“Even though the U.S. distribution grid isn’t covered by CIP requirements, utilities seemingly have a false belief that a Ukraine-like incident can’t happen in the U.S.”Among the top issues impacting both ongoing and planned security initiatives, survey respondents cited “integration of related systems/data,” as well as “supply and availability of experienced staff.” “Supporting normal operations while also staffing projects with the required combination of OT and security know-how continues to challenge utilities,” the company noted. “A lack of system/data integration is limiting visibility into security risks,” said BRIDGE Energy Group. When it comes to security and compliance metrics, less than 30 percent of respondents said they use a dashboard or geospatial visualizations—another 30 percent said they don’t report compliance metrics at all. Without analytical reporting and visualizations, companies face the risk of future compliance failures and weaken their ability to ensure timely threat detection, the company added. Additional key findings from the survey included:
- 48% of survey respondents say they plan on having a minor security project in the coming 24 months
- 76% have not yet fully integrated their real-time security and operations data
- 69% have a formal standard for calculating risk, while 31 percent still do not
- Only 25% of utilities have developed a chain of command for primary operations security
“The energy sector has made significant improvements in understanding and mitigating risk through the NERC Critical Infrastructure Protections standard, but the threat landscape continues to evolve” said Tim Erlin, director of IT security and risk strategy at Tripwire.“Organizations’ defensive tools and techniques need to evolve to match the threat,” he said.