Davies Consulting

Strategies for Complex Organizations

Energy Pulse: Unique Challenges of Cyber Attacks for Utilities

February 26, 2014

by Brooke Davies

This winter, Mother Nature has had consumers, governments, utility line workers, system managers, and CEOs all planning for the worst:  an extended power outage.  For the most part, utilities have been and are prepared to respond quickly and effectively to weather outage incidents, even where those incidents happen with little to no warning.  More recently, utilities have turned their attention to another kind of risk:  cyber attacks that could have similar impact on customers.

Today’s emergency response plans speak to the full range of potential hazards (flood, earthquake, cyber, hostile intruder, storm, etc.) and are evolving with the industry.

“Change alone endures.”  Trotsky’s statement couldn’t be more true than in today’s electric and gas utility environment.  Shifting weather patterns, evolving technologies, an increasingly digital business environment, boundless consumer demand for information, evolving regulatory policies, and steadily rising demand for energy expose our utility system to an incredibly diverse set of challenges and risks, some of which customers struggle to understand.  Utilities are discovering that prevention and restoration are not enough.  Well-timed, consistent communication is emerging as crucial, and it’s driven by what customers and other external stakeholders need, not solely on what the utility thinks is important.

Cyber risk does pose a unique challenge.  In the utility industry, cyber risks can be sorted into two broad categories: IT (information technology) attacks, like customer data breaches; and OT (operations technology) attacks that threaten the foundational systems that operate and manage the grid.  Utilities work diligently to detect and contain both types of cyber attack before they pose large risks to the system or feed into a catastrophic event.  And, as is the case with storm planning and response, utilities have done a remarkably good job on this end.

For customers, though, the idea (or reality) of an IT incident is much more personal than losing access to electricity. Loss of privacy, threat to one’s financial security, and the frightening potential for personal exposure jeopardize ourpersonal power.

We’ve seen utility communications strategies that address both kinds of power losses (system and personal) with great affect.  Most successful efforts prioritize a combination of factors, all of which keep the customer’s needs paramount:

  •   Timing of customer outreach both in terms of preventative customer education and responsive help for customers who are in reaction mode;
  •   Consistency in strategy and messaging to minimize confusion, ensure that the company is speaking in one voice, and that all stakeholders are receiving accurate, up-to-date, and relevant information;
  •   Coordination across all communications channels ensures that employees, customers, government leaders, critical infrastructure, and other stakeholders receive accurate and timely information; and
  •   Responsiveness that is timely and transparent to alleviate customer fears and help reduce the risk to the company’s brand.

Customers need to be educated about cyber threats, protected from the impacts of a cyber attack, and restored to power as quickly as possible.  For complex organizations like utility companies, connecting the dots among potential hazards, preparedness efforts, customer perspective, and response strategies, is increasingly important to customer satisfaction, the brand, and the bottom line.