Current cyberattack trends pose an unprecedented threat to critical infrastructure, such as electricity systems
Cyberattacks are on the increase in the electricity sector, yet IEA analysis indicates that utilities face serious difficulties in finding and retaining the skilled professionals needed to defend themselves.
As with most industries, utilities increasingly use digital technologies to better manage plants, grids, and business operations, which contributes to energy security by improving quality of supply, providing additional services to customers, and enabling clean energy transitions through the integration of distributed energy resources. However, this progress comes with risks. Digital systems, telecommunication equipment, and sensors throughout the grid increase utilities’ exposure, as each element provides an additional entry point for cybercriminal organisations.
Publicly available information on significant cybersecurity incidents is limited due to under-reporting and lack of detection. However, there is increasing evidence that cyberattacks on utilities have been growing rapidly since 2018, reaching alarmingly high levels in 2022 following Russia’s invasion of Ukraine. Recent cyberattacks in the electricity sector have disabled remote controls for wind farms, disrupted prepaid meters due to unavailable IT systems, and led to recurrent data breaches involving client names, addresses, bank account information and phone numbers. Worldwide, the average cost of a data breach hit a new record high in 2022, reaching USD 4.72 million in the energy sector.
Critical infrastructure, including gas, water and particularly power utilities, is a favoured target for malicious cyber activity. The chart below points out how these industries are in the spotlight.
Cyberattacks on power utilities often trigger sudden increases in demand for cybersecurity professionals
While electric power utilities across the globe already dedicate substantial budgets to cybersecurity - averaging 8% of total IT budgets in the United States and Canada - job posting data from major power utilities in the United States shows that cyberattack events trigger sudden increases in demand for cybersecurity professionals, suggesting a lack of long-term strategy or planning in the past. Smaller companies in the United States and others in developing economies could show similar behaviour in the future after suffering preventable attacks.
Is the energy sector prepared for cyber breaches?
An instant and endless supply of electricity is taken for granted in many parts of the world. The flick of a switch powers the work and family lives of billions of people.
But the energy systems that underpin entire economies are facing “an unprecedented threat” from cyberattacks, according to the International Energy Agency (IEA).
The true scale of cyberattacks on critical energy infrastructure is unknown, as some incidents go undetected or are not reported. However, data from the IEA shows a dramatic rise in the targeting of utilities including power, gas and water supplies. The number of weekly cyberattacks rose from 499 in 2022 to 1101 in 2022.
Stepping up digital defences
Industry research shows that utility companies are spending an average of 8% of their total IT budget on cybersecurity – but the number of attacks is outpacing spending. Perhaps the most critical weakness in the digital defences of power companies is a lack of skilled professionals to fill cybersecurity roles.
Across global industry as a whole, there are 3.4 million unfilled cybersecurity jobs, according to an analysis by cybersecurity experts Fortinet. This yawning skills gap is undermining efforts to counter cyberattacks.
This global skills gap requires a global solution across the energy ecosystem. The World Economic Forum’s Centre for Cybersecurity is convening leaders from industry, academia and civil society to collaborate on solutions. The Systems of Cyber Resilience: Electricity Initiative has helped bolster the cyber resilience of the global electricity infrastructure. This multistakeholder community will now serve as a global exchange platform for cybersecurity leaders in the electricity sector.
Getting smarter with cybersecurity recruitment
The IEA suggests power companies lack long-term strategies for hiring cybersecurity specialists and developing digital defence skills in-house. Instead, these companies operate reactively when perceived threat levels increase.
As the chart above shows, job postings for cybersecurity specialists in North America tend to rise sharply following major cyberattack incidents. Despite these recruitment surges, data shows the proportion of cybersecurity job postings by energy companies is falling behind other industries such as banking and finance.
The IEA also reports a salary gap between industries, stating, “available data for the United States, Canada and the United Kingdom suggests salaries offered by power utilities in cybersecurity job postings are among the lowest for the occupation”.
Closing the cybersecurity skills gap
The World Economic Forum’s Global Cybersecurity Outlook 2023 suggests pathways for increasing the talent pool of cybersecurity specialists. One solution is to democratize access to the industry.
The report says industry must “expand and promote inclusion and diversity efforts within cyber recruitment. Underrepresented groups in cybersecurity such as women, people of colour and those with informal educations have been continually discouraged from technical careers through societal expectations and perceptions of cybersecurity work culture”. The Forum has launched an initiative to raise C-suite awareness of the cybersecurity talent crisis and its implications, and to define strategies to strengthen the talent pipeline.
Secure power for a more secure world
The war in Ukraine has highlighted the extent to which the global economy is reliant on interconnected energy systems. With digital threats to these networks growing, the IEA is urging companies to adopt digital defence strategies as a core pillar of their operations.
“It is essential”, says the IEA, “that every power utility, big or small, includes cybersecurity as a core element of their business strategy and ensures access to in-house cybersecurity professionals and their skills, continuously updating them and ensuring talent retention”.




