Blog Posts Business Management

Cybersecurity: An essential condition for the digital transformation of utilities

Blog: Capgemini CTO Blog

Energy operators are accelerating their digital transformation in order to meet the challenges of energy transition, adapt to new consumer uses, and optimize their operations. However, digitalization, together with structural changes in the sector, such as decentralization or the arrival of purely digital players, significantly increases the risk of cyberattacks. Multifarious, these now affect all segments of the energy value chain.

Changes in the sector that are making cyberattacks easier

Despite the means put in place—the creation of the European Union Agency for Network and Information Security (ENISA), the adoption of the Directive on Security of Network and Information Systems (NIS directive), and the strengthening of regulatory frameworks worldwide—the conclusions are alarming: the number and sophistication of cyberattacks are on the rise.

Recent large-scale cyberattacks, such as Wannacry in May 2017, show that all companies are threatened while the probability of identifying and prosecuting hackers remains limited.

Certain strategic sectors, such as the energy sector, have experienced a surge of cyberattacks over the past decade, with a rising trend toward sabotage attempts. Between 2010 and 2015, the number of cyberattacks on Utilities worldwide increased six-fold, placing the sector in second place among the most-targeted companies. According to the Ponemon Institute, in 2015 the energy sector suffered the heaviest financial losses caused by cyberattacks; second only to the financial sector.

These risks are exacerbated by the following trends:

All segments of the sector’s value chain have already been hit by cyberattacks, showing that repercussions can be significant in human, material, and financial terms.

Cyberattacks in Utilities

            Source: Capgemini, 2018

Finding a middle ground between protection and competitiveness

France’s cybersecurity regulatory system makes the country a leader in this subject. Through decrees developed in close collaboration with Operators of Vital Importance (of which many players in the energy sector are a part), the French State provides a precise framework for companies to evaluate and address their risks. This French specificity also places a national authority—the ANSSI (National Agency for the Security of Information Systems), backed by an arsenal of available measures—at the disposal of the private sector.

While reporting cybersecurity incidents to the ANSSI is, for example obligatory, in France, it remains optional in the US, where incident reporting to competent authorities is voluntary. Moreover, the European Union is trying to replicate the ANSSI model in all Member States.

These measures allow Utilities to pursue their digital transformation strategies without neglecting to protect their assets—but at the cost of a significant increase in the cost and time required to implement digital projects. They particularly hamper innovation in open data or API and limit the possibilities of data recovery.

Operators must thus fully segregate the network upstreaming the information from the communicating meters (Advanced Metering Infrastructure) and SCADA in order to manage electricity distribution. This measure does not allow for the real-time use of the data collected by the counters to balance the network.

In other words, this configuration severely limits evolved smart grids. It also limits the speed and ease of on-site intervention by technicians, who can’t use the data collected by SCADA in real time (on their tablets, smartphone, etc.)

In a context where digital levers help reduce operational costs to improve customer satisfaction and create new services, helping companies digitalize is critical for the French energy industry to remain competitive. The answer will, perhaps, be found in cooperating on a European scale to develop viable solutions.

Reimaging cybersecurity around major structuring principles

Energy players also have an opportunity to change their operating posture to support the emergence of these solutions and adapt to changes in the sector in a way that is adequate to current security requirements. Cybersecurity is still too often treated as just a costly constraint on digital projects and cybersecurity professionals intervene in projects late in the game.

They must in particular:

  1. Start thinking about cybersecurity as a profitable (financial risk-reducing) activity, and not just a simple expense as is the case now and monitoring its economic impact on projects. This would, in many cases, justify increasing cybersecurity budgets, which are still low, given the stakes.
  2. Enhance the role of Chief Information Security Officer (CISO) by:
  1. Support innovation by provisioning APIs and secure application co-development environments for an open ecosystem comprising universities, SMEs, start-ups, and large groups.
  2. Internally develop the skills and new positions that bridge the areas of expertise (information security, development of digital services, and industry knowledge). Training employees to have information security reflexes is also an essential part of cybersecurity, because employees are in almost always a vector of attack without being aware of it.

An organizational paradigm shift is needed within Utilities if they are to digitalize their operations at minimum risk and benefit from the levers of competitiveness related to innovation—in particular, the possibility of creating an open ecosystem of players developing digital services. Cybersecurity must no longer be treated as a separate component, a mere corollary of digital projects. It must be an integral part of the organization and its operational modalities.

Written by Pierre Duchesne, Director; Gabrielle Desarnaud, Consultant—Capgemini Consulting

Leave a Comment

Get the BPI Web Feed

Using the HTML code below, you can display this Business Process Incubator page content with the current filter and sorting inside your web site for FREE.

Copy/Paste this code in your website html code:

<iframe src="" frameborder="0" scrolling="auto" width="100%" height="700">

Customizing your BPI Web Feed

You can click on the Get the BPI Web Feed link on any of our page to create the best possible feed for your site. Here are a few tips to customize your BPI Web Feed.

Customizing the Content Filter
On any page, you can add filter criteria using the MORE FILTERS interface:

Customizing the Content Filter

Customizing the Content Sorting
Clicking on the sorting options will also change the way your BPI Web Feed will be ordered on your site:

Get the BPI Web Feed

Some integration examples