The utility sector increasingly relies on interconnected industrial control systems and networks to streamline operations. The crucial role these utilities play in our daily lives, ranging from electricity to water and gas supply, underlines the critical significance of robust cybersecurity measures within the sector. With the increase of smart devices and intelligent infrastructure (e.g. Smart Grid), the vulnerability of these systems to cyber threats has intensified, posing potential risks such as data breaches, service disruptions, and even possible sabotage.  

Cybersecurity measures are thus imperative to safeguard these critical infrastructures, ensuring the uninterrupted provision of essential services. As the utility sector continues to evolve with technological advancements, implementing comprehensive cybersecurity protocols becomes a necessity and a fundamental pillar for sustaining the reliability and resilience of the infrastructure that underpins modern society. This article describes the results of a two-year investigation into the impact of COVID-19 on the Cybersecurity strategies of utility firms. We aimed to investigate the effect of a large pandemic on the strategy and to reveal insights that can support strategic planning. 

Assessing the implications of the NIS Directive  

The utility sector, encompassing a range of vital services such as electrical power, natural gas, steam supply, water supply, and sewage services, has assumed an indispensable role within the trade, transportation, and utilities supersector ​[1]​ As the COVID-19 pandemic demonstrated its disruptive potential across the BENELUX region, securing the utilities sector gained unprecedented prominence. Parallel to that, the United States directed an Executive Order for Cyber Resilience [2] after the Colonial Pipeline hacks. This directive also applies to EU utility organizations dealing with the US government. 

The adoption of the NIS directive by the European Parliament in the EU on July 6, 2015 [3] further underscored the critical importance of safeguarding essential services within the region. This directive designated energy and drinking water suppliers as Operators of Essential Services (OES), highlighting the need for comprehensive measures to fortify physical and technological infrastructures.  
The three core pillars of the NIS2 directives are: 

  • member States’ preparedness; 
  • inter-state cooperation; and 
  • fostering a culture of security across vital sectors. 

This article sheds light on the imperative role of the Utilities Sector in the context of the NIS2 directive, advocating for improved resilience to ensure uninterrupted operations during unforeseen events. Nasim Taleb’s work refers to black swans.​[2]​  

Analysis of the Evolving Threat Landscape in the Utility Sector 

With rising concerns over cybersecurity vulnerabilities, the utility sector remains a prime target for diverse, sophisticated cyber threats. Highlighted by McKinsey, the sector’s susceptibility is rooted in the rise of multifaceted assailants ranging from nation-state actors to cybercriminals and hacktivists.​[3]​ The decentralized nature of cybersecurity leadership and integration new operational technologies (OT) like smart meters exacerbates the challenge of protecting critical infrastructure. 

Further validating these concerns, Clark’s study identifies the rise of advanced persistent threats as a significant risk to vital infrastructure, elucidating a series of impactful attacks worldwide.​[4]​ Meanwhile, the World Economic Forum’s Global Risk Report accentuates the accelerated digital transformation of societies, underscoring the urgent need to enhance preventive measures against malware and ransomware attacks.[7] As the utility sector continues to navigate an increasingly complex cyber threat landscape, the convergence of technological advancement and heightened vulnerabilities necessitates a proactive and collaborative approach to ensure the resilience and security of critical systems. 

Impact of Unforeseen Events on Organizational Cybersecurity Strategies: Evaluating Ad Hoc Responses and Security Posture 

As organizations adapt to unforeseen events, ad hoc adjustments often emerge, potentially introducing new cybersecurity risks. This section highlights how unexpected events, notably the COVID-19 pandemic, influence organizations’ cybersecurity strategies, leading to resource diversions from established IT security. By analyzing the impact of these ad hoc decisions on an organization’s security posture, the authors aimed to identify critical areas within the information security domain that demand attention to mitigate the effects of unforeseen events on cybersecurity strategies. 

Contrary to existing literature, participating organizations did not observe a substantial increase in phishing attacks. However, the research highlights a concerning trend, with one-third of the organizations needing to provide crucial awareness training to their employees.  

The pandemic catalyzed organizations to bolster their Identity and Access Management (IAM) strategies by adopting additional security measures such as 2-factor authentication and implementing zero-trust principles. 

 A significant outcome of the pandemic was the reassessment of risk appetite among most organizations, with a notable proportion confirming adjustments to their risk management strategies. Moreover, organizations compliant with the ISO27001:2013 standard for Information Security Management Systems (ISMS) demonstrated enhanced resilience, increasing the importance of robust security frameworks. Organizations that adhere to an industry-standard have a clear understanding of a minimum level of maturity. Compliance also entails regular reviews of the controls. The Dutch government, in aligning with the ISO27002, has established the new “Baseline Informatiebeveiliging Overheid” (BIO) to guarantee a foundational set of security requirements for government organizations.​[5]​ 

Notably, the research amongst companies operating in the utilities sector underscored a disconnect between the perceptions of policymakers and employees, particularly concerning the provision and recognition of awareness training. Bridging this gap calls for increased alignment between information security professionals and other organizational stakeholders, highlighting the need for cohesive and comprehensive cybersecurity strategies. 

Despite efforts made with the NIS and NIS2 directives to strengthen cybersecurity in the utility sector, this research has shown once more that alignment is critical to improving awareness and establishing a cybersecurity culture. In conclusion, we can state that new insights for CISOs emerged from our research on dealing with catastrophes like COVID. Although COVID Swan was formally not a Black Swan, we have learned that we should never “Waste a Good Crisis.”

Bob Leysen is an information security officer at Itineris. He recently graduated with an executive Master’s in Risk and Cyber security management from Antwerp Management School. He has previously worked in a Service Delivery role. He aims to improve the security posture and compliance of Itineris and the solution delivered to customers. 

Yuri Bobbert is a professor at Antwerp Management School, CEO at Anove International, and CSO at ON2IT Cybersecurity. Yuri supervised Laurens and Bob’s Executive Master in Cybersecurity research project at Antwerp Management School.  

Work Cited 

​​[1] U.S. Bureau of Labor and Statistics, “Industries at a glance: utilities.” Accessed: May 15, 2022. [Online]. Available: https://www.bls.gov/iag/tgs/iag22.htm#:~:text=The%20utilities%20sector%20is%20part,water%20supply%2C%20and%20sewage%20removal. 

​[2] N. N. Taleb, The black swan : the impact of the highly improbable. Penguin, 2008. 

​[3] T. Bailey, A. Maruyama, and D. Wallance, “The energy-sector threat: How to address cybersecurity vulnerabilities,” 2020. 

​[4] R. M. Clark, S. Hakim, and S. Panguluri, “Protecting water and wastewater utilities from cyber-physical threats,” Water and Environment Journal, vol. 32, no. 3, pp. 384–391, Aug. 2018, doi: 10.1111/wej.12340. 

​[5] Barry Derksen and Nico Kaag, Baseline Informatiebeveiliging Overheid (BIO) gebaseerd op de ISO 27002:2022. 2023.​ 

Disclaimer

The authors alone are responsible for the views expressed in this article. The views mentioned do not necessarily represent the views, decisions or policies of the ISACA NL Chapter. The views expressed herein can in no way be taken to reflect the official opinion of the board of ISACA NL Chapter. All reasonable precautions have been taken by the authors to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material lies with the reader. In no event shall the authors or the board of ISACA NL Chapter be liable for damages arising from its us.