In late 2017, West Monroe Partners surveyed utilities to understand the challenges they face as they modernize their grids in an increasingly competitive environment and amid rapid technological change.
With it, your utility increasingly will integrate legacy operational technology (OT) and modern information technology (IT) systems. According to our recent research, many utilities’ IT and operational teams now use the same asset management (66%), knowledge management (61%), and ticketing (59%) systems.
As you navigate this convergence, one of your biggest concerns is likely the evolving threats posed by legacy OT systems that were never designed for internet connectivity and cybersecurity in the first place. You are not alone. In our survey, nearly two thirds of utility executives surveyed said that half or more of their environment still comprises legacy serial versus packet-based technology. Far and away, cybersecurity of OT systems and devices is their top concern about managing converged IT and OT systems
You may also be concerned about having adequate cybersecurity skills. In our survey, executives cited cybersecurity/ NERC-CIP skills/certifications as those most lacking in their workforce. Smaller utilities with stretched IT staffs are particularly concerned about this skill gap, as are corporate executives (versus their operating company counterparts) and C-level executives (versus those in managerial roles). While IT/OT convergence poses particular issues for utilities, cybersecurity is now a board-level conversation in all industries due to the visible impact on corporate reputation and financial performance.
We know it won’t be easy to alleviate these concerns as IT/OT convergence accelerates. Expect to work hard to find and/or develop people with the right aptitude for cybersecurity in your industry. Because demand for people with cybersecurity skills far exceeds current supply, the price tag has increased significantly. For some utilities, the cost of cybersecurity talent could approach executive compensation levels. You may need to consider new investments in training, especially in IT disciplines that haven’t always been a training priority. Outsourcing may also be an option – but understand that this market is competing with everyone else for the same scarce resources.
There are some other ways to begin closing the cybersecurity gap. For example, as you build out your network operations center (NOC) to manage increasingly modern infrastructure, make sure a well-integrated security operations center (SOC) is part of that effort.
Consider ways to improve communication as a means of facilitating the right actions and investments. By nature, boards and executive teams are concerned by what they can’t see or don’t understand. Are they asking the right questions? How can your IT and operational teams do a better job of presenting information and risks in business terms?
Finally, and perhaps most significantly, cybersecurity will challenge you to change traditional investment cycles. The idea that capital investments in operational technology will last 30 years is simply not feasible in a connected world – but the concept of spending regularly to update technology is a hard pill to swallow when regulation won’t allow you to recover such costs from the marketplace.
In short, this isn’t an easy fix. But with targeted action, you can start to close the cybersecurity gap – and address the growing concerns within your organization.
To read the full survey report or to learn more about the cybersecurity implications of converging IT/OT systems, please contact us.