HomeEnergy and Utilities

How utilities can help prevent cyberattacks in the age of IoT

Why do most utilities struggle to effectively manage, analyze, and apply the data ingested by their security tools to support detection and remediation efforts?

Protecting critical national utilities infrastructure

While Industrial Internet of Things (IIoT) technologies enable operational improvements for utilities, they also bring increased cybersecurity risks. Whether initiated by terrorists, cyber hackers or nation state actors, successful attacks can result in devastating consequences. Breaches of nuclear-based power plants and energy grids can affect the provision of energy, while cyberattacks on water facilities can lead to contamination or denial of drinking water. The risks to citizen safety, critical infrastructure, and the environment are alarming. Fundamental IIoT cyber hygiene, augmented with automation and artificial intelligence (AI), is critical to continuity of operations and service delivery for utilities.

Today, utilities leverage IIoT technologies in collecting data to monitor assets, gain operational insights, and improve efficiency and safety. Yet, as IIoT expands, attempts to exploit and gain access to industrial control systems (ICS) networks will continue. The attack surface in an IIoT-enabled environment can range from high-value assets or services to critical workloads in the cloud. It also can include process control systems in cyber-physical systems and critical business, operational, and consumer data. For example, the U.S. Department of Homeland Security (DHS) recently reported that the Dragonfly espionage group accessed Human Machine Interfaces (HMI) that control processes at several North American power generation utilities. While inside the system, the group copied configuration information and gained the potential to sabotage or take control of the facilities.

To better understand the state of IIoT security, the IBM Institute for Business Value (IBV) partnered with Oxford Economics to survey 700 executives from industrial and energy organizations in 18 countries, including 120 from utilities. At the time of the survey, all 700 organizations were implementing IIoT in their operations.

The research confirmed that utilities are early and extensive adopters of IIoT technologies. Respondents say their organizations primarily apply them for alarms, meter reading and real-time equipment monitoring, generating huge volumes of data that move across supervision and control networks.

However, utility executives are apprehensive about the security of their IIoT endpoints. Devices and sensors are cited by 24 percent of respondents as the most vulnerable parts of their IIoT deployments. Utility executives are also concerned that data on these devices and sensors, as well as on gateways, is not adequately protected. Twelve percent of utilities are concerned with the vulnerability of data in the cloud.

On average, the exposure of sensitive data is rated by utilities as the highest impact IIoT-related risk. This includes billing and revenue information (from smart grid and smart metering systems), control systems information, and employee and customer data. Power utilities are more concerned with production disruptions or shutdowns and the resulting damage to their reputations. More than half of all utilities are worried about the potential impact of regulatory violations and damage to equipment.

Why haven’t utilities closed the gap?

Utility companies are clearly aware of the cybersecurity risks, but 70 percent say they have—at most—a moderate understanding of IIoT cybersecurity. Survey results reveal that utilities lack fundamental IIoT cyber hygiene—the organization, technology and processes required to mitigate the risks.

While power utilities have a way to go before their operations can be called “secure,” they do have a better grasp of the security needs of their IIoT deployments and connected cyber-physical systems than water utilities.

Eighteen percent of power utilities have formal IIoT cybersecurity programs to establish, manage and update required IIoT cybersecurity tools, processes and skills, compared to only 2 percent of water utilities.

Our respondents also report being challenged to apply or comply with a plethora of regulations, standards and guidelines. In addition, 39 percent of power and 30 percent of water companies from our survey have industrial production networks and aging infrastructures that are difficult to update. Security was an afterthought for many early generation industrial control system applications, such as the smart grid, and legacy devices were often manufactured with lessened attention to security.

Though power companies’ programs are more mature on average, the IIoT cybersecurity capabilities of both groups are nascent. They face significant challenges that account for the gap between IIoT technology and cybersecurity deployment and prevent comprehensive IIoT cybersecurity.

Talent gap exacerbates technology deficiencies

Although power companies’ programs are more mature on average, the IIoT cybersecurity capabilities of both groups are nascent. They face significant challenges that account for the gap between IIoT technology and cybersecurity deployment, and prevent comprehensive IIoT cybersecurity.

Forty-nine percent of water and 40 percent of power utility executives surveyed are experiencing a cybersecurity talent shortage. In addition, velocity and scale are challenges when defending complex utility infrastructures with numerous IIoT technologies. Our research shows 44 percent of water and 30 percent of power utility executives face such big data challenges.

They struggle to effectively manage, analyze, and apply the data ingested by their security tools to support detection and remediation efforts.


Bookmark this report


Additional content

Meet the authors

Steven Dougherty

Connect with author:


, Energy, Environment and Utilities Business Development Executive, IBM Security


Lisa-Giane Fisher

Connect with author:


, Leader, Middle East and Africa, and Global Benchmark Research leader, Utilities industry, IBM Institute for Business Value


Mark Holt

Connect with author:


, Security Business Development Leader, IBM Global Energy, Environment and Utilities


Cristene Gonzalez-Wertz

Connect with author:


, Global Electronics, Environment, Energy, and Utilities Research Leader, IBM Institute for Business Value

Download report translations


    Originally published 30 January 2019