Large, privately-owned regulated utilities tend to be more prepared to combat cyber threats than smaller energy companies, according to a new report from Moody's Investor Services. The ratings agency called cybersecurity preparedness an "increasingly important component of credit analysis" for electric utilities.
The report also concludes security posture is stronger among vertically integrated utilities, which also own generation, than it is for those owning only transmission and distribution, due to the greater risk of severe operational disruptions for utilities that own power plants.
Smaller utilities, and not-for-profits in particular, lean more heavily on cyber insurance to mitigate risk, according to Moody's. But according to the American Public Power Association (APPA), smaller utilities face less risk and utilize information sharing tools to boost security.
Moody's is digging into the growing threat faced by utilities, and says its Wednesday analysis is the "first of a series of cyber themed research reports" it will release as security plays a growing role in assessing company financials.
"Our survey of global electric utilities shows that large, privately owned regulated utilities have more robust cyber risk governance and management practices in place than state-owned or unregulated and not-for-profit peers," Moody's analyst Lesley Ritter said in a statement. "Smaller utilities, not-for-profits in particular, favor a risk transfer approach to cyber risk mitigation".
The report is based on a survey of 115 utility companies across North America, Europe and the Asia Pacific region. Moody's concluded investment-grade utilities are increasing cyber staffing and cyber budgets, "while speculative-grade utilities plan to keep both flat."
Moody's pointed to closer alignment between security teams and executives, at larger utilities. At large regulated utilities, the survey showed 80% of cyber risk managers report directly to a C-suite executive. At smaller utilities, that statistic falls to 60%, Moody's said.
CEOs of large utilities are "more likely to have cyber objectives written into their compensation package, making the company leadership directly responsible for managing the risk," Moody's said.
The correlation between utility size and its security posture reflects the greater risk cyberattacks pose for utilities that operate capital intensive equipment, according to Moody's analysts.
"We see closer links between cyber managers and the corporate executive team, a more diverse and sophisticated arsenal of cyber management practices, better management of supply chain risk, and more prevalent adoption of cyber insurance," Moody's analyst Cintia Nazima said in a statement.
Cyber insurance more effective for smaller utilities
Not-for-profit utilities are turning to cyber insurance to mitigate the risk, said Moody's, and see more benefit from it due to their relative size.
"Their broad adoption of stand-alone cyber insurance and the greater benefit they derive from the coverage they have helps offset some of their weaker cyber governance and risk management practices," the report found. "Not-for-profits are typically smaller utilities and the stand-alone cyber insurance coverage available to them is sufficient to provide more material financial mitigation than for larger utilities."
So far, said Moody's, the market for standalone cyber insurance remains small and as a result, "available policy coverage is relatively small, and limits the amount of proportionate coverage larger utilities can access."
Alex Hofmann, APPA vice president of engineering services, said the group does not track how many of its members have cyber insurance but that public utilities are utilizing all the tools available to them. And they face a lower risk from hackers in general, because of their relative lack of prominence.
Larger utilities have a "higher value as a target," Hofmann said. And "by their value as a target, larger organizations have to invest more ... to meet their needs and protect their assets."
There are about 2,000 public power utilities in the U.S., said Hofmann, and "the vast majority don't present a risk to the grid." Some may not even have supervisory control and data acquisition equipment installed on their systems, he said, which limits the ability of hackers to have an impact.
Information sharing, including with law enforcement and industry mechanisms like the Electricity Information Sharing and Analysis Center (E-ISAC), are also a boon for smaller utilities.
"It's pretty easy to get information on threats," said Hofmann. "There are lots of options."
Distributing threat information is a "shared responsibility" that helps all utilities address threats, according to Scott Aaronson, vice president for security and preparedness for Edison Electric Institute, a trade group which represents investor-owned utilities.
Working with E-ISAC, electric power industry stakeholders are able to "quickly report potential vulnerabilities and threats, and, in turn, the E-ISAC is able to distribute actionable information to system owners and operators," Aaronson said in an email.
Partnerships across the sector, and with all levels of government, "are critical to ensuring a strong security posture for our industry," Aaronson said.