Risk and Utility Sector Cyber Attacks

Extreme Weather Events Give Insight to Regulators' Response

Fortnightly Magazine - March 2017

On December 30 of last year, the Washington Post reported that Russian hackers had accessed the U.S. electric grid through a small utility in Vermont. While the initial report was immediately retracted, it sent shockwaves through the power and utility industry, given the serious threat that malicious cyber activities pose to U.S. energy security.

Over the past several years, Moody's Investors Service has published original research on cyber risk as a factor of growing importance to credit analysis. Lesley Ritter leads Moody's cyber risk research from the perspective of the utilities sector, and addresses some key questions from PUF.

How Does Cyber Risk Factor into Moody's Credit Analyses?

We consider a cyber-attack a type of event risk. That is, it's an adverse event with a low probability of occurrence but a potentially high impact. To be clear, we don't explicitly incorporate cyber risk as a principal ratings driver.

But across all sectors, our fundamental credit analyses incorporate a number of stress-testing scenarios, and a cyber event, like other event risks, could trigger one of those scenarios. The severity and duration of a successful cyber-attack would be the key to determining any credit impact.

Several years ago, right around a series of high-profile attacks on the retail sector, Moody's identified cyber-crime as a significant risk to debt issuers across a variety of key industries. In September of 2015, we published a report identifying cyber risk as a factor with growing importance to our credit analyses.

However, given limited event disclosure and the increasing complexity of attacks, it can be difficult to assess an individual issuer's risks, which differ from one sector to the next.

How Does that Specifically Apply to the Utilities Sector?

Critical infrastructure industries like the utility sector are increasingly interconnected. More distributed generation and automated technology mean more potential entry points for hackers, so the question is not "if" but "when."

In our view, a successful, large-scale cyber-attack on a utility's industrial control system akin to the attack on the Ukrainian power grid in December 2015 would be more devastating than the type of data theft experienced by retailers. A successful breach of a utility's industrial control systems could result in a widespread disruption of service and costly infrastructure damage. It hasn't happened in the U.S. yet, but the risk remains.

In the absence of precedent for a massive outage caused by hackers, we use extreme weather events as a proxy for cyber risk to utilities. Both instances are forms of event risk, as both can significantly disrupt service and cause widespread physical damage to utility infrastructure.

While a cyber-attack of that extent would be materially credit negative for the utility, we see a high likelihood that government, at all levels, would lend support to recovery efforts, since an extended outage could have serious health, safety and economic consequences.

In 2015, we published a report examining government responses on behalf of utilities after two weather-related events. Hurricane Katrina caused approximately six hundred-thirty million dollars of damage to
