations often manage each issue independently and have separate policies in place for each; however, the behavior of a single individual can create risks in all of these categories. For instance, the same distracted individual going through tough financial or personal circumstances can create both cyber risk and workplace safety issues. To account for every overlapping risk scenario in the workplace, automated controls should be implemented to ensure policies are being followed. Organizations, especially in the at-risk energy sector, need to move past manual, ad-hoc reporting processes and put proactive measures in place that go beyond intermittent background checks.

In this dynamic environment of evolving threats, the energy sector and utility companies must not only use every tool at their disposal to guard against increasingly savvy and intelligent cyberattacks, but also understand how to synchronize technology, company policy, and best practices into an integrated solution. The key to a successful integrated solution is timely internal communication and documentation, together with an active risk mindset.

ClearForce is a proud supporter of The Cyber Guild’s mission to engage and inform policymakers, practitioners, and professionals about forward-leaning ideas and good practices in the cybersecurity space for a more secure world. The overarching focus of The Cyber Guild’s mission is to form a powerful coalition among those who share the common goal of establishing a sustainable and more diverse cyber workforce.

Tom Miller is co-founder and CEO of ClearForce, a cyber and employee risk management company based in Vienna, VA. Tom has more than 25 years of analytic and risk management experience, having consulted for many of the top U.S. banks, published numerous articles, and presented at industry events and conferences on topics related to risk management, insider threats, and the application of analytic technology and policy.