From threats to anti-fragility

How you can embed resilience across an organization

Power systems today face the risk from an array of threats such as natural disasters, technological threats, human-induced events and, most recently, health emergencies. These threats pose significant risks to the reliability, safety, and resilience of power utilities, potentially leading to widespread blackouts, economic disruptions, and compromised public safety. Worldwide, the average cost of a data breach hit a new record high in 2022, costing US$4.72 million in the energy sector.^[1] Fortunately, there are ways in which chief information security officers at power and utilities can develop greater resilience both for the organization and everyone who depends on them. And while threats have arguably become more numerous and sophisticated, so too have the strategies to tackle them. KPMG professionals have identified some of the most rapidly increasing — and harmful — threats to utilities and developed a practical framework for helping to prepare for, combat and overcome them.

Source: IEA. ‘Cybersecurity – is the power system lagging behind?’. 2023

Climate-related natural events

Power systems have always been threatened by natural events, including earthquakes and extreme weather, but in many parts of the world climate change is increasing the frequency and severity of storms and floods. In the US, the share of extreme weather events causing large scale outages (affecting at least50,000 customers) over the past two decades has been on average90 percent, with at least 75 percent across the period and all (or almost all) of the events in certain years.^[2] To help better deal with future storms, local utilities can set up emergency restoration systems, 24-hour control rooms, real-time monitoring of faults and response teams at critical sub-stations.

Utilities can better anticipate and mitigate the impacts of climate-induced disasters on grid infrastructure and service delivery by enhancing organizational readiness and strategic planning, two of the key attributes of resilient organizations.

Plugged In

Harnessing technology to power the future

Download magazine (2.35 MB) ⤓

Download exec summary (360 KB) ⤓

The rise of technology threats

People with harmful intentions and criminal groups have continually posed risks to physical assets and business processes. In December2015, a cyberattack on power companies in Ukraine affected more than 200,000 customers in the west of the country for severalhours.^[3] In response, the companies identified security lapses in both IT and supervisory control and data acquisition systems (SCADA)equipment control systems as well as how staff responded. It led them to improve scanning for malware and introduce cybersecurity training for staff.

Energy utilities in many countries have worked to secure their own digital infrastructure over recent years, but are increasingly (if inadvertently) threatened by the large adoption of digital appliances by their customers. This is partly because of increased demand from those adopting electric vehicles, home generation and battery storage systems, with the last sometimes supplying grids as well as drawing power from them. These developments can increase customers‘ autonomy but also create new risks as many of these appliances and others are now connected to data networks, which can massively increase the potential for cyberattacks.

An attack that forces thousands for charging electric vehicles in a city to cycle simultaneously between drawing and, in some cases, even returning power would likely cause massive and unexpected spikes on the local grid, with similar attacks possible on smart home appliances. Utilities can educate technology manufacturers and lobby for increased cybersecurity of electric vehicles and other networked appliances, including promoting compliance with governmental cybersecurity directives, as well as considering their resilience to such attacks.

Such threats can be mitigated through robust technological investments and cybersecurity measures, as well as training and support for both workforce and customers. These measures can help strengthen utilities ‘defenses against cyberattacks while safeguarding critical systems and customer data. Stakeholders could also consider regulation that creates an ecosystem of shared accountability, where organizations together are responsible for the security of the whole and of individuals.

Why operations teams should own their technology

When operational technology (OT), used to manage industrial processes in sectors including utilities, went digital, IT services typically took over the management of several of these tools and provided cybersecurity. In some cases, no one took over the management, as often it was left unclear who was ultimately responsible. However, as digitalization has expanded, there is now a strong case for keeping OT, including both IT used for OT and dedicated OT hardware, and corporate IT separate and for operations teams to take clear ownership and action on OT. Corporate IT can be defined as anything that is needed to run a company, but it has nothing to do with direct operations like generating or transporting power or manufacturing products. Creating this shift of systems should prevent an ever-increasing set of unnecessary and uncontrollable connections between operations and corporate IT which can help strengthen security, improve accountability and reduce complexity.

Take, for example, a warehouse that relies on barcodes and scanners to manage stock movements. As digital tools, these are generally managed by IT. However, when they fail, the impact falls on operations. Several of the latest supply chain incidents involved companies that were able to produce but not ship products due to issues in IT. Some chief information security officers (CISOs) are reluctant to relinquish control of such OT to chief operating officers (COOs), but given that COOs are answerable for operations, it would make sense for CISOs and IT administrators to provide support rather than demand ownership while cooperating to keep everyone informed and aligned.

How grids can be destabilized by decarbonization

The decarbonization of power generation tends to make power grids less resilient by replacing small numbers of highly controllable fossil fuel plants with large numbers of renewable units with variable and often unpredictable output. Increasing reliance of renewables makes it harder to match supply and demand, particularly at peak demand times in early evenings when solar output is generally low or at zero. Utilities can tackle this by investing in balancing infrastructure, such as pumped hydroelectric plants and batteries, as well as embracing real-time markets that charge more at peak times, encouraging consumers to shift demand to other times.

Other existing threats are being intensified as societies increasingly rely on electricity and digitize physical processes, making a working grid ever more important. According to IEA estimates, technical malfunctions and equipment failures within the power grid alone led to power outages resulting in a worldwide economic loss of no less thanUS$100 billion in 2021.^[4] The primary economic impacts of these outages stem from decreased productivity in businesses due to interruptions, disruptions in the supply chain and potential damage to equipment.

Utilities can use improved strategic planning and technological innovation to adapt to the challenges posed by the transition to renewable energy sources, helping to ensure grid stability and reliability.

Part of society: from COVID-19 to perception

Power and utilities should be ready to cope with society-wide emergencies. The COVID-19 pandemic did not threaten power supplies but caused utilities a wide range of problems, including lower revenues from less consumption, deferred payments and difficulties collecting money. In the US, utilities gained access to short-term debt financing. In India, some offered rebates for consumers to provide their own meter readings, given staff could not do this.

Finally, power and utilities should engage with threats of perception. Moving to net zero will require vast spending, but customers, regulators and policy makers tend to resist higher charges that will pay for this. In some cases, governments ask utilities to comply with conflicting agendas, such as decarbonizing operations while continuing to provide security of supply that is only possible through use of carbon-emitting fuels.

Utilities can weather economic downturns and external crises, as well as maintain service continuity and support communities in times of need by fostering financial resilience and organizational readiness.

A framework for resilience and anti-fragility

To face this range of threats, power and utilities can leverage the following framework to help increase resilience and ultimately move to anti-fragility, with proactive resilience embedded across the organization. The framework includes immediate actions and considerations across five areas: organizational, technological, financial, planning, and workforce and customer.

Key attributes of a resilient organization

While improving technology, financial mechanisms and planning are all important, developing a resilient organizational culture can underpin such work. This means having strong and swift governance processes that allow companies to make good decisions quickly. It also means developing employees’ competency and confidence in an industry where staff tend to take a thoughtful approach and stay for many years, meaning that change management should be carried out with care.

In our view, culturally resilient utility is better prepared to take opportunities when they arise, even if this involves reversing existing strategies. One nuclear plant operator has pivoted from managing decline to taking advantage of its country’s new commitment to nuclear power through planning to build commercial small modular reactors.

At present, many utilities react to crises when they happen, rather than embedding resilience into everyday work and the organization’s culture. Taking the second approach can help develop anti-fragility, the ability to learn from and be strengthened by setbacks, allowing utilities to deal more confidently with day-to-day challenges as well as occasional disasters.

How this connects with what we do

KPMG professionals can support increased resilience by identifying gaps between what utilities have in place and what they would ideally need, then developing a plan to help fill these gaps, whether they involve building new facilities, strengthening existing ones or introducing new technology. KPMG firms combine experience in risk and technology, including cybersecurity, large computing systems and operational technology, with strong experience in supporting utilities to become resilient and future-proof. KPMG firms also offer a KPMG Cyber Risk Insights Platform, a service that puts a price on cybersecurity risks and solutions. KPMG professionals can also provide training, awareness and monitoring, as well as incident response services when required.