Risk and Utility Sector Cyber Attacks
Extreme Weather Events Give Insight to Regulators' Response
On December 30 of last year, the Washington Post reported that Russian hackers had accessed the U.S. electric grid through a small utility in Vermont. While the initial report was immediately retracted, it sent shockwaves through the power and utility industry, given the serious threat that malicious cyber activities pose to U.S. energy security.
Over the past several years, Moody's Investors Service has published original research on cyber risk as a factor of growing importance to credit analysis. Lesley Ritter leads Moody's cyber risk research from the perspective of the utilities sector, and addresses some key questions from PUF.
How Does Cyber Risk Factor into Moody's Credit Analyses?
We consider a cyber-attack a type of event risk. That is, it's an adverse event with a low probability of occurrence but a potentially high impact. To be clear, we don't explicitly incorporate cyber risk as a principal ratings driver.
But across all sectors, our fundamental credit analyses incorporate a number of stress-testing scenarios, and a cyber event, like other event risks, could trigger one of those scenarios. The severity and duration of a successful cyber-attack would be the key to determining any credit impact.
Several years ago, right around a series of high-profile attacks on the retail sector, Moody's identified cyber-crime as a significant risk to debt issuers across a variety of key industries. In September of 2015, we published a report identifying cyber risk as a factor with growing importance to our credit analyses.
However, given limited event disclosure and the increasing complexity of attacks, it can be difficult to assess an individual issuer's risks, which differ from one sector to the next.
How Does that Specifically Apply to the Utilities Sector?
Critical infrastructure industries like the utility sector are increasingly interconnected. More distributed generation and automated technology mean more potential entry points for hackers, so the question is not "if" but "when."
In our view, a successful, large-scale cyber-attack on a utility's industrial control system akin to the attack on the Ukrainian power grid in December 2015 would be more devastating than the type of data theft experienced by retailers. A successful breach of a utility's industrial control systems could result in a widespread disruption of service and costly infrastructure damage. It hasn't happened in the U.S. yet, but the risk remains.
In the absence of precedent for a massive outage caused by hackers, we use extreme weather events as a proxy for cyber risk to utilities. Both instances are forms of event risk, as both can significantly disrupt service and cause widespread physical damage to utility infrastructure.
While a cyber-attack of that extent would be materially credit negative for the utility, we see a high likelihood that government, at all levels, would lend support to recovery efforts, since an extended outage could have serious health, safety and economic consequences.
In 2015, we published a report examining government responses on behalf of utilities after two weather-related events. Hurricane Katrina caused approximately six hundred-thirty million dollars of damage to