The utilities sector, as with virtually every other industry, is undergoing thorough technical disruption. Advancements in analytics and end-user technologies offer a world of opportunities for utility companies—and all this before 5G connectivity goes mainstream.
But as new technology provides business opportunities, it also opens up a new world of risks, often unmanaged in more traditional businesses such as utilities.
The adoption of more connective technologies—especially those that are closer to the end-user in the distribution chain, such as smart meters—creates more avenues for sophisticated cyberattacks. A recent survey of utility companies from Siemens and the Ponemon Institute notes that cyber risk “is worsening, with potential for severe financial, environmental, and infrastructure damage.” Moreover, when it comes to protecting themselves, industry players tend to be unprepared, or even myopic. The World Economic Forum highlighted this lack of preparedness in its 2019 report, stating, “…security of the Internet of Things was paramount to the success of Industry 4.0.”
A digitized, consumer-driven grid is certainly the future of utilities, but companies have no choice but to prepare for the increased potential for exploitation. Cybersecurity, then, should be one of the key pillars to consider ahead of these digital transformation initiatives.
Getting Ahead of Cyber Threats
Regulators have tried to keep pace with these changes as quickly as providers have. For example, the U.S. Department of Energy has already released its ES-C2M2 guidelines to help find a common starting point for utility companies. For almost two decades, utilities have had to comply with the Critical Infrastructure Information Act, but new regulation significantly increases the burden of compliance focused on the new edge devices. Senate Bill 327, specific to California, sits alongside the new California Consumer Privacy Act (CCPA), while Senate Bill 734 amplifies the NIST 800-82 standard with the Cyber Security Framework to enshrine the need for security and privacy by design.
This regulation hints at one of the larger challenges of addressing cybersecurity in the utilities sector: digitalization has created a need to horizontally align a vast array of connected devices—many of which are outside utility companies’ control—under one security framework. Providers must account for the entire connected utilities value chain, from power generators to smart refrigerators, all with no clear accountability for owning the cybersecurity and compliance burden. The question remains: where does the handshake take place between the device manufacturer and the utilities provider?
To address these risks in the most efficient way possible, utility companies can start by measuring their competence in these key focus areas:
1. Securing smart meters.
Even with all their potential benefits, smart meters make for a particularly vulnerable asset because they’re a primary touchpoint between consumer and provider. There’s currently no industry-wide standard for smart meter security, so every utility company must take its cybersecurity infrastructure into account while drafting a plan to make these devices as secure as possible. As a result, adherence to new IoT security regulations often occurs in a disjointed and individualistic manner. This process bears no resemblance to that of other leading economies, where industry-wide agreements ensure a standardized and unified approach to an industry-wide problem.
2. Bringing consumers into the fold.
Another major disruptor in the digitalized utilities industry is more consumer-generated power production. As end-user generation devices such as solar panels become increasingly integrated into the grid, they’ll need to be secured, as well.
Utility companies should deliver clear standards and pursue collaboration with customers to ensure all potential entry points to the grid are secure. In doing so, utility companies will also have to consider the end-to-end responsibility for security management. For example, the individual households installing these devices are unlikely to deploy adequate security controls to meet enterprise demands. Therefore, overlay security solutions will be required to protect enterprise-managed assets.
3. Staying up-to-date on information technology security.
While preventing new cyber threats is critical, focus shouldn’t move away from current risks. Utility companies should make sure IT infrastructures have the necessary safeguards to handle the technological demands of a more connected grid with minimal risk.
Remember that innovative security solutions such as biometrics or embedded pattern recognition will soon become the industry standard. Companies have no choice but to ensure they are secure—this will lead utilities organisations to enhance previous physical security regimes to become cyber-physical in focus.
Cybersecurity is just one pillar for utility companies to consider during a holistic digital transformation.
Geoff Jue
Vice President and Head of NA Utilities Wipro Limited
Geoff Jue is Wipro’s Vice President and Head of Utilities for the Americas. Geoff is chartered with growing the industry practice by driving client value and business outcomes, delivery excellence, continuous innovation, and building meaningful relationships.
Geoff is well known in the utilities industry with over 39 years of experience – 21 years in management consulting leading regional and global sales, solutions, marketing, and delivery teams for Wipro LLC, HCL Technologies, Accenture, and IBM; and 18 years in various executive positions at PG&E Corporate as well as running T&D operations, customer service, and retail operations. Geoff also served as CIO to Xcel Energy for 3 years.
Geoff received his MBA from Golden Gate University in San Francisco, Bachelor of Science Degree in Industrial Engineering and Operations Research from UC Berkeley, and Certificate in Total Quality Management from UC Berkeley. He currently serves on the Board of Directors at the San Francisco Playhouse, a non-profit theatre in San Francisco. He is based out of San Francisco.
Mark Brown
Partner & Global Practice Head – OT & IoT Security Wipro Limited
Mark leads Wipro’s cybersecurity focus globally on OT & IoT Security and manages a practice offering an end-to-end capability across Industry 4.0 and OT/IoT and IT convergence.
Mark joined Wipro in February 2019 from his previous role as global CIO/CTO at Spectris plc and has extensive international and sectoral experience across many facets of technology leadership. He has previously been a global Fortune 50 CISO, global Fortune 500 CIO and for 4 years led EY’s UK & Ireland Cybersecurity, Data Privacy and Business Resilience advisory and assurance consulting practice.
Mark's experience in global technology strategy, cybersecurity and digital transformation enables him to provide insightful, pragmatic advice to clients on the paradigm of right-sizing Information security within business.
An industry-recognised leader in his field, Mark is regularly asked to present at international information security and technology risk conferences and delivers thought leadership on how he has developed and implemented global technology and cyber security strategies, transforming the function from a reactive IT function to a pro-active business enablement function. In 2011, he was recognised as SC Magazine Europe’s Information Security Person of the Year.