Survey Shows Utilities’ Cybersecurity Not Keeping Up with Technology

March 2, 2017

Results from EY’s 19th Global Information Security Survey 2016-17 indicate a need for improved resilience in the ability of the power and utilities sector to respond and recover from cyber incidents so that safe and reliable operations can be restored and maintained.

Growth in digital and connected devices, along with the convergence of information technology (IT) and operations technology (OT) systems, have increased the significance of cyberattacks on critical infrastructure, including the power grid, says EY. EY’s Global Information Security Survey (GISS) covers over 20 industry sectors and captures the responses of 1,735 participants around the globe, including 81 from the power and utilities (P&U) sector.

Over decades, utilities have learned to better respond to potentially catastrophic events. Commodity supply shocks, storms, natural disasters, equipment failure, terrorist attacks and the growth in cybercrime have all driven utilities to improve their approach to business resilience and risk management. However, the GISS results indicate the need for improved resilience in their ability to respond and recover from cyber incidents so that safe and reliable operations can be restored and maintained.

Key findings

Here’s a sampling of survey findings.

1. Inadequate security operating models are exacerbated by budget pressures

• 89% say their cybersecurity function does not fully meet their needs, and only 53% of P&U respondents have a security operations centre

• 39% need a budget increase of at least 25% to achieve management’s desired level of risk tolerance

2. Reputational risks are rising

• 58% have had a recent significant cybersecurity incident

• 39% do not have a communications plan in place in the event of a significant attack

3. A skilled cyber workforce is essential to keep pace with evolving utility threats

• 58% rated security awareness and training as a high security priority

• 84% consider careless employee actions to be the most likely source of a cyber attack

See more survey results: www.ey.com/gl/en/industries/power—utilities/ey-the-path-to-cyber-resilience-sense-resist-react.