Utilities and power producers have an additional business risk that may need to be reprioritized. While there has been a long-standing concern about possible cyberattacks against critical infrastructure, the energy industry has been relatively unscathed. Recently, however, there have been various reports of successful attacks worldwide. The Washington Post reported the first known incident in which a cyberattack caused a blackout. It occurred on December 23, 2015, in Ukraine’s Ivano-Frankivsk region, leaving parts of the region without power for several hours. Several security websites reported that the attackers are believed to have gained access through a fake email that appeared to come from an official government mail account.

The Wall Street Journal reported on a previously undisclosed cyberattack in 2013 that enabled hackers to infiltrate the control systems of a New York dam that is designed to mitigate flooding and has a computer-operated sluice gate. The report suggests that “while the hackers never took control of the dam, they were able to penetrate the electronics system.” The same report mentions an attack on a German steel mill that caused physical damage to the mill’s equipment. These incidents highlight the risk of bringing industrial control systems online.

As cybersecurity concerns continue to come to the forefront, businesses will need to better identify their cyber risk assets and prioritize the resources allocated to protect those assets. Critical infrastructure regulators have urged companies to boost their cybersecurity measures and enhance their business continuity and disaster recovery plans. Senior management will need to better understand the tradeoff between the business risk and the impact of a cyberattack, and how cybersecurity will affect their organization’s business relationships with competitors, providers and customers. Senior management will also need to consider how to invest adequately in staff training so that employees become more security-savvy when using the company’s systems.