Nearly 3 in 10 utilities have ‘weak’ cybersecurity: report


Nearly 38% of 445 utility companies globally had weak cybersecurity management programs as recently as 2022, according to new research by Morningstar Sustainalytics.

The figure did improve to nearly 27% in 2023, but Sustainalytics said it believes cybersecurity has become a major concern for utility companies, according to the report, The Downside of Digital Transformation for Utilities: Data Privacy and Cybersecurity Risks.

“The growing adoption of digital technologies by utilities, while leading to significant customer benefits, unfortunately can expose the industry to cyberattacks affecting both physical and digital infrastructure,” said Ratih Pujiastuti, ESG Senior Research Analyst, Utilities, Morningstar Sustainalytics. “Such cybersecurity attacks, if successful, can disrupt a company’s operations and impact customer trust. These are material and growing ESG risks and how a company addresses them can make a major difference for investors.”

Strength of cybersecurity management programs in the utilities sector, 2022 vs. 2023 (Credit: Morningstar Sustainalytics)

Though utilities in Europe show varying levels of cybersecurity management, the region has the highest percentage of companies with “very strong” management programs (26%), while utilities in North America generally have adequate management of the issue (46%), the report said. Utilities in the rest of the world also have varying levels of cybersecurity management, and the highest percentage (27%) of utilities with no cybersecurity program are located outside North America and Europe.

Among the recorded incidents affecting the companies tracked by Morningstar Sustainalytics to date, the majority of data privacy and cybersecurity incidents in the utilities sector involved breaches that compromised thousands of customers’ personal information. Some incidents were related to regulatory non-compliance, such as violations of the EU’s General Data Protection Regulation (GDPR). Enel was fined a total of EUR 85 million in Feb. 2024 by authorities in Spain and Italy over allegations of multiple violations of the GDPR.

Cyberattacks have also caused service disruptions. For example, Luma Energy, a grid operator in charge of modernizing the power infrastructure in Puerto Rico, suffered a cyberattack in 2021 that blocked users from accessing their customer portal accounts during outages. Similarly, Colombian utility Empresas Públicas de Medellín experienced a cyberattack in 2022 that caused disruptions to its office operations as well as to customers’ meter and bill payments. Hydro-Quebec, a major grid operator in Canada, suffered an attack in 2023 that caused its app and website for verifying outages to go offline.

Data breaches are on the rise worldwide, and the energy sector is among the top five industries targeted most often for hacking and ransomware attacks. The recent uptick in security-related incidents targeting U.S. electrical substations and utilities has set off alarm bells. With a 71% increase in incidents over the past year, experts predict that this worrying trajectory will continue beyond 2024. 
