Zpryme Survey finds that cybersecurity is a top priority for utilities; however, 40% of energy executives believe U.S. electric networks are insecure.

Cybersecurity is a hot topic, but it is probably the hottest topic that can’t be discussed much. Even with the secretive nature of cybersecurity, Zpryme and ViaSat have pulled back the curtain to provide a glimpse into the current and future state of cybersecurity for North American utilities. The Cybersecurity Outlook 2015 INFOgraphic, commissioned by ViaSat, provides insights from nearly 180 North American utility executives who answered questions about cybersecurity in the U.S. and their organizations. These insights are based on an online survey Zpryme conducted during December 2014 and January 2015. Included below is a summary of key survey findings. You may also download the complete INFOgraphic below.

Key Findings & Insights

  • Cybersecurity is a top priority for utilities with more than 50% of respondents placing cybersecurity in the top 10% of priorities. Just 1% said it wasn’t a priority issue.
  • There is significant room for improving cybersecurity—about 40% of the respondents believe the U.S. electrical networks are somewhat or very insecure.
  • The strongest benefits for increased cybersecurity include reliable service, control of safety systems, and increased resilience.
  • Operational systems with the highest demand for security include SCADA systems and distribution automation.
  • Day-to-day decisions about cybersecurity rest in the hands of managers and professionals. Most cybersecurity decisions are made below the executive level.

The U.S. Utility Industry

When asked what priority should be placed on the security of real-time systems, more respondents chose the top 5% of all priorities (28%) than any other response. Twenty-two percent said top 10%; 25% said top 25%; 24% said top 50%, while just 1% said security was not a priority issue at all. Only 9% of these respondents said U.S. electrical networks were very secure, with 52% saying somewhat secure, 32% saying somewhat insecure, and 7% saying very insecure. A majority (62%) of the executives believed that in 2015 cyber attacks on U.S. utilities would increase in frequency and expand to include both OT and IT systems. The biggest impact of a cyber attack on a utility would be power outages (44%). Other, less frequently chosen impacts include damage to electricity control systems (19%), financial losses and fines (17%), operations equipment damage (6%), denial of service (6%), and safety equipment failure (4%).

Zpryme asked executives to rate the benefits of cybersecurity for seven different grid operation systems through a six-point scale where 6 = top benefit and 1 = lowest benefit. The average ratings reveal—from greatest to lowest benefit—reliable service (4.7), control of safety systems (4.3), increased resilience (4.2), low/no power losses (4.2), NERC CIP compliance (4.0), low/no fraudulent activities (4.0), and accurate network information (3.9). However, all of these operational systems would receive substantial benefit from a cybersecurity system.

Respondents were further questioned about which operations devices/technologies would have the highest demand for security. Their responses were—in descending order of frequency—SCADA/ICS communications (33%), distribution automation (24%), upgrade of existing transmission and distribution equipment (20%), substation automation (13%), and advanced transmission monitoring systems (11%). A majority (58%) of the executives—when considering incident response, resiliency and operational reliability—reported that an integrated cyber and physical system was very valuable; while another 32% said moderately valuable; 8% said slightly valuable; and 2% said not very valuable. Nearly two-thirds (65%) believed having diverse and redundant communications for grid control operations was very important. Twenty-six percent said diverse/redundant communications was moderately important, 7% said slightly important, and just 1% said not important at all.

Utility Companies In-Depth

The executives were asked at what level day-to-day decisions about cybersecurity were made in their own organizations. They responded: management level (42%), professional/staff level (23%), executive (CEO, VP) level (20%), and operational level (11%). Apparently, most decisions are made below the executive level. When asked how important it would be to have real-time visualization of their operational system security, respondents said: very important (50%), moderately important (34%), slightly important (9%), or not important (7%).

Asked about their level of interest in a security assessment at their utilities, respondents said they were not interested in the foreseeable future (31%); had already conducted a security assessment (30%); wanted one this year (16%); might consider one next year (14%); or wanted one now (9%).

When considering a communication system failure at their utility, the respondents noted what their disaster recovery plan included: a detailed plan for continued operations (59%), radio-based communications (32%), waiting for the systems to be repaired by someone else (16%), using portable satellite communications (16%), not having a disaster communications plan (9%), and other components not listed here (11%). Lastly, when considering cyber and physical security, these respondents preferred: a complete system approach (33%), an approach that integrated existing capabilities (33%), modular-based systems (31%), or one-off products (3%).
