Published May 11, 2023
Nicole Shen, New York, nicole.shen@spglobal.com
Electric utilities remain attractive targets for malicious actors seeking to access proprietary customer data, cause economic and social disruption, or achieve financial gain.
Although we view a utility's compliance with the North American Electric Reliability Corp.'s cyber standards as providing a high degree of protection, we nevertheless believe management teams must continually update practices to address evolving risks.
To date, cyberattacks and physical attacks have not led to any rating actions in the power utility sector, partly due to utilities' sound risk management practices.
We believe a successful attack would harm a utility's finances and reputation, which could adversely pressure ratings.
Given the critical infrastructure it oversees, the power utility sector (including investor-owned utilities (IOUs), municipally owned utilities, rural electric cooperatives, and merchant generators) faces a high probability of cyberattacks (see chart 1). A successful cyber or physical attack can cause blackouts and other operational fallout that triggers wide-ranging economic and social ripple effects.
While a successful attack against a U.S. electric utility has not prompted us to take a rating action to date, we view the threat landscape as constantly evolving. Recent events, including an extreme uptick in physical attacks on electric substations and hybrid cyber-kinetic attacks on Ukraine's power grid amid the Russia-Ukraine conflict, underline the sector's heightened vulnerabilities in both the cyber and physical dimensions. Compounding this risk is increased digitalization and system decentralization that inherently enables hackers to exploit potential weaknesses. In the midst of rapid digital transformation, electric utilities face an ever-narrower window in which to effectively prepare for, and respond to, increasingly complex threats. S&P Global Ratings believes that having comprehensive cyber and physical preparedness practices that support continual improvement can help power utilities minimize their credit vulnerabilities.
Facing a constant array of threats, many issuers have achieved substantial progress in their cyber defenses to swiftly respond to ever-changing tactics from bad actors. One telling sign is increased investment: In 2022, the average information security budget across all sectors increased by 26% (for more information, see "Cyber Trends and Credit Risks," published Oct. 25, 2022, on RatingsDirect). Nevertheless, a handful of headline-grabbing events highlight the extent to which the power utility sector is exposed to high-impact cyber and physical risks (see table 1).
The power utility sector has long been subject to federal standards and guidelines, providing it with baseline security protection against bad actors. A notable one is the mandatory and enforceable Critical Infrastructure Protection (CIP) reliability standards, developed by the North American Electric Reliability Corporation (NERC), with a focus on the Bulk Electric System (BES). S&P Global Ratings typically assesses how an issuer prepares for cyberattacks and how it plans both its response to and recovery from a successful attack. Viewing CIP standards through this lens, S&P Global Ratings believes they give utilities a baseline for managing risk exposure in terms of asset identification, information monitoring, and incident response. The chart below illustrates selected highlights from the extensive requirements that we view as supportive of effective prevention, response, and recovery.
Table 1

Threat: Sovereign-backed risks
Nature of the risk: Cyber risks could escalate in the face of geopolitical instability, as evidenced by the Russia-Ukraine conflict, where cyberattacks can precede or accompany military actions. The 'NotPetya' attack in 2017 targeting Ukrainian institutions, including the central bank and the Chernobyl nuclear plant, caused weeks of disruptions for about 7,000 companies across 65 countries at an estimated cost of $10 billion, highlighting knock-on effects for the region and beyond. S&P Global Ratings believes sovereign-linked cyberattacks, along with disrupting society, could lead to massive monetary loss or collateral financial damage if they cause systemic events across sectors and geographies, potentially triggering widespread rating actions.
Related research: "How Worried Should We Be About Cyber Attacks On Ukraine?" Feb. 22, 2022

Threat: Third-party risks and negative spillover
Nature of the risk: Although S&P Global Ratings believes outsourcing and procurement of third-party managed services will continue to offer substantial cost-saving benefits and improve efficiency, they can also introduce new vulnerabilities to cyberattacks if risks are not properly mitigated. This trend highlights growing concerns over shared risks, whether from third-party vendors or a government ecosystem that a utility interacts with, and the negative externalities caused by these risks. Many high-profile attacks stem from third-party vulnerabilities, including the ransomware attack on Colonial Pipeline in 2021.
Related research: "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?" Oct. 25, 2021

Threat: Physical attacks
Nature of the risk: A series of physical attacks on electric substations that took place in multiple states, some of which left many residents without power during freezing weather, renewed concerns over the security of power utilities' physical assets. This trend, which will likely continue, adds an extra layer of complexity to the evolving cyberthreats, amplifying potential credit vulnerabilities. Further compounding this are extended lead times for substation transformers in the U.S. as a result of global supply chain challenges, which could delay an issuer's response and recovery following a physical attack.

Threat: Financially motivated cyberattacks
Nature of the risk: Cyberattacks prompted by monetary gain have been prevalent in the public utility sector, in part due to the relatively high quantity and sensitivity of the data it holds and the essential services it provides. Such attacks tend to manifest as ransomware attacks, whereby money is extorted in return for the release of encrypted data or for the lifting of an impediment to operations, and could create financial losses and contingent liabilities that pressure credit quality. We believe increasingly sophisticated attacks and growing digitalization will likely expose issuers to a higher likelihood of losses, underscoring the need for issuers to enhance strategy and spending around cybersecurity.
Related research: "How Cyber Risk Affects Credit Analysis For Global Corporate Issuers," Mar. 30, 2022
U.S. entities that generate and deliver electricity through high-voltage transmission lines are considered BES stakeholders and thus are subject to compliance oversight (including compliance audits and spot checks) conducted by six regional entities on behalf of NERC. Distribution utilities, typically serving smaller loads, are outside the CIP scope. However, many of these smaller utilities have voluntarily aligned their cyber defense practices with CIP standards and engage in information sharing through nationwide platforms established by leading industry associations, all of which we view positively.
We also believe that NERC plays an important role in guiding utilities to level the playing field through its continuous reviews and updates of standards, as highlighted by its enhanced requirements for vendor-related remote access control (effective October 2022) to address supply chain risks, as well as ongoing studies of physical security standards pertaining to all BES transmission stations, substations, and primary control centers.
Within our criteria, we typically factor in cyber and physical risk management as part of our overall assessment of management (see below). Other assessments related to market position and financial metrics could become relevant, particularly following a successful attack. We view alignment with CIP standards as a way to inform our analysis of an issuer's commitment to cyber defense and implementation of risk mitigation practices. Nevertheless, our analysis of an issuer's cyber risk exposure generally considers the function, size, and scope of its operations and focuses on its overarching cybersecurity strategy pertaining to preparedness, response, and recovery. Although rare, if an issuer lacks an understanding of its asset vulnerabilities or does not have a plan to monitor cyber and physical security systems, we may consider its preparedness insufficient to detect or recover from potential security incidents that could result in system shutdowns or monetary losses. This could weaken our view of the issuer's overall management, possibly leading to a lower rating than its similarly positioned peers.
Utilities face roadblocks on the path to meeting evolving industry standards, providing opportunities for systems to be exploited. One main challenge in the industry is that many of its IT systems are antiquated. Many supervisory control and data acquisition (SCADA) systems, critical digital infrastructure that U.S. utilities have relied on since the 1970s, are aging and may lack the capability to keep up with updated compliance standards. The consequences of lagging network upgrades and missing security applications could be far-reaching, as seen in examples of SCADA breaches among water and sewer utilities that involved attempts to poison the water supply and facility shutdowns (see "Cyber Risk In A New Era: U.S. Utilities Are Cyber Targets And Need To Plan Accordingly," published Nov. 3, 2021).
Even if a utility checks all the boxes when it comes to compliance standards, maintaining effective cybersecurity measures requires ongoing vigilance. Management must constantly coordinate and monitor cyber defense efforts, and employees must stay highly vigilant and aware of their roles and responsibilities to understand, detect, and minimize risks. Among S&P Global Ratings' rated power utilities across ownership classes, data breaches accounted for the majority of cyberattacks in 2018-2022, as compared with ransomware, denial-of-service, and other attack types, as per Guidewire (see chart 4).
According to the 2022 Verizon Data Breach Investigations Report, 82% of cybersecurity breaches are attributable to the human element (such as errors, misuse, stolen credentials, and phishing), which can be prevented. This suggests that without a constant, long-term effort to train staff and improve user behavior, every facet of human interaction with physical and digital assets can open the cyber door for criminals to compromise systems. Conversely, if an issuer maintains a cyber-aware workplace culture and conducts regular, comprehensive staff training programs, we view this as supportive of mitigating human susceptibility and enhancing the baseline protection provided by compliance standards.
After a successful attack, S&P Global Ratings would assess its magnitude based on the type and scale of the damage done and how it affects various aspects of an issuer's credit quality (see table 2). We view the immediate damage primarily as financial: attacks that disable billing systems and disrupt revenue streams, together with ransomware payments, regulatory fines, and the cost of restoring operations, result in meaningful, and sometimes compounding, monetary losses that pressure an entity's margins and liquidity. Given this context, we view an issuer's liquidity and cyber insurance levels as important credit factors that can provide short-term financial buffers following a disruption in cash flows and mitigate the likelihood of adverse financial effects. However, we note that cyber insurance premiums continue to rise due to the increased frequency and severity of cyberattacks and greater systemic vulnerabilities (see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," published July 26, 2022).
Another notable post-attack risk is reputational damage, which can create equally challenging and potentially long-term pressures. Customers and third parties could lose confidence in the reliability of critical services or their administrative leadership, adversely affecting a utility's market standing, pricing power, demand growth, and member stability.
Management: A cyber or physical attack can raise questions about deficiencies in day-to-day defense strategies, effectiveness of incident response plans, overall comprehensiveness of risk management, and other governance factors, which could lead to a lower management assessment.
Financial metrics: Factors including ransomware payments, litigation, customer attrition, and system restoration costs could constrain liquidity, generate thinner margins, and increase leverage.
Market position: Rate competitiveness could weaken if utilities increase electric rates to pass through financial losses stemming from a cyber incident to ratepayers. A successful attack can also cause significant reputational damage to utilities facing direct market competition for customers, negatively influencing their market standing.
The evolving threat landscape indicates that cyber and physical risks have moved beyond a siloed, local risk to a near-ubiquitous priority that must be addressed on a regional or national level. As malicious actors continue to ramp up targeted attacks against utilities, we believe it is a matter of when, not if, an entity will be attacked.
We generally assess whether utilities have proactively integrated cyber and physical risk management into a wider risk management framework, monitor federal regulatory developments, and evaluate the level of credit protection those developments provide to issuers.
At the same time, we expect well-prepared issuers to continually improve their risk mitigation strategies to keep up with the sector's rapid digitalization and stay ahead of malicious attacks.
This report does not constitute a rating action.