Cybersecurity – is the power system lagging behind?

Cyberattacks are on the increase in the electricity sector, yet IEA analysis indicates that utilities face serious difficulties in finding and retaining the skilled professionals needed to defend themselves.

As with most industries, utilities increasingly use digital technologies to better manage plants, grids, and business operations, which contributes to energy security by improving quality of supply, providing additional services to customers, and enabling clean energy transitions through the integration of distributed energy resources. However, this progress comes with risks. Digital systems, telecommunication equipment, and sensors throughout the grid increase utilities’ exposure, as each element provides an additional entry point for cybercriminal organisations.

Publicly available information on significant cybersecurity incidents is limited due to under-reporting and lack of detection. However, there is increasing evidence that cyberattacks on utilities have been growing rapidly since 2018, reaching alarmingly high levels in 2022 following Russia’s invasion of Ukraine. Recent cyberattacks in the electricity sector have disabled remote controls for wind farms, disrupted prepaid meters due to unavailable IT systems, and led to recurrent data breaches involving client names, addresses, bank account information and phone numbers. Worldwide, the average cost of a data breach hit a new record high in 2022, reaching USD 4.72 million in the energy sector.

Critical infrastructure, including gas, water and particularly power utilities, are favoured targets for malicious cyber activity. The chart below points out how these industries are in the spotlight.

While electric power utilities across the globe already dedicate substantial budgets to cybersecurity - averaging 8% of total IT budgets in the United States and Canada - job posting data from major power utilities in the United States shows that cyberattack events trigger sudden increases in demand for cybersecurity professionals, suggesting a lack of long-term strategy or planning in the past. Smaller companies in the United States and others in developing economies could show similar behaviour in the future after suffering preventable attacks.

European Union utilities have also been in reactive mode. While the implementation of secure remote working (both for corporate and industrial systems) and related cyber risks may explain the job positing peak in February 2020, these trends suggest that European Union utilities were not fully prepared at the time to face critical events such as the Covid-19 pandemic and Russia’s invasion of Ukraine.

Despite these occasional spurts in cybersecurity job postings by power utilities, long-term data from the United States shows a slight decrease in the share of cybersecurity among total postings in the sector since 2010. By contrast, the share of cybersecurity job postings in finance and insurance companies in the United States has increased almost threefold during the same period, and that in the public administration almost twofold.

The figures show that the number of cybersecurity expert job postings in power utilities has not evolved as rapidly as total job posting trends in the sector, despite the increasing digitalisation of power systems and their exposure to cyberattacks. Very similar trends have been observed in Canada and the United Kingdom. Some of the gap may be explained by heterogeneity across sectors, by factors such as diverse propensities to contract external specialised support, and differences in labour turnover (i.e., churn rates). Still, the difference is of some concern.

In addition to lower rates of job postings, power utilities have difficulties recruiting and retaining cybersecurity employees due to three main reasons:

1. A worldwide shortage of cybersecurity workers across all sectors, estimated at 3.4 million people in 2022.
2. Available data for the United States, Canada and the United Kingdom suggests salaries offered by power utilities in cybersecurity job postings are among the lowest for the occupation.
3. Power utilities require specific cybersecurity skills adapted to their regulated technical and operational activities.

In 2021 and 2022, US power utilities offered an average annual salary of USD 81 800, higher than in educational services but substantially lower than top sectors such as finance and insurance, which offered more than USD 100 000. Given the wide range of job vacancies, cybersecurity experts are likely to prefer sectors offering better conditions, further increasing the shortage of professionals in the power utility sector. Finance and Banking, in particular, is a sector well known for its high levels of investment in cybersecurity.

If we look at historical data for new hires in power utilities, finance and insurance, and public administration, we see that offered cybersecurity salaries in power utilities were initially competitive between 2010 to 2013, and not far from top-paying sectors. However, utilities’ offered wages have not kept up with competition nor inflation over the past thirteen years, and power utilities have progressively fallen into the lower group along with public administration. What’s more, the salary gap for new cybersecurity positions at top paid sectors in comparison with power utilities has been higher than ever since early 2021. While this may be explained in part by differences across sectors in wages (and the degree to which firm-level revenue is shared with workers), the relatively low and stagnant salaries for cybersecurity workers within power utilities is a cause for concern in the face of increasing threats.

Considering these findings, it is not surprising that power utilities seem to have difficulties finding cybersecurity profiles adapted to their tasks. This is certainly due in part to the very specialised nature of their activities and the high degree of digitalisation in recent years, leading to complex IT and OT systems capable of remote control and operation of plants and grids. A recent survey showed that 62% of respondents within utilities either do not know or do not believe that they have the skills and tools in their organisations to protect against cyber threats.

Regulation in North America and specifically in the United States has been at the forefront in developing cybersecurity standards for the power grid, mainly through the North American Electric Reliability Corporation (NERC) and its Critical Infrastructure Protection (CIP) standards, as well as through the Cybersecurity Framework Smart Grid Profile. As expected, knowledge and experience with NERC standards is one of the top five skills required for cybersecurity profiles in the power utilities sector, closely followed by Industrial Control Systems (ICS) security standards, specifically within the NERC CIP framework.

Responsibility for securing power systems does not rest exclusively with power utilities. Policy makers play a central role in enhancing the cyber security of power systems, along with regulators and equipment providers. Without a strategic approach towards ensuring cyber-skills, power system stakeholders may not be able to effectively cope with future attacks. The main action areas for achieving more appropriate electricity security frameworks are institutionalising responsibilities and incentives; identifying, managing and mitigating risks; monitoring progress; and responding to and recovering from disruptions. Smaller utilities may require additional support from policy makers and regulators, as their fixed costs for cybersecurity infrastructure and systems are higher in relative terms.

Although long-term data on job vacancies seems to suggest that demand for skilled cybersecurity personnel at US power utilities is relatively stagnant, the sector has been doing well in terms of business continuity and resiliency, namely absorbing damage and avoiding major impacts to end users. In order to achieve this, many power utilities have relied on external support from specialized companies instead of creating large inhouse cybersecurity teams. But internal adaptation to current cyberattack trends across teams is necessary as it involves the whole value chain of power utility companies. Cyber threats will continue to evolve and become both more frequent and more powerful, given the established business models of cybercriminals and the wide range of advanced technologies at their disposal. It is therefore essential that every power utility, big or small, includes cybersecurity as a core element of their business strategy and ensures access to inhouse cybersecurity professionals and their skills, continuously updating them and ensuring talent retention.