Public power utilities will need to continue to increase and prioritize investments in cybersecurity, including operational technology (OT) and information technology (IT) investments and robust cyber policies and practices, in order to address heightened risks, Fitch Ratings said.
“Robust cyber resiliency and risk management helps support current ratings,” Fitch said in late October.
“Broadly speaking, the power utility sector continues to remain well positioned to withstand attacks on digital and network infrastructure,” the rating agency said.
Electric utility critical assets have been bolstered by over a decade of compliance with the North American Electric Reliability Corporation’s (NERC) mandatory critical infrastructure protection cyber hygiene security standards, Fitch said.
“Public power utilities across Fitch's rated portfolio have reported increased screening efforts, targeted staffing and training, system upgrades and improved restrictions on vendor access,” Fitch noted.
At the same time, “the risk landscape for the sector is rapidly growing due in part to the use of artificial intelligence by threat actors, including nation states.”
Also contributing to risk is the growing dependence of the sector on IT assets, industrial control systems for grid operations, and smart internet of things devices such as smart meters and sensors that increase the accessibility surface, Fitch said. “The integration of IT and OT will only increase with greater use of such devices.”
Fitch said that cyberattacks on OT are higher risk than those on IT and are more likely to have a credit impact.
It noted that OT encompasses the computing systems that manage industrial operations and prioritize availability and human safety.
“The vulnerability of critical OT to cyberattacks is amplified if ICS have remote access or remote monitoring capabilities. However, utilities typically take steps to disconnect operating systems from the internet, reducing the risk of OT infiltration.”
Significant vulnerabilities could also stem from “technical debt” (deferred digital maintenance) and overreliance on legacy systems, which are not designed with specific cybersecurity protections or modern authentication capabilities, it said.
“This may be a particular issue for small and mid-sized public utilities, which are typically not rated by Fitch.”
The ability to protect infrastructure from attacks is considered under Fitch’s U.S. public power rating criteria as part of its assessment of management quality and governance, which is an asymmetric credit factor where weaker characteristics may constrain a rating.
“No public power ratings are currently constrained by cyber preparation issues, as attention to and investments in addressing this risk have been robust in accordance with NERC guidelines,” Fitch noted.
Fitch said that in the event of a cyberattack, it would assess the effect on financial metrics and performance of halts in service, delays in revenue generation, ransomware payments or unexpected capital costs.
The American Public Power Association offers a wide range of resources to its members related to cybersecurity.