Key Takeaways
- S&P Global Ratings evaluates cyber security risks at U.S. utilities in our Operational and Management Assessment and as a component of environmental, social, and governance risks.
- Given that water and sewer services are critical to health and safety as well as the economy, the sector is particularly attractive to bad actors and cyber attacks could be devastating if not properly managed.
- Many U.S. utilities have historically prioritized the maintenance of their physical assets over their data-related systems, but the allocation of resources will need to be rebalanced to fully mitigate cyber risk.
- Failure to implement the most basic standards of cyber security indicates potential credit vulnerabilities, which can result in a lower rating given that a cyber incident can cause financial, legal, and reputational risk and even result in loss of life.
Cyber attacks on utilities have increased substantially year-over-year and while most U.S. attacks have been domestic in origin, globally, utilities have been the target of nation states or rogue actors seeking to disrupt operations. In particular, there were several reported breaches of informational (IT) and operational technology (OT) assets, in 2020 and 2021, resulting in data and financial loss and compromised assets, through phishing and other techniques.
Along with a presidential executive order and Justice Department memo from earlier in the year, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Environmental Protection Agency, and the National Security Agency recently released a joint cyber security advisory related to ongoing cyber security threats to the water and wastewater sector. The joint advisory included recommendations for how to manage cyber threats to protect safety and reliability. Given that U.S. utilities not only provide an essential service to millions of people but also provide water for fire suppression, national defense, health care, ecosystem support, and critical infrastructure, they continue to be attractive targets for cyber criminals. The advisory did not suggest the industry was an outsized target; rather, that the water and sewer sector should increase its mitigation measures and resourcing given the risk profile.
Our Operational And Management Assessment Considers Risk Management
In the U.S. Public Finance group at S&P Global Ratings, we evaluate cyber security preparedness at water and sewer utilities through the Organizational Effectiveness subcategory within our Operational and Management Assessment (OMA). Where we view a utility operator as lacking sufficient risk management policies and practices, it can weaken our view of the issuer's OMA, often resulting in a lower rating than otherwise comparable peers with stronger policies. As cyber attacks increase in sophistication and frequency, we believe U.S. public finance issuers must embed cyber security into their comprehensive risk-mitigation strategies. Along with the OMA assessment, we also consider risk management and mitigation a governance factor under environmental, social, and governance (ESG) as discussed in "ESG Brief: Cyber Risk Management In U.S. Public Finance", published June 28, 2021, on RatingsDirect.
The risks are not just financial
Cyber attacks can cause reputational, regulatory, and financial risks if information breaches occur. These events may also influence a utility's relationship with the customer base, weakening management's rate-setting flexibility. In addition to our evaluation of IT exposures and general cyber hygiene, utilities have a number of potential OT vulnerabilities related to supervisory control and data acquisition (SCADA) systems among other physical asset considerations.
SCADA or industrial control systems are critical to most U.S. utility systems and have been in use since the 1970s. SCADA systems collect, analyze, and visualize data from industrial equipment. Systems are designed to promote efficiency and transparency, which supports operations. From a credit perspective, we view these capabilities as supporting an issuer's operational management. However, if not managed appropriately, these systems can open the door to potential cyber intrusions. This is especially acute when systems are online. Many SCADA systems are aging and lacking in cyber security protections. While systems that are closed or "air-gapped" are less exposed, they are not immune from exposure. Even relatively secure systems can be accessed by laptops and USB drives. Third-party vendors can significantly increase this risk with backdoor access requirements, as further detailed in the report "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance," published Oct. 25, 2021. Several operationally based attacks have stemmed from SCADA vulnerabilities, many of which include ransomware introduced through SCADA or through the network to SCADA. There have been recent examples of OT cyber attacks that involve poisoning the water, shutting down cleaning and disinfection capabilities, changing chemical levels in the supply and shutting down critical operations.
What We Are Watching
Our approach to understanding OT exposure focuses on the tenets of "prepare, respond, recover," which includes understanding the degree of access controls that are in place, system redundancies, and monitoring processes. Monitoring systems support early detection which is one of the most important strategies to reduce the potential impact of an attack. There have been SCADA breaches that have not been uncovered for weeks, which can result in exponentially worse outcomes. If an operational asset is impaired or if an integrated system is shut down (intentionally or by a cyber intrusion), it is important to understand the response and recovery plans, including whether assets can continue to function off network and independently and whether safeguards, such as physical safety systems are in place to respond to a "worst case" scenario.
Issuer disclosure is critically important to determine not only the potential risks but also the mitigation measures. These could include incorporating drafting response plans for a potential cyber security attack and ensuring those plans are updated and tested through walkthroughs as well as tabletop, functional, or full-scale exercises.
Chart 1
Cyber Preparedness Is An Important Credit Consideration
While there isn't a single standard for cyber preparedness, industry associations and federal agencies have provided guidance, recommendations, and tools for utilities to assess cyber resilience. In lieu of a single standard, we look to the utility to demonstrate how it incorporates best practices into its asset inventory, risk assessment, and employee training.
We will continue to track cyber resiliency in the sector as well as whether a federal standard will be set, which we believe would be beneficial for the industry as it would set a minimum floor for cyber resilience and provide guidance for smaller utilities that may not have the sophistication or budget to implement sufficient planning.
Of the utilities that have taken the steps to identify their potential cyber exposures, most have also begun to improve their security. However, survey results from the 2021 Water Sector Coordinating Council and discussions with utilities, especially smaller systems, suggest that many have not taken sufficient steps to assess and address their cyber risks. In our view, failure to implement the most basic standards of cyber security indicates potential credit vulnerabilities. Issuers with strong organizational effectiveness will demonstrate comprehensive cyber readiness which will continue to be a driver of our management assessment for utilities.
We recognize that utilities have significant infrastructure needs. We will continue to evaluate how managers are identifying budgetary resources and prioritizing cyber projects to meet their cyber security needs while balancing other system requirements and rate affordability. Cyber preparedness isn't necessarily measured by a certain percentage of budget. Effective strategies can be scalable and accessible for all utilities.
The U.S. water and sewer sector continues to be an attractive target for cyber attacks given the essential nature of service provided and the depth of information and data within a utility's network. The physical nature of the water and sewer business introduces complexity into organizational decision making with respect to cyber management. A number of technologies that interconnect various physical assets to improve efficiency and transparency may also increase exposure to cyber risks. It is critical for management to balance operational efficiencies with potential cyber disruption. Our OMA evaluation will assess management's approach to determining the appropriate level of interconnectivity and how to mitigate associated risks. The strongest cyber preparedness will include comprehensive policies to assess IT and OT risks as well as detailed response and recovery plans that protect the system and the ratepayers.
Chart 2
This report does not constitute a rating action.
| Primary Credit Analyst: | Jenny Poree, San Francisco + 1 (415) 371 5044; jenny.poree@spglobal.com |
| Secondary Contacts: | Geoffrey E Buswick, Boston + 1 (617) 530 8311; geoffrey.buswick@spglobal.com |
| Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw or suspend such acknowledgment at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain non-public information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.standardandpoors.com (free of charge), and www.ratingsdirect.com and www.globalcreditportal.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.standardandpoors.com/usratingsfees.
Any Passwords/user IDs issued by S&P to users are single user-dedicated and may ONLY be used by the individual to whom they have been assigned. No sharing of passwords/user IDs and no simultaneous access via the same password/user ID is permitted. To reprint, translate, or use the data or information other than as provided herein, contact S&P Global Ratings, Client Services, 55 Water Street, New York, NY 10041; (1) 212-438-7280 or by e-mail to: research_request@spglobal.com.