Industry Coverage icon

Cybersecurity Report for Utilities

Safeguard the digital transformation.

Unlock a Free Sample

Your organization is in urgent need of a cybersecurity strategy that can transform with future needs.

You are having difficulty in:

  • Gauging the overall risk of the integrated IT, OT, and IIoT cybersecurity ecosystem.
  • Developing a strategic plan to protect your organization’s physical assets and brand.
  • Understanding the impact on people, processes, and technology.

Our Advice

Critical Insight

Implementation of basic cybersecurity hygiene practices can effectively protect you against easy and low-effort attacks. Adoption of a risk-based approach to secure IT, OT, and IIoT is required to protect you from devastating consequences.

Impact and Result

Info-Tech’s utilities cybersecurity report provides an overview of the cybersecurity landscape that leaders are facing today. It offers key insights and practical recommendations based on industry best practices globally. This report:

  • Provides an overview of the utility specific cybersecurity landscape.
  • Identifies the impact on People, Process, and Technology as a result of implementing cybersecurity programs.
  • Demonstrates how utilities are enhancing their cybersecurity capabilities.
  • Proposes recommendations based on best practices from the industry.

Cybersecurity Report for Utilities Research & Tools

1. Utilities Cybersecurity Report – This report provides an overview of the cybersecurity landscape that leaders are facing today.

This trends deep-dive report discusses the risk-based approach to manage utilities’ complex cybersecurity program and highlights the impact of people, process, and technology on building a cybersecurity culture. It offers key insights and practical recommendations based on industry best practices globally.

Unlock a Free Sample

Utilities Cybersecurity Report

Safeguard the digital transformation.

Analyst perspective

Digitalization is a double-edged sword. On one hand, it propels automation and enhances control in utilities, driving operational excellence and improving service reliability. On the other hand, it introduces greater risks of cyberattacks due to increasing interconnections across the IT, OT, and IIoT domains.

Security leaders within utilities face a dynamic and complex landscape. Protecting common IT systems and business applications remains important. For many, securing critical infrastructure through developing OT cybersecurity capabilities has become the top priority.

With the increasing adoption of IIoT technologies, utilities are struggling with the sheer volume of devices they now need to protect against sophisticated cyberattacks or breaches. Existing IT cybersecurity experts do not fully understand how OT operates or how to comply with industry-specific regulations and standards. Furthermore, many leaders find themselves reacting to the ever-evolving government policies and regulations.

Cybersecurity has become a prominent topic on the agenda at executive and board meetings. Most of the executive leaders and board members do not have deep knowledge of cybersecurity. To protect the organization from cyberattacks, security leaders are expected to bridge the gap between strategy development and tactical implementation.

Info-Tech's utility cybersecurity report provides an overview of the cybersecurity landscape that leaders are facing today. It offers key insights and practical recommendations based on industry best practices globally.

This is a picture of Jing Wu

JING WU
Principal Research Director,
Utilities Research
Info-Tech Research Group

Executive Summary

Your Challenge

Your organization is in urgent need of a cybersecurity strategy that can transform with future needs.

You are having difficulty in:

  • Gauging the overall risk of the integrated IT, OT, and IIoT cybersecurity ecosystem.
  • Developing a strategic plan to protect your organization's physical assets and brand.
  • Understanding the impact on people, processes, and technology.

Common Obstacles

Holistically managing a cybersecurity program among IT, OT, and IIoT systems, often with competing priorities.

Implementing effective cybersecurity strategies with limited funding and resources.

Uncertainties about how and where to start among the complex cybersecurity landscape and evolving regulations.

Reservations about addressing cybersecurity trends, determining how applicable they are to your organization, and what to prioritize.

Info-Tech's Approach

Provide an overview of the utility-specific cybersecurity landscape.

Identify the impact on people, process, and technology as a result of implementing cybersecurity programs.

Demonstrate how utilities are enhancing their cybersecurity capabilities.

Propose recommendations based on best practices from the industry.

Info-Tech Insight

Implementation of basic cybersecurity hygiene practices can effectively protect you against easy and low-effort attacks. Adoption of a risk-based approach to secure IT, OT, and IIoT is required to protect you from devastating consequences.

Integrate cybersecurity in digitalization plans

Digitalization creates new possibilities for utilities

Digitalization enables intelligent utility operations such as optimization of the electricity grid and effective management of natural gas distribution. Technology advancements create opportunities to improve customer services such as alerts about water consumption peaks for potential leakages.

New capabilities bring unique cybersecurity challenges

The cyber threat landscape has changed rapidly. The attack surfaces have enlarged for utilities due to OT connectivity expansion, IT-OT convergence, and growing adoption of cloud and IIoT technologies. Internally, utilities are struggling with antiquated OT systems, a shortage of cybersecurity talent, and a lack of knowledge of cybersecurity regulations. The increasing rate and sophistication of cyberattacks exacerbated the situation.

A comprehensive cybersecurity strategy is a top priority

IT systems have been protected for more than a decade. They have gone through many evolutions through numerous attacks and have reached a certain level of maturity. However, a steep learning curve is anticipated to develop the maturity level for the OT and IoT operating environment. The good news is that OT can fast track by leveraging lessons learned from IT cybersecurity evolution. The bad news is that OT has its unique situations that IT has not gone through. IT-OT collaboration and innovation are required.

560

common vulnerabilities and exposures are disclosed with 172 associated products for the first half of 2022. Energy is among the top five sectors affected by the pronounced vulnerabilities.

(Nozomi Networks, 2022)

45%

of organizations experienced attacks involving IoT/OT assets according to Ponemon Institute surveys conducted in 2018 and 2019 involving utilities.

(Industrial Cybersecurity Pulse, 2021)

217%

increase in 2021 over 2020 in data compromises in the United States in the Manufacturing and Utilities sector.

(ITRC, 2022)

Utility cyberattack risks are diverse

Utilities own and operate a collection of systems, assets, facilities, equipment, and devices that are interacting with the physical world and are interconnected via various communication networks. Beyond the traditional information security domain, a utility's cybersecurity program must have a broader scope to protect against a wide range of targets. Emerging technologies such as IIoT and the antiquated ICS environment create a dynamic landscape. The diverse cybersecurity risk levels and their consequences of cyberattacks add to the complexity. More utilities need to recognize the importance of cybersecurity risk, with only 56% of organizations claiming they use a risk-management approach to assess risks and protect high-risk areas (Siemens, 2020).

This is a list of icons for the various utilities, color coded using the following pattern: Blue - Electricity; Black - Natural Gas; Green - Water and Wastewater

Cyberattacks have significant consequences

Recent cyberattacks against nations' critical infrastructure are wakeup calls for utilities because the consequences of cyberattacks can be devastating. Based on risk assessment of the various attack surfaces, it is imperative for security leaders to weed through technical details and hyperfocus on the broader impact. When discussing cybersecurity impact with leadership and staff, leverage real-time stories besides metrics.

Business, Customer, and Societal Impact

This is an image of a mountain range, showing the technical implications of Personnel Safety, Public Health and Safety; Environmental and Reputation Damage; Financial Losses ; Customer Service Disruption; and Regulatory Noncompliance.

Cybersecurity is about culture, not about checking a box

Developing a cybersecurity culture in utilities takes extra effort. IT and OT teams should stay curious about each other's challenges.

Alex Tremblay, manager of cybersecurity at H2O Power company, shared a well-received practice called A day in a life. IT and OT teams spend the time on job shadowing and experiencing the reality firsthand, instead of just discussing the risks and documenting them.

Don't assume your counterpart does not understand how to manage risks. Build trust through appreciation and understanding.

Walk the extra mile to build the culture

"Cybersecurity is first and foremost about people. We can implement security controls in the systems, but it is the people that use them that are the maker- breaker."
– Ross Lettau,
Principal, Cyber Security, Jacobs

Info-Tech Resources:

Talent shortage is creating a risk

Staff shortage impacts daily operations and opens the utility to cybersecurity risk with three primary consequences related to:

  1. Systems Misconfigurations
  2. Lack of Time for Risk Assessment and Management
  3. Critical Systems Patching Delay

Global cybersecurity workforce supply

does not meet the demand.

65%

increase

of global workforce supply required to protect critical infrastructure effectively according to estimation done by (ISC)(2).

Total utility cybersecurity job openings from Oct. 2021 to Sept. 2022 in the US.

4,765

out of 769,736

across all sectors

Utilities offer less than 1% of opportunities in the highly desired job market.

(Data collected on Dec. 12, 2022, Cyberseek)

A world map is depicted, showing the average salary for North America, Europe, Latin America, and APAC.

Address the workforce gap

Invest in People

Organizations are focusing on staff development and retention as their top strategy to address the gap. The top five people-centered investments are listed below.

36%

Training investment

33%

Work flexibility

31%

Certifications

29%

DEI initiatives

28%

Hiring for potentials

[(ISC)2, 2021]

Info-Tech Resources:

Offer Multiple Career Pathways

Utility cybersecurity professionals traditionally start out their career in IT or OT engineering. New generations expect to transition to cybersecurity from either education or other related fields.

Leverage Technology

Implementing automation tools to replace manual tasks and highly repeatable processes as well as leveraging cloud services.

Share Resources

The non-competitive nature of the utility industry offers its unique advantage of sharing common cybersecurity personnel. Acquirement through consulting services on an as-needed basis could also be cost effective for smaller utilities.

IT/OT Cross Training

Utilities possess large protected surfaces on the OT space where cross training of the regulations and IT/OT security best practices are mandatory.

[(ISC)2, 2021; NARUC 2021; Fortinet, 2022]

Case Study

Western Power
Providing electric services to more than 2.3 million customers in Western Australia

INDUSTRY: State-Owned Electricity Utility

SOURCE: ICS Security Summit , 2018; Western Power, 2022; Business of InfoSec, 2022

Challenge

Western Power is faced with various challenges to secure its critical infrastructure to be compliant with evolving government regulations.

The convergence of IT and OT increased the interdependencies between traditionally isolated systems. It needed to find effective and efficient ways to secure the ICS to defend against cyberattacks.

Empower modern technologies to transform business operations while not being exposed to increased cybersecurity threats.

Solution

Western Power developed an information and communication technology cybersecurity framework that aligned with updated government regulations.

This new framework enhanced existing corporate security and cybersecurity strategy to create a dedicated operational and technology cybersecurity strategy.

Western Power prioritized investments in safety by highlighting the risks and emphasizing the ROI benefits such as reliability and increased uptime and security.

Results

Western Power has formed a cybersecurity operations team to deliver and improve coreand holistic operational capabilities.

An integrated information and communication technology cybersecurity standard was developed and updated to always align with evolving government regulations.

Western Power has also diversified its hiring strategy to counter the global cybersecurity talent shortages. On-going recruitments are focusing on prescriptive qualifications and experiences such as cybersecurity change management skill sets.

Holistic governance is a work in progress

Human-enabled processes are accountable for most of the misconfigurations such as incorrect permission, missing authentication, and weak passwords. A company-wide cybersecurity governance program can enforce policies and embed a cybersecurity mindset into your organization culture.

Major effort is required to raise the overall level of maturity across the utility industry.

56%

of organizations claim they are at level 3 (predictive behavior established) or level 4 (leverage orchestration and automation) of OT security maturity.

(Fortinet, 2022)

42%

of global utilities organizations reported readiness and response to cyberattacks as high.

(World Economic Forum, 2020)

13%

of organizations claim they have 100% visibility of OT activities according to more than 500 OT security professionals worldwide.

(Frontinet, 2022)

21%

of utilities never update their senior management on cybersecurity actions according to a 2022 UK Cyber Security Breaches Survey.

(Government of UK, 2022)

Increase oversight and transparency

Manage Visibility Wholistically

Globally organizations are making progress in reporting basic OT cybersecurity issues to executive leaders in the following areas. Data also shows that almost half of the organizations are not tracking and reporting OT security metrics.

52%

Security standard compliance

51%

Security assessments

50%

Industry regulation compliance

48%

Penetration test results

47%

Security comprises

(Fortinet, 2022)

Manage Cybersecurity Oversight

(HBR, 2022; Forbes, March 2022)

Address Business Concerns

One of the most effective ways to gain executive buy-in is to speak business language. Addressing cybersecurity issues should focus on business risk, reputation, and business continuity, not on technical discussions.

Create a Cybersecurity Culture

Leaders set the tone for a comprehensive IT/OT cybersecurity culture. Everyone is accountable for keeping the organization safe.

Analyze Gap per Industry

Each utility sector, including electricity, natural gas, water, and wastewater, faces unique challenges and regulations. Besides the overarching enterprise-wide analysis, utilities should use industry-specific frameworks to evaluate maturity and identify gaps.

Ensure Budget Aligns With Risk

No amount of investment can sufficiently protect the organization 100%. Based on the risk tolerances, utilities must allocate investment according to the risk analysis and where funding is most needed.

Case Study

Raleigh Water, North Carolina
Providing water and sanitary sewer services to a population of about 600,000 people in Raleigh and six other nearby areas

INDUSTRY: Public Water Utilities

SOURCE: Water World, 2019

Challenge

Like other utilities, Raleigh Water was concerned about external threats such as ransomware and internal security risks including human error whether it was intentional or unintentional.

Not having the visibility of the overall networks, devices, systems, and equipment was the biggest challenge.

In addition, keeping the IT components of OT environments always up to date required a mindset change given its short obsolete cycle compared to a much longer lifespan of OT components.

Solution

Several security initiatives were carried out. The effort was recognized and led Raleigh Water to win the 75th CSO50 Awards for security projects that demonstrated outstanding business value and thought leadership.

Leveraging automated tools, it started with collecting a detailed inventory of systems and protected surfaces. For example, tools can gather the versions of Windows that are running and the firmware levels on PLCs. Furthermore, the security team kept up with the ICS-CERT advisories and actively applied fixes to known vulnerabilities.

Results

Keep track of vendor/supplier security postures and understand the industry cybersecurity risks of third-party vendors.

Leverage free services to the water and wastewater industry provided by the Department of Homeland Security.

Implement continuous processes to improve security postures to handle the new threats.

Technology maturity requires development

The large volume of OT devices and multiple vendors increases complexity of cybersecurity operations

39%

of organizations worldwide report having between 1,001 to 10,000 OT devices in operation while 4% have more than 10,000 OT devices.

35%

of organizations worldwide report having five to ten different technology vendors for OT devices while 6% use nine or more vendors.

(Fortinet, 2022)

No one-size-fits-all technology solution in cybersecurity

There are an overwhelming number of cybersecurity tools and technology offerings in the marketplace.

37 different security features grouped by seven categories such as platforms, networks, users, devices, data, workloads, automation & orchestration, visibility & analytics, and managed security service providers offered by hundreds of vendors.

(The Demo Forum, n.d.; Cloud Security Alliance, 2019)

Diversity in technology offerings provides options for utilities

As the utility cybersecurity landscape continues evolving, the cybersecurity technology market will become a battle ground between various types of suppliers:

  • Multi-domain IT vendors such as Microsoft and Cisco
  • Multi-domain ICS vendors such as GE and Schneider Electric
  • OT cybersecurity specialists such as Nozomi Networks
  • Specialist technology vendors such as Aclara and Landis+ Gyr for IIoT as well as Xage Security and Radiflow for DER

Cost-effective technology adoption

Various security features in use

Organizations are approaching cybersecurity differently with no dominant solutions in use. A various list of features are used (see below) but no one single feature is used by more than half of the organizations according to the 2022 Fortinet Report.

40%

Remote access control

39%

Security orchestration, automation, and
response (SOAR)

35%

Internal network segmentation

32%

Network access control

31%

Advanced persistent threat
(sandbox, deception)

(Fortinet, 2022)

Unique OT challenges

Although there are common governance and control management practices applicable across digital domains (IT, OT, IoT), the reality is that there are unique challenges within the OT environment that require different approaches.

Vulnerability Scanning

Legacy embedded systems cannot be scanned, and false alarms can be equally devastating. Not all devices will be detected to the level of accuracy such as devices that are in peer-to-peer connection.

Patching

Not all assets in OT can be patched or upgraded. In some instances, source code is missing for an effective patch. Alternative compensating controls should be in place.

Endpoint Protection

Standardized security tools such as anti-virus cannot be easily applied to specifically designed devices without degradation of functional performance. Diversity in the device types increases complexities..

Encryption

Encryption of all ICS control traffic might not achieve effective protection due to its low requirement for confidentiality.

(SAN, n.d.)

Info-Tech Resources:

Case Study

Major natural gas distributor, North America

Providing gas services to millions of residential and commercial customers

INDUSTRY: Natural Gas Distributor

SOURCE: Automation, 2020

Challenge

This local gas distribution company with geographically widespread remote sites needed a secured and efficient way to grant access to the gate stations to replace its legacy paper-based recording practices.

Typical IT solutions such as multi-factor authentication (MFA) and virtual desk infrastructure (VDI) were too complicated and expensive to implement in the OT environment.

Solution

The organization decided to implement an OT-specific platform with the combination of enhanced MFA and encrypted browser- based display of the virtual desktop solution to secure its infrastructure at gate stations both physically and remotely.

In addition, it used a remote operations access management solution to record session log-ins and screen recording to monitor remote access activities.

Results

The integrated IT and OT secured access control systems allow utility workers to gain access to gate stations via browser-based multi-factor authentication using any mobile devices.

A cost-effective simple solution was implemented to allow centralized monitoring and control of remote sites.

Effective multi-factor authentication mechanism secured local access to reduce cyber risks.

Evolving utility cybersecurity regulations

Globally, government agencies take different approaches to cybersecurity laws and standards, and updates continue to be proposed and enforced worldwide. Utilities must comply with cybersecurity laws and regulations enacted by governments on a national or regional level. Regulations sometimes incorporate standards established by trusted organizations. Cybersecurity standards could be cross-industry frameworks such as ISA/IEC - 62433 or industry-specific best practices such as American Water Works Association (AWWA)'s Cybersecurity Guidance and Assessment Tool.

Laws enacted by government legislative authorities

This image shows the flow of regulations, from laws enacted by government legislative authorities, to adoption leading to standards/best practices.

Critical Infrastructure (CI):
Energy (Electricity, Gas), Water

Operating Essential Services (OES):
Electricity, Gas, Water

Critical Infrastructure (CI):
Electricity, Gas, Water, and Wastewater

  • North American Electric Reliability Corporation enforces the Critical Infrastructure Protection (CIP) standards (NERC CIP) for North American electricity infrastructure but only covers Bulk Electric System (BES).
  • U.S. Cybersecurity and Infrastructure Security Agency (CISA) will develop and implement regulations responding to 2022 CIRCIA to report covered cyber incidents and ransomware payments to CISA.
  • U.S. Nuclear Regulatory Commission (NRC) approved Cyber Security Plan for Nuclear Power Reactors (NEI 08-09) developed by industry in 2010.
  • The U.S. Environmental Protection Agency's (EPA) will soon introduce new cybersecurity requirements for water facilities as announced by White House in August 2022.

The European Union Agency for Cybersecurity (ENISA) implements and maps OES requirements to specific sectors; it helps member states to address common cybersecurity issues, support reporting process, and agree on common approaches and procedures.

The Cyber and Infrastructure Security Centre (CISC) of the Australian Department of Home Affairs monitors industry compliance with the Register of Critical Infrastructure Assets and Mandatory Cyber Incident Reporting.

("Cyber Incident…," CISA, 2022; NIST 2021; Water World, 2022; Australian Government Department of Home Affairs, 2022; Industrial Defender, 2021; ENISA, n.d.)

Adopting standards prior to compliance obligations

Well-constructed regulations can be tricky to establish as they need to strike a balance between cybersecurity compliance benefits versus the cost to the utility and customers. As dynamic as the utility cybersecurity technology landscape is, the regulations continue to be evolving as regulators respond to government legislation updates or reforms over time. There are often delays between laws and regulations for utilities to implement specific details.

Reputable and well-respected international or national organizations have developed many extensive utility relevant standards, frameworks, and guidelines covering many domains.

Internet of Things
(IoT)

  • NIST SP800-213, IoT Device Cybersecurity Guidance for the Federal Government
  • Cloud Security Alliance (CSA) IoT Security Controls Framework
  • EU Cybersecurity Market Analysis – IoT in Distribution Grid

Distributed Energy Resource (DER)

  • Institute of Electrical and Electronics Engineers (IEEE) Standard 1547-2018 for DER Grid Support
  • The U.S. Distributed Energy Resource Cybersecurity Framework (DERCF) developed by National Renewable Energy Laboratory (NREL)

Industry Control System
(ICS)

  • NIST SP 800-82, Guide to Industrial Control Systems Security
  • IEC/ISA 62443 Security for Industrial Automation and Control Systems Series
  • The Cybersecurity and Infrastructure Security Agency (CISA) created the Cybersecurity Best Practices for Industrial Control System

(IEEE, 2018; Cloud Security Alliance, 2019; NIST, Nov. 2021; ENISA 2022; NREL, n.d.; Mission Secure, n.d.)

Instead of reacting to the changing regulations, it is prudent for utilities to adopt well-vetted, internationally recognized standards. Cost-effectiveness is a key consideration for utilities when evaluating the level of cybersecurity governance and management controls to implement. Without proper planning, resources and budget will become a constraint when forced to implement large changes to the utilities that are less matured in its cybersecurity program.

Follow basic cybersecurity hygiene

Utilities should start and focus first on the basic cybersecurity hygiene while conducting a comprehensive risk assessment. The utility industry community has provided cost-effective baseline recommendations collectively across both IT and OT domains. In addition, certain anti-patterns are also established to advise what not to do by the Australian Energy Sector Cyber Security Framework (AESCSF).

Areas

Do's Don'ts
Security Culture and Awareness
  • General and job-specific security training programs are offered to all personnel including employees, contractors, and third-party users.
  • Maintain an up-to-date situational awareness of relevant threats
  • Cybersecurity capabilities are dependent on one or two key personnel.
Identify and Access Management
  • Apply restricted administrative privileges, and review privilege accounts regularly.
  • Multi-factor authentication should be used by all personnel to access an organization's internet-facing services.
  • No confirming of needs before granting use access to assets.
Data Security and Privacy
  • Programs established to ensure compliance with the minimum payment and personal data information requirements.
  • The function is unaware whether personal information is collected.
Configuration and Change Management
  • Changes to internet-facing assets are tested to identify potential cyber security vulnerabilities.
  • Authorization process established for making changes to facility.

Changes to internet-facing assets not tested to identify potential cybersecurity vulnerabilities.

InfoSec in Business Continuity Planning
  • Business impact assessment (BIA) can help ensure business-critical services are supported appropriately in the event of a disaster.

Critical business functions or services have not been identified.

Drive cybersecurity maturity holistically

It is crucial to perform an assessment to identify your organization's current state and future state of IT/OT cybersecurity maturity. Mapping out the initiatives strategically is essential to bridge the gaps, and this is a continuous and iterative process. Info-Tech has developed a strategy blueprint to help organizations develop business-aligned, risk-aware, and holistic security strategy. The comprehensive security framework is a best-of-breed based on several industrial standards that utilities can adopt to develop maturity levels across IT, OT, and IoT domains.

Info-Tech's best-of-breed security framework

This is an image of Info-Tech's best-of-breed security framework

Use this utility cybersecurity trends report as an input to different blueprints

Utility Cybersecurity Report

This can be used as a standalone report or as an input to digital strategy, IT strategy, reference architecture, and more.

Utilities BUSINESS Architecture

  • Capability Map
  • Key Capabilities
  • Prioritize Capability Gaps

Define your digital business strategy

  • Innovate the Business
  • Transform Processes
  • Build Customer-Centricity

Build a business-aligned IT Strategy

  • Current State
  • Strategic Initiative Plan
  • Foundational Elements

Future of UTILITIES TRENDS Report

  • Challenges
  • Key IT Element
  • Future Trends

Contributing Experts

Ross Lettau
Principal, Cyber Security,
Jacobs

Alaisdar Graham
Executive Counselor,
Info-Tech Research Group

Robert Dang
Principal Advisory Director,
Info-Tech Research Group

Ida Siahaan
Research Director,
Info-Tech Research Group

Bibliography

"15 Cybersecurity Fundamentals for Water and Wastewater Utilities." Water ISAC, n.d. Accessed December 2022.
"2021 Data Breach Report." Identify Theft Resource Center (ITRC), n.d. Accessed December 2022.
"2022 State of Operational Technology and Cybersecurity Report." Fortinet, 2022. Accessed December 2022.
"2022 Thales Data Threat Report Critical Infrastructure Edition." THALES, 2022. Accessed December 2022.
"A Comprehensive Guide to Operational Technology (OT) Cybersecurity." Mission Secure, n.d. Accessed December 2022.
"A Guide for Public Utility Commissions: Recruiting and Retaining a Cybersecurity Workforce." National Association of Regulatory Utility Commissioners (NARUC), February 2021. Accessed December 2022.
"A National Study of Infrastructure Risk"" Australian Government, October 2021. Accessed December 2022."
"A National Study of Infrastructure Risk." Australian Government Infrastructure Australia, October 2021. Accessed December 2022.
"A Resilient Cybersecurity Profession Charts the Path Forward (ISC)2 CYBERSECURITY WORKFORCE STUDY, 2021." (ISC)2, 2021. Accessed December 2022.
"ACSC Annual Cyber Threat Report, July 2021 to June 2022." Australia Cyber Security Centre (ACSC), 2022. Accessed December 2022.
"AESCSF framework and resources." AEMO, 2022. Accessed December 2022.
Anderson, Erin. "A Guide to NEI 08-09 Compliance for Nuclear Power Operators." Industrial Defender, April 2021. Accessed December 2022.
"Are utilities doing enough to protect themselves from cyberattack?" World Economic Forum, January 2020. Accessed December 2022.
Atkins, Betsy. "Cybersecurity and The Role of The Board." Forbes, March 2022. Accessed December 2022.
"Australian Energy Sector Cyber Security Framework." Australian Government Department of Climate Change, Energy, the Environment and Water. Accessed December 2022.
"Australia's cyber security strategy 2020." Australian Government, 2020. Accessed December 2022.
"Boards and cybersecurity." McKinsey & Company, February 2022. Accessed December 2022.
"Bridging The Cybersecurity Gap Of IT/OT Convergence" Forbes, May 2022. Accessed December 2022.
"Case Study: A Natural Gas Distributor Solves Local Access Challenges" Automation, November 2020, Accessed December 2022.
"Caught in the crosshairs: are utilities keeping up with their industrial cyber threat?" Siemens, 2020. Accessed December 2022.
"CISA Strategic Plan 2023-2025" CISA, 2022. Accessed December 2022.
"Conduct a Drinking Water or Wastewater Utility Risk Assessment." EPA, n.d. Accessed December 2022.
"CSA IoT Security Controls Framework." Cloud Security Alliance, March 2019. Accessed December 2022.
"Cyber Incident Reporting For Critical Infrastructure Act of 2022 (CIRCIA)." CISA, 2022. Accessed December 2022.
"Cyber Readiness Report 2022." Hiscox via Statista, 2021. Accessed December 2022.
"Cyber security as a percentage of IT spend among U.S. and European companies from 2020 to 2022, by country." Hiscox via Statista, May 2022. Accessed December 2022.
"Cyber Security Breaches Survey 2022." Government of the United Kingdom, July 2022. Accessed December 2022.
"Cyber Security Breaches Survey 2022." Government of UK, July 2022. Accessed December 2022.
"Cyber security for water utilities." Water Canada, n.d. Accessed December 2022.
"Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid." U.S. Department of Energy (DOE), October 2022. Accessed December 2022.
"Cybersecurity Reference Architecture: Security for a Hybrid Enterprise." Microsoft, June 2018. Accessed December 2022.
"Cybersecurity Supply/Demand Heat Map." Cyberseek, 2022. Accessed December 2022.
"Cybersecurity, IT/OT" Industrial Cybersecurity Pulse, June 2021. Accessed December 2022.
"Cybersecurity, IT/OT." Honeywell Forge, n.d. Accessed December 2022.
"Demystifying Australia's Recent Security of Critical Infrastructure Act Reforms." Herbert Smith Freehills, October 2022. Accessed December 2022.
"Demystifying Cybersecurity for Water Utilities." Water World, November 2022. Accessed December 2022.
"Distributed Energy Resource Cybersecurity Framework." The National Renewable Energy Laboratory (NREL), n.d. Accessed December 2022.
"Energy and utilities 2022 cyber outlook: It's everyone's priority." PWC, 2022. Accessed December 2022.
"EPA to introduce new cybersecurity requirements." WaterWorld, 2022. Accessed December 2022.
"EPA to introduce new cybersecurity requirements." WaterWorld, August 2022. Accessed December 2022.
"Essential Eight." Australia Cyber Security Centre (ACSC), 2022. Accessed December 2022.
"EU Cybersecurity Market Analysis IoT in Distribution Grids." ENISA, April 2022. Accessed December 2022.
"EXECUTIVE ORDER 14028, IMPROVING THE NATION'S CYBERSECURITY." NIST, 2021. Accessed December 2022.
"Have the breaches or attacks experienced in the last 12 months impacted your organization in any of the following ways, or not?" GOV.UK via Statista, 2022. Accessed December 2022.
"IEEE Standard for Interconnection and Interoperability of Distributed Energy Resources with Associated Electric Power Systems Interfaces." IEEE, 2018. Accessed December 2022.
"Improving Security Posture Post-Pandemic." Water World, n.d. Accessed December 2022.
"Information and Communication Technology Cyber Security Standard." Western Power, 2022. Accessed December 2022."
"IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements." National Information Technology Laboratory (NIST), November 2021. Accessed December 2022.
"IoT Statistics and Trends to Know in 2022." Leftronic, July 2021. Accessed December 2022.
"It's Time to Make the IT/OT Merger Finally Happen." EE Times, December 2020. Accessed December 2022.
"MITRE ATT&CK, n.d. Accessed December 2022.
"NIS Directive." European Union Agency for Cybersecurity (ENISA), n.d. Accessed December 2022.
"NIS Directive: Who Are the Operators of Essential Services (OES)?" Tripwire, January 2020. Accessed December 2022.
"NIST SP 1800-1800-32C: Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity." NIST, n.d. Accessed December 2022.
"OT/IoT Security Report Cyber War Insights, Threats and Trends, Recommendations." Nozomi Networks, August 2022. Accessed December 2022."
Pearlson, Keri, and Nelson Novaes Neto. "7 Pressing Cybersecurity Questions Boards Need to Ask." HBR, March 2022. Accessed December 2022.
"Policy vs Standard vs Control vs Procedure." ComplianceForge, n.d. Accessed December 2022.
Resilient Energy. Accessed December 2022.
"Security Legislation Amendment (Critical Infrastructure Protection) Act 2022." Australian Government Department of Home Affairs, August 2022. Accessed December 2022.
"The Differences Between ICS/OT and IT Security." SAN, n.d. Accessed December 2022.
"Unfiltered: An Insider's View of Water Security." Water World, June 2019. Accessed December 2022.
"Water sector cybersecurity - Risk Management Guidance for small systems." American Water Works Association (AWWA), 2019. Accessed December 2022.
"Water sector cybersecurity risk management guidance." American Water Works Association (AWWA), 2019. Accessed December 2022.
"Water utilities: Six focus areas to help build cyber resilience." EY, n.d. Accessed December 2022.
"Western Power Integrating a 21st century cyber security framework for effective asset operation and maintenance." ICS Security Summit 2018. Accessed December 2022.
"Western Power's Head of Cyber Security Talks Critical Infrastructure, Renewables Shift." Business of InfoSec, November 2022. Accessed December 2022.
"Zero Trust Market Map." The Demo Forum, n.d. Accessed December 2022.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Unlock Sample Research

Author

Jing Wu

Contributors

  • Ross Lettau, Principal, Cyber Security, JACOBS
  • Robert Dang, Principal Advisory Director, Info-Tech Research Group
  • Ida Siahaan, Research Director, Info-Tech Research Group
  • Alaisdar Graham, Executive Counselor, Info-Tech Research Group
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019