Incident readiness: a playbook for your worst day

Over the last couple of years, the cyber threats to power and utilities (P&U) organizations have risen significantly, notably from increasingly sophisticated ransomware and malware attacks. Malware, in particular, can spread rapidly, disrupting processes, stealing data, threatening safety and cutting vital services to government, business and consumers.

Unlike IT, which tends to have a 3—5 year life cycle, many P&U OT estates run on old and often unsupported software and hardware. With digital transformation making OT increasingly IT—dependent, there is a growing attack surface that hackers can and will seek to exploit. In addition to traditional players, the threat extends to a host of smaller startups selling electricity and gas and supplying their meters. Many of these companies are essentially marketing and customer service operators with relatively immature cyber security.

In a digital world, where everything is connected, grid shutdowns can bring public services, businesses and homes to a standstill. Not everyone has a backup generator, and a power outage instantly exposes our growing dependence on electricity across every part of daily life. Connectivity also carries the threat outside the organization to millions of customers via IoT devices like smart meters in homes, and online access to billing accounts, opening up opportunities for phishing and other forms of unauthorized entry into P&U systems.

Aware of these dangers, regulators exert more significant pressure on companies to demonstrate secure cyber defenses. The EU’s Cyber Resilience Act seeks to establish a baseline of resilience across industries, with a strong focus on critical P&U infrastructure.¹⁰ In the US, the Transport Security Administration (TSA) Security Directives (published in the wake of a 2021 cyber—attack on Colonial Pipeline) requires electric and gas utilities to assess all their assets to ensure they meet new, higher safety standards and produce clear incident readiness plans.¹¹

A robust cyber security culture can significantly reduce the chance of an attack, but P&U organizations should also be ready should an incident occur. Incident readiness is about developing a playbook for that ‘worst case’ scenario, mitigating vulnerabilities in advance, and documenting a plan to respond quickly and decisively. Through training and exercises, it’s possible to build up invaluable ‘muscle memory.’

Readiness is the foundation of resilience, with a robust plan defining the roles and responsibilities of different stakeholders and the necessary actions to respond and recover swiftly to help minimize the impact on the organization and its customers. Plans should be in both secure electronic format and hard copy to ensure access should systems go down. The three components of a readiness plan are:

Simulations or ‘tabletop’ exercises are a regular feature of mature cyber security culture, helping P&U organizations improve their ability to detect network attacks earlier, enabling faster containment to prevent escalation. The drill should identify gaps in detection software and intelligence gathering to keep them on top of potential threats worldwide. And by showing up more clearly the links between physical hazards and cyber issues, it will build a greater appreciation of the broader impact of an attack and help reduce the risk of an incident occurring in the first place.

In a typical exercise, a facilitator walks staff through a tailored cyber incident, tasking the group to evaluate options and make decisions at crucial moments, exposing key individuals to real—life challenges to get operations back on track in the shortest possible time. This improves readiness, gets the players familiar with their responsibilities, and uncovers operational weaknesses.

By bringing together stakeholders — like the CIO, CISO, Head of OT Operations, or an OT shift manager — who don’t usually interact, incident readiness drills expose people to different ways of looking at the organization. OT staff tend to be concerned with operational safety, process optimization and reliability, while their IT counterparts think more about confidentiality, availability, and integrity. Bridging this mindset gap can help teams collaborate more effectively and think through practical questions that may never be discussed until an incident occurs, such as: how will we all connect? And where/how will we meet?

A robust and underlying security culture can make a difference when spreading cyber awareness and responsiveness. Many water and energy providers, including solar, wind, biomass, gas, and coal, have traditionally had relatively relaxed health and safety environments, without rigid restrictions save for the generator area. Now that cyber has become a recognized threat, these organizations must build awareness and encourage good habits.

Cyber attackers are becoming more active, and ransomware and malware incidents are increasing in both frequency and severity. P&U organizations may not be able to prevent every attack, but they can improve their incident readiness.

Armed with a tried and tested playbook, P&U organizations can respond at pace, with a documented set of tasks, a transparent chain of command, and knowledgeable individuals with the muscle memory to mobilize and close the threat down as quickly as possible, protecting the safety of all employees and keeping vital national infrastructure up and running.

However, an incident readiness plan is only as good as the people that operate it, so organizations need a strong focus on training and resourcing. This should ensure that relevant workers are skilled and drilled in containment and recovery, with the plan leader able to locate and deploy the appropriate individuals quickly. Given the enormous demands on staff — with the IT team often working around the clock — tiredness and mistakes can creep in, so it’s essential to have resources in reserve to take over.

Finally, P&U organizations should recognize that even the most efficient incident readiness plan has room for improvement. That’s why an external perspective can be invaluable in building resilience. A skilled third—party specialist can guide the readiness team through the various steps and carry out an incident readiness assessment with recommended actions to overcome gaps. 

At KPMG, we have carried out multiple incident readiness assessments and tabletop exercises for P&U and industrial businesses. We bring a wide range of highly qualified and experienced team members into incident readiness, from security and penetration testers to operational consultants, cyber readiness experts and recovery practitioners who have been directly leading recovery efforts for impacted clients. KPMG was delighted to be recognized as a ‘Leader’ in Worldwide Incident Readiness Services by IDC Marketscape in 2021.

Clients particularly value our multi—sector view. Too often, businesses are contained within their industry bubble and have limited awareness of best practices in other sectors that they may be able to import and apply. KPMG professionals have worked on incident readiness and simulations across many industries, including financial services, automotive, chemicals and manufacturing.