The scope of the cybersecurity threat is large and continues to grow for the utility industry. After the well-publicized data breach of Target's credit card system, companies of all sizes and varieties need to make cybersecurity a top priority. Protection of customer and employee information is crucial. But there is also concern over hackers disabling, interrupting, or taking over a utility system, the impact of which could be devastating.
Cyber attacks can come from any number of sources. One common example is the local high school student who fishes around the systems of others with no malicious intent. Organized groups of hackers working together can also target companies to gain information, customer and employee data, and notoriety, or to disable the websites or operations of popular, well-known companies. Perhaps most dangerous are nation states, who either directly or through surrogates deliberately target other nations and their infrastructure. Because of these bad actors, utilities of all sizes must be vigilant to ward off attacks and minimize damage should an attack prove successful.
A threat to utilities large and small
Recent studies show that roughly one-third of all cyber attacks are aimed at utilities. Utility companies are targets of cyber criminals for many reasons. The bad actor may want to steal customers’ personal information. Or the hackers may want to access critical systems to damage or disrupt the delivery of utility service or hold the company for ransom. Perhaps the most troubling, and the hardest to defend against, is the bad actor who simply plants a virus within an unsuspecting company’s system, where it remains unobserved and inactive until some later time when the hacker activates it.
The deployment of the smart grid has the ability to improve utility system operations and improve reliability. At the same time, smart grid deployment adds increased exposure and points of attack for hackers of any variety. While companies are aware of the risks and take active steps to mitigate exposure, no system, neither the “old” system nor the deployed smart grid, is foolproof.
Vigilant cybersecurity in the utility world is non-negotiable. All utilities—whether large or small, investor owned, co-op, or municipal, be they water, electric, gas, or pipeline—are already targets. Companies must understand the world in which they operate and how best to protect their organization, their physical and cyber assets, and their customers' and employees' personal information.
Regulation appears to be coming
The Federal Energy Regulatory Commission and North American Electric Reliability Corporation are already drafting physical security standards. Cyber security standards are likely to follow. Other federal and state agencies are also now engaged in the conversation to try to ensure the public is properly protected from the increased security risk at utilities.
One way to ensure appropriate compliance with privacy regulations is to demonstrate that steps are already being undertaken to protect assets and customers. First, be proactive in evaluating the risk and vulnerability to cyber attack. Second, take appropriate steps to minimize the risk of your system being penetrated by a bad actor, including secure IT protocols. Finally, create and enforce policies and procedures to minimize the chances of a successful intrusion. Since no system is impenetrable, companies must also have a detailed incident response plan so they can respond efficiently to a successful intrusion into their systems.
Companies have an obligation to protect themselves and the data and personal information of their customers and employees. Bad actors all around the world are already regularly attacking utilities, financial institutions, retailers, and other entities of all sizes and industries. By being proactive and deliberate in addressing the cyber security concern, utility companies can improve the chances of defending against cyber attacks and minimizing damage to the company and their customers.
For more information, please contact:
Our national Data Privacy and Cybersecurity team has a wealth of experience advising clients on best practices for data privacy, security, storage, and disposal. We specialize in breach coaching clients through the myriad of rapidly changing state, federal, international, and industry privacy and breach notification laws, including drafting and implementing proactive measures and employee training. Our skilled attorneys also provide client support during investigations by state and federal regulators. We have significant expertise in litigation prosecution (indemnification) and litigation defense (single plaintiff and class action). Our attorneys deal with data breaches every day. The national Data Privacy and Cybersecurity team at McDonald Hopkins has counseled clients in nearly every industry through hundreds of privacy incidents. When a data breach occurs, it’s fast moving and there’s no time to spare. We are here to advise your organization and advocate for your business. We don’t just practice data privacy law. We live data privacy law 24/7. If you suspect that your organization has suffered a data breach or privacy incident, call our 24/7 Hotline at 855-MH-DATA1 (855-643-2821).