Security and Resilience (Cyber and Physical)

Public Power Utilities Well Positioned To Weather Cyberattacks: Fitch Ratings

Public power utilities are well positioned to weather cyberattacks “due to the electric sector's years of attention to cyber threat mitigation and regulatory requirements, which offers a heightened level of protection relative to other infrastructure assets,” Fitch Ratings recently said.

The rating agency on April 21 noted that federal warnings of cyberattacks targeting U.S. critical infrastructure coincide with news reports of probing of the Texas energy infrastructure, which can be used to scan and monitor networks for weaknesses. “Risks are amplified, and increased information technology investment and spending will be necessary,” Fitch said.

The rating agency noted that the Department of Energy (DOE), Cybersecurity and Infrastructure Security Agency, National Security Agency, and the FBI jointly released an alert in mid-April to warn that certain advanced persistent threat actors are capable of gaining full system access to multiple industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices using custom-made tools that target ICS/SCADA.

“Electric utilities are exposed to these threats as they use ICS to connect into the electric grid and SCADA to gather and process data from substations. Events caused by operating technology (OT) breaches can threaten human safety and the availability of essential assets and are much more severe than IT breaches,” Fitch said.

The costs to maintain and update cybersecurity will rapidly increase to keep pace with elevated ICS threats amid geopolitical tension, the rating agency said. “System lifecycles are decreasing along with rapid evolution of technology and sophistication of cyber intrusions. Strengthening of cyber hygiene culture through investment in human capital and technology is critical to continue effective mitigation of fast-evolving” threats from advanced persistent threat actors.

Fitch also said that electric utility critical assets have been hardened by over a decade of compliance with the North American Electric Reliability Corporation’s critical infrastructure protection mandatory cyber security standards.

Moreover, the renewed emphasis on partnerships as threats increase “is supported by platforms allowing utility operators to share cyber threats in real time without compromising competitive or sensitive information,” Fitch said.

Public power groups such as the American Public Power Association and the Large Public Power Council provide their members with cybersecurity support programs, the rating agency noted, and CISA and the FBI updated the CISA Shields Up program in March 2022, providing best practices, technical guidance, free tools and resources that are available to all organizations.

APPA is helping member utilities across the country create a more resilient and secure electric grid that is prepared for both cyber and physical threats. Public power utilities are working with their communities, states, and the federal government to ensure compliance with stringent security standards and to manage risk. For additional details on how APPA is helping members with cybersecurity, click here.

Fitch said that the ability to protect infrastructure from attacks is considered under Fitch’s U.S. public power rating criteria as part of its assessment of management quality and governance, which is an asymmetric credit factor where weaker characteristics may constrain a rating.

Fitch assesses utilities’ cyber security policies, investment and training, their maintenance of insurance against cyberattacks and their protocols to address cyber incidents.

“No public power ratings are currently constrained by concerns regarding a utility management's lack of preparation. In the event of a cyberattack, Fitch would assess the effect on financial metrics and performance of halts in service, delays in revenue generation, ransomware payments or unexpected capital costs,” the rating agency said.