Senior Partner & Managing Director
In March 2018, a cyberattack struck the platform of an electronic communications system provider. But the impact went far beyond that one company. Cascading through the ecosystem, the attack disrupted the operations of several natural gas pipeline and utilities customers.
As this example shows, cyberrisk is first and foremost a business and systemic risk, not an IT risk. Cyberthreats affect all industries but are especially challenging for the electricity industry because of the interconnected ecosystem in which electricity organizations operate. In addition, the grid is so vital to our infrastructure that a large-scale blackout would have enormous socioeconomic impact, with damaging consequences for households, businesses, and vital institutions alike.
Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards, a 2019 report developed by the World Economic Forum and Boston Consulting Group, addresses three challenges to cyberresilience in the electricity ecosystem:
You might be interested in
CybersecurityBrowse the Collection
The first step in addressing cyberresilience challenges is to understand what needs to be protected. In an interconnected universe like the electricity industry, this means answering two questions:
Who. A mapping of the electricity ecosystem includes not only the core industry value chain but also a business ecosystem of suppliers, customers, and peers, and an extended ecosystem that includes policymakers, regulators, and law enforcement. (See Exhibit 1.) It’s also important to consider parties that are even more distant from the core, such as suppliers of suppliers and customers of customers.
How. Connections among stakeholders in the electricity industry fall into three categories: physical, network, and strategic. Physical connections enable the flow of electricity from generation to use, while network connections include the system connections that enable data flow. Traditionally, cyberattacks occurred only in the network domain. But the IoT enables the connection of physical devices to the internet, meaning that a cyberattack can have physical consequences as well. To identify and manage these potential vulnerabilities, an organization needs to understand which network and physical systems connect to the systems in its value chain and extended ecosystem.
The nature of strategic connections is slightly different. Once the physical and network connections have been identified, leaders need to jointly define strategies for mitigating the cyberrisks that these connections pose. For example, a generation facility and its fuel suppliers should outline ways to manage cyberattacks that could compromise the generation facility’s fuel supply. Leaders of electricity organizations also need to develop strategic partnerships with stakeholders in the extended ecosystem. This might include engaging relevant law enforcement agencies to respond to cyberattacks and working with regulators and policymakers to develop regulations with appropriate incentives.
Boards of directors need to take responsibility for and oversee cyberrisk management in the organization and across the ecosystem. This is critical for building systemic cyberresilience.
The 2019 report by the World Economic Forum and BCG provides guidance for boards in this undertaking. Augmenting the cyberresilience strategies report that BCG and the World Economic Forum developed in 2017, the new report identifies seven principles and guidelines for boards of directors in the electricity industry. (See Exhibit 2.) To help companies implement these principles, the report offers assessment questionnaires and case studies from leading electricity organizations around the world.
For electricity companies, cyberrisk is an ecosystem-wide challenge. But the electricity industry is not alone. Cyberrisk threatens the aviation, automotive, and health-care ecosystems as well—and the number of affected industries will continue to grow. As digitization continues, ecosystem stakeholders will increasingly need to come together to manage cyberrisks. Such collaboration will be critical to improving systemic cyberresilience in the long term.