Cracking the Code on Cybersecurity Through a Risk-Based Approach: Emerson Best Practices for Power and Water Suppliers

By Bob Yeager

In many ways, digital transformation is a double-edged sword for the power and water industries.

On one hand, incredible technological advancements – including the convergence of information technology (IT) and operational technology (OT), enhanced connectivity, streamlined access to larger datasets, and more – have revolutionized the ability of utilities and municipalities to optimize operations, safely manage distributed energy resources and continue to generate reliable, low-cost power and produce clean water.

On the other, as power and water suppliers transform their operations to capitalize on the benefits above, they become increasingly vulnerable to cybersecurity attacks and threats – and that’s especially true if they don’t have the right approach or partner to help protect them.

Today, cybersecurity attacks against critical infrastructure are growing. The U.S. Environmental Protection Agency released a memorandum stressing the need to audit security practices of local water systems, and Dragos – a leader in industrial cybersecurity – recently reported a continued increase in instances across the energy sector.

And as attacks grow, so do costs. In fact, global annual cybersecurity attacks and threats are predicted to cost the world $8 trillion in 2023, which is up from $3 trillion in 2015 and expected to rise to $10.5 trillion by 2025.

With more distributed energy resources (DERs) like wind farms, solar facilities and microgrids supplying renewable power to the grid which powers critical infrastructure, there is an even greater potential for hackers to remotely disrupt the flow of electricity. The U.S. Department of Energy stated in an October report that DERs “pose emerging cybersecurity challenges to the electric grid” and should be designed with security as a “core component.”

So, as hackers today become smarter, use more sophisticated techniques, and – in many cases – evolve and innovate faster than the companies they target, the question becomes: What can companies do to fend them off?

A Risk-Based Approach to Cybersecurity

Regardless of industry, adopting a risk-based approach can help you identify potential vulnerabilities and protect your company from them now and in the future. The aim of a risk-based approach is not to protect against all threats but to identify potential vulnerabilities and make strategic decisions based on the likelihood and impact of each vulnerability.

As you bolster your cybersecurity efforts, consider these practices to ensure your approach is holistic and constantly evolving:

Assess risk.

Risk assessments equip your company with critical insights that help mitigate risks upfront. By conducting an assessment, you determine the readiness of key cybersecurity elements – including network security, data management, perimeter protection and more – and establish a better understanding of your system’s overall security posture.

Tighten system access.

Security measures can be cumbersome, which may make limited security tempting, but attackers are counting on it. Keep system access tight by ensuring employees are conscientious about security policies, constantly evaluating risks and helping to build the right culture of security internally.

Establish strong policies.

Even the most sophisticated, secure measures can be rendered useless due to human error. That’s why it’s critical to educate and empower employees with strong administrative policies that reduce risks from social engineering, phishing and related attacks.

Upgrade your control system.

Downtime is costly and should be avoided as much as possible. By applying timely patches and system upgrades, you can minimize downtime while eliminating the risk of having unprotected servers and workstations.  

Go beyond perimeter protection.

Attackers will often assume perimeter protection is in place and therefore use common protocols and known service ports to compromise control system components. To tackle targeted attacks, control the system perimeter and protect potential entry points by deploying customizable, adaptable firewalls and continually scanning for security gaps.

Keep remote access in the right hands.

Almost all control systems are deployed with some type of remote connectivity – but the fact that remote access is the norm doesn’t make it a safe practice. On systems where remote access is a must, make sure it’s monitored and implemented securely. You may even consider multiple layers of authentication for added security.

Know your control system.

After you’ve developed and deployed your risk-based approach to cybersecurity, ensure you’re constantly monitoring risks along the way and identifying potential attacks and threats as soon as possible. The right approach to cybersecurity is one that constantly evolves and adapts.

For power companies or municipal utilities looking to innovate and keep pace with competitors today, digital transformation is no longer a “nice to have” – it’s nonnegotiable. And while there can be risks, they shouldn’t stop companies from reaping rewards like enhanced collaboration and innovation among their workforce, breakthrough operational improvements and more.

Plus, in the ever-evolving landscape of cybersecurity, the above practices are just a starting point. To truly optimize their operations and risk-based approach to protecting them, power and water companies today are automating and seamlessly integrating industry-leading cybersecurity solutions – like Emerson’s Ovation™ control system that is both Designated and Certified as Qualified Anti-Terrorism Technology by the U.S. Department of Homeland Security – into their businesses.

Regardless of where a company is in its cybersecurity journey, it’s important to remember there are always opportunities to improve, evolve and better prepare for the next potential attack or threat lurking around the corner.

Just because an attack hasn’t happened yet doesn’t mean it won’t. So, take the time today to develop the right approach and work with the right partner. You’ll thank yourself tomorrow.
