Key Takeaways
- Electric utilities remain attractive targets for malicious actors attempting to access proprietary customer data or cause economic and social disruptions or for financial gain.
- Although we view a utility's compliance with the North American Electric Reliability Corp.'s cyber standards as providing a high degree of protection, we nevertheless believe management teams must continually update practices to address evolving risks.
- To date, cyberattacks and physical attacks have not led to any rating actions in the power utility sector, partly due to utilities' sound risk management practices.
- We believe a successful attack would harm a utility's finances and reputation, which could adversely pressure ratings.
Given the critical infrastructure it oversees, the power utility sector--including investor-owned utilities (IOUs), municipally owned utilities, rural electric cooperatives, and merchant generators--faces a high probability of cyberattacks (see chart 1). A successful cyber or physical attack can cause blackouts and other operational fallout that trigger wide-ranging economic and social ripple effects.
While a successful attack against a U.S. electric utility has not prompted us to take a rating action to date, we view the threat landscape as constantly evolving. Recent events, including a sharp uptick in physical attacks on electric substations and hybrid cyber-kinetic attacks on Ukraine's power grid amid the Russia-Ukraine conflict, underline the sector's heightened vulnerabilities in both the cyber and physical dimensions. Compounding this risk are increased digitalization and system decentralization, which expand the set of weaknesses available for hackers to exploit. In the midst of rapid digital transformation, electric utilities face an ever-narrower window in which to effectively prepare for, and respond to, increasingly complex threats. S&P Global Ratings believes that having comprehensive cyber and physical preparedness practices that support continual improvement can help power utilities minimize their credit vulnerabilities.
Chart 1
Recent Threat Trends Underscore Sector's Evolving Challenges
Facing a constant array of threats, many issuers have achieved substantial progress in their cyber defenses to swiftly respond to ever-changing tactics from bad actors. One telling sign is increased investment: In 2022, the average information security budget across all sectors increased by 26% (for more information, see "Cyber Trends and Credit Risks," published Oct. 25, 2022, on RatingsDirect). Nevertheless, a handful of headline-grabbing events highlight the extent to which the power utility sector is exposed to high-impact cyber and physical risks (see table 1).
Table 1
Key threat trends pose increased challenges for the power utility sector

Threat | Nature of the risk | Related research
---|---|---
Sovereign-backed risks | Cyber risks could escalate in the face of geopolitical instability, as evidenced by the Russia-Ukraine conflict, where cyberattacks can precede or accompany military actions. The "NotPetya" attack in 2017 targeting Ukrainian institutions, including the central bank and the Chernobyl nuclear plant, caused weeks of disruptions for about 7,000 companies across 65 countries at an estimated cost of $10 billion, highlighting knock-on effects for the region and beyond. S&P Global Ratings believes sovereign-linked cyberattacks, along with disrupting society, could lead to massive monetary loss or collateral financial damage if they cause systemic events across sectors and geographies, potentially triggering widespread rating actions. | "How Worried Should We Be About Cyber Attacks On Ukraine?" Feb. 22, 2022
Third-party risks and negative spillover | Although S&P Global Ratings believes outsourcing and procurement of third-party managed services will continue offering substantial cost-saving benefits and improving efficiency, they can also introduce new vulnerabilities to cyberattacks if risks are not properly mitigated. This trend highlights growing concerns over shared risks, whether from third-party vendors or from the government ecosystem a utility interacts with, and the negative externalities these risks cause. Many high-profile attacks stem from third-party vulnerabilities, including the ransomware attack on Colonial Pipeline in 2021. | "Cyber Risk In A New Era: Are Third-Party Vendors Unwitting Cyber Trojan Horses For U.S. Public Finance?" Oct. 25, 2021
Physical attacks | A series of physical attacks on electric substations in multiple states, some of which left many residents without power during freezing weather, renewed concerns over the security of power utilities' physical assets. This trend, which will likely continue, adds an extra layer of complexity to the evolving cyberthreats, amplifying potential credit vulnerabilities. Further compounding this are extended lead times for substation transformers in the U.S. as a result of global supply chain challenges, which could delay an issuer's response and recovery following a physical attack. | --
Financially motivated cyberattacks | Cyberattacks prompted by monetary gain have been prevalent in the public utility sector, in part due to the relatively high quantity and sensitivity of the data it holds and the essential services it provides. Such attacks tend to manifest as ransomware attacks, in which money is extorted in return for the release of encrypted data or for the lifting of an impediment to operations, and could create financial losses and contingent liabilities that pressure credit quality. We believe increasingly sophisticated attacks and the growing presence of digitalization will likely expose issuers to a higher likelihood of losses, underscoring the need for issuers to enhance strategy and spending around cybersecurity. | "How Cyber Risk Affects Credit Analysis For Global Corporate Issuers," Mar. 30, 2022
Properly implemented CIP standards provide baseline risk protection
The power utility sector has long been subject to federal standards and guidelines, providing it with baseline security protection against bad actors. A notable one is the mandatory and enforceable Critical Infrastructure Protection (CIP) reliability standards, developed by the North American Electric Reliability Corporation (NERC), with a focus on the Bulk Electric System (BES). S&P Global Ratings typically assesses how an issuer prepares for cyberattacks and how it plans both its response to and recovery from a successful attack. Viewing the CIP standards through this lens, S&P Global Ratings believes they give utilities a baseline for managing risk exposure in terms of asset identification, information monitoring, and incident response. The chart below illustrates selected highlights from the extensive requirements that we view as supportive of effective prevention, response, and recovery.
U.S. entities that generate and deliver electricity through high-voltage transmission lines are considered BES stakeholders and thus are subject to compliance oversight (including compliance audits and spot checks) conducted by six regional entities on behalf of NERC. Distribution utilities, typically serving smaller loads, are outside the CIP scope. However, many of these smaller utilities have voluntarily aligned their cyber defense practices with CIP standards and engage in information sharing through nationwide platforms established by leading industrial associations, all of which we view positively.
We also believe that NERC plays an important role in guiding utilities to level the playing field through its continuous reviews and updates of standards, as highlighted by its enhanced requirements for vendor-related remote access control (effective October 2022) to address supply chain risks, as well as ongoing studies of physical security standards pertaining to all BES transmission stations, substations, and primary control centers.
Chart 2
Within our criteria, we typically factor in cyber and physical risk management as part of our overall assessment of management (see below). Other assessments related to market position and financial metrics could become relevant, particularly following a successful attack. We view alignment with CIP standards as a way to inform our analysis of an issuer's commitment to cyber defense and implementation of risk mitigation practices. Nevertheless, our analysis of an issuer's cyber risk exposure generally considers the function, size, and scope of its operations and focuses on its overarching cybersecurity strategy pertaining to preparedness, response, and recovery. Although rare, if an issuer lacks the understanding of asset vulnerabilities or does not have a plan to monitor cyber and physical security systems, we may consider its preparedness as insufficient to detect or recover from potential security incidents that could result in system shutdowns or monetary losses. This could weaken our view of the issuer's overall management, possibly leading to a lower rating than its similarly positioned peers.
Chart 3
Aging cyber infrastructure is a sector-wide vulnerability
Utilities face roadblocks on the path to meeting evolving industry standards, providing opportunities for systems to be exploited. One main challenge in the industry is that many of its IT systems are antiquated. Many supervisory control and data acquisition (SCADA) systems, critical digital infrastructure that U.S. utilities have used since the 1970s, are aging and may lack the capability to keep up with updated compliance standards. Consequences stemming from lags in network upgrades and missing security applications could be far-reaching, as seen in examples of SCADA breaches among water and sewer utilities that involved poisoning the water supply and facility shutdowns (see "Cyber Risk In A New Era: U.S. Utilities Are Cyber Targets And Need To Plan Accordingly," published Nov. 3, 2021).
Even if a utility checks all the boxes when it comes to compliance standards, maintaining effective cybersecurity measures requires ongoing vigilance. Management must constantly coordinate and monitor cyber defense efforts, and employees must stay highly vigilant and aware of their roles and responsibilities to understand, detect, and minimize risks. Among S&P Global Ratings' rated power utilities across ownership classes, data breaches accounted for the majority of cyberattacks in 2018-2022, as compared with ransomware, denial-of-service, and other attack types, as per Guidewire (see chart 4).
According to the 2022 Verizon Data Breach Investigations Report, 82% of cybersecurity breaches are attributable to human elements (such as errors, misuse, stolen credentials, and phishing) that can be prevented. This suggests that without a constant, long-term effort to train staff and improve user behavior, every facet of human interaction with physical and digital assets can open the cyber door for criminals to compromise systems. Conversely, if an issuer maintains a cyber-aware workplace culture and conducts regular, comprehensive staff training programs, we view it as supportive of mitigating human susceptibility and enhancing the baseline protection provided by compliance standards.
Chart 4
Successful Attacks Could Pressure Various Credit Rating Factors
After a successful attack, S&P Global Ratings would assess its magnitude based on the type and scale of the damage done and how it affects various aspects of an issuer's credit quality (see table 2). We view the immediate damage primarily as financial risk: attacks that disable billing systems and disrupt revenue streams, together with ransomware payments, regulatory fines, or the cost of restoring operations, result in meaningful, and sometimes compounded, monetary losses that pressure an entity's margins and liquidity. Given this context, we view an issuer's liquidity and cyber insurance levels as important credit factors, because they provide a short-term financial buffer following a disruption in cash flows and so reduce the likelihood of adverse financial effects. However, we note that cyber insurance premiums continue to rise due to the increased frequency and severity of cyberattacks and greater systemic vulnerabilities (see "Cyber Risk In A New Era: The Rocky Road To A Mature Cyber Insurance Market," published July 26, 2022).
Another notable post-attack risk is reputational damage, which can create equally challenging and potentially long-term pressures. Customers and third parties could lose confidence in the reliability of critical services or in the utility's leadership, adversely affecting its market standing, pricing power, demand growth, and member stability.
Assessing The Credit Implications Of A Cyber Or Physical Attack
- Management: A cyber or physical attack can raise questions about deficiencies in day-to-day defense strategies, effectiveness of incident response plans, overall comprehensiveness of risk management, and other governance factors, which could lead to a lower management assessment.
- Financial metrics: Factors including ransomware payments, litigation, customer attrition, and system restoration costs could constrain liquidity, generate thinner margins, and increase leverage.
- Market position: Rate competitiveness could weaken if utilities increase electric rates to pass through financial losses stemming from a cyber incident to ratepayers. A successful attack can also cause significant reputational damage to utilities facing direct market competition for customers, negatively influencing their market standing.
Continual Risk Management Improvements Are Key To Preventing Cyber And Physical Attacks
The evolving threat landscape indicates that cyber and physical risks have moved beyond a siloed, local risk to a near-ubiquitous priority that must be addressed on a regional or national level. As malicious actors continue to ramp up targeted attacks against utilities, we believe it is a matter of when, not if, an entity will be attacked.
We generally assess whether utilities have proactively integrated cyber and physical risk management into a wider risk management framework, monitor federal regulatory developments, and evaluate the level of credit protection they provide to issuers.
At the same time, we expect well-prepared issuers to continually improve their risk mitigation strategies to keep up with the sector's rapid digitalization and stay ahead of malicious attacks.
This report does not constitute a rating action.
Primary Credit Analyst: Nicole Shen, New York (1) 332-323-4605; nicole.shen@spglobal.com
Secondary Contacts: David N Bodek, New York + 1 (212) 438 7969; david.bodek@spglobal.com
Gabe Grosberg, New York + 1 (212) 438 6043; gabe.grosberg@spglobal.com
Aneesh Prabhu, CFA, FRM, New York + 1 (212) 438 1285; aneesh.prabhu@spglobal.com
Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.