“Too big to fail” is an over-used phrase, but it’s relevant and appropriate in the case of power and utilities (P&U).

Electricity underpins virtually every aspect of our lives. Yet, power generation and delivery are under a growing threat from natural disasters, cyber-attacks, aging infrastructure and workforce, and supply chain interruptions. At the same time, the sector is getting to grips with complex, decentralized grid systems, renewable energy sources and digitization.



The European Union’s proposed NIS 2 Directive could oblige P&U (and other industries) companies to demonstrate new levels of cyber security.1



Power companies and utilities, public and private, have always been focused on keeping the lights on and the water running – but the changing nature of risks has shifted the emphasis from response and recovery to resilience by design to maintain services 24/7. Regulators expect higher operational, commercial, and financial resilience standards across the supply chain. The European Union’s proposed NIS 2 Directive could oblige P&U (and other industries) companies to demonstrate new levels of cybersecurity. Failure to take adequate preventative measures can leave companies – and their leaders – open to fines and custodial sentences.

In this article, we take a deeper look at the main drivers of resilience and discuss how P&U companies can integrate these elements to maintain their services.

  

Download PDF

Plugged In

A focus on geopolitical and cyber security risks.



Download PDF (2.27 MB) ⤓



  

Natural threats

Climate change is a vast and growing concern for the sector. Storms, forest and bush fires, flooding, winds, extreme hot and cold, and droughts are no longer freak events but frequently occurring natural phenomena in many geographies. The US has suffered 323 weather and climate disasters since 1980, with estimated damage of US$2.195 trillion.2  And between 2013 and 2020, the number of outage hours per year doubled from four to eight.3

In India in 2022, over a billion citizens have been struggling to cope with unbearable temperatures well over 40° Celsius – the hottest Spring in the country’s recorded history, preventing outdoor working and causing power outages, water shortages, state-imposed rationing, train cancellations, as well as reducing industrial and agricultural output.4

In addition to damaging physical infrastructure, such phenomena can also hold up supply chains of vital parts and materials. And P&U companies don’t just have to cope with the effects of climate change on their operations; they should also consider their own organization's impact on the environment and society, whether it’s carbon emissions or treatment of workers.

Decentralization and digitization

Grids are becoming more distributed, with swathes of smaller, localized sources, creating a hybrid mix of conventional/nuclear and, increasingly, renewable energy from small hydro, biomass, biogas, solar, wind and geothermal.5 It's quite a headache to orchestrate this complex web of players to maintain system integrity.

At the same time, digitization brings greater automation and sophistication to control systems, integrating operations and IT, with growing dependence on an external cloud network and as-a-service providers. With such an interconnected backbone, a single failure can have multiple consequences and potentially shut down the whole facility.

Any incident instantly exposes the many interdependencies in society, where one outage has a chain reaction impacting telecommunications, industry, transport and water. For example: if there is no mobile network or internet, it’s harder to contact engineers and other repair personnel. And if electric power is out and gas stations are not working, these same people cannot drive to reach the points of damage. Coping with surges is a further challenge when many players are involved in the grid, as the customer-facing providers seek to distribute energy from multiple locations.

As P&U providers transition to digital enterprises, where every piece of equipment, including hardware, IoT sensors, and personal devices are connected, and where many third parties are involved in transmission and billing, the threat – and the subsequent impact – of cyber-attacks has risen dramatically. Since the pandemic, the acceleration of hybrid working has increased awareness of how attackers can hack into systems on insecure networks. Deteriorating relations with other countries adds another layer of threat.

Operational threats

P&U organizations have often been targeted by cybercriminals and nation-states (sometimes both working in tandem) to disrupt enemies’ critical national infrastructure. Cyber weapon Stuxnet was believed to have been co-developed by Israel and the US to attack Iranian nuclear facilities, although both Israel and Iran deny this.6  Stuxnet took out SCADA systems within critical Iranian nuclear facilities.7

Another example is NotPetya, which experts claim has been aimed at Ukraine.8  McAfee states, “…this variant was designed to spread quickly,” targeting “complete energy companies, the power grid, bus stations, gas stations, the airport, and banks.”

Organizations may not be directly targeted but end up collateral damage as, malware released ‘into the wild’ exploits their vulnerabilities. Stuxnet may well have had a specific target, but the code used to develop the original malware has now been enhanced and can be used to attack a much broader audience across sectors and geographies.

NotPetya may have had the energy sector in its sights, and potentially Ukraine. Still, it has impacted many global organizations, including the aircraft Antonov in Ukraine logistics giant Maersk, and Russian oil producer Rosneft.9

It’s not uncommon for hostile hackers to follow up a cyberattack with a physical attack. The attack surface is vast because of the enormous networks of stations, pylons, and other facilities. The lack of a reserve power source makes it even more challenging to recover by getting a generator back up and running.



Stuxnet may well have had a specific target, but the code used to develop the original malware has now been enhanced and can be used to attack a much broader audience across sectors and geographies.



Aging assets and workforce

In an asset-heavy sector, cost-effective replacement and maintenance are constant factors. Climate change has reminded P&U companies how easily some equipment can become damaged. In the case of forest fires, in particular, fallen power towers and lines can be responsible for loss of life and livelihood, resulting in hefty fines or even criminal action against executives for failing to adopt suitable preventative measures.

Without the right people and skills, P&U networks may struggle to achieve the levels of continuity that customers demand. As the older generation of workers approaches retirement, it’s vital to attract new talent into the sector and pass on the decades of experience of older generations. And as roles become ever more digital, technological capabilities become essential in combination with automation.

Building a resilience framework and culture

As they strive to build safe and robust organizations that can provide 24/7, uninterrupted services to public and private organizations and citizens, P&U companies are treating resilience as a board-level imperative.

The UK has a National Resilience Strategy10  designed to cope with extreme weather, terrorism, pandemics, cyberattacks, geopolitical instability, and accidents. The country’s National Grid adopts a ‘Whole Systems’ approach.11  And in the US, the National Institute of Standards and Technology (NIST) provides a technical basis for improved design, construction, operation, and maintenance of buildings and infrastructure systems.12

Integrated resilience framework

A resilience strategy should exhibit the following characteristics:

Extreme weather event modeling

P&U planners should improve their scenario planning to cope with climate change threats. Historical events are no longer a reliable predictor of the future, so models must take in more real-time data and use innovations like digital twins to forecast the likelihood and the severity of the impact on the infrastructure and interdependent services.











Preparedness of equipment and people

Preparedness is equally critical, investing in newer, more robust infrastructure, stocking up on inventory, and having extra staff and contractors available on call to make repairs as quickly as possible. Procurement professionals may have to reconsider their just-in-time ambitions, given an outage’s enormous potential cost and inconvenience. This involves cost-benefit decisions: over-prepare and you will add significantly to expenses; under-prepare and you risk unacceptable outages, unhappy customers and massive repair bills. Equally, certain types of inventories like super grid transformers are so specific to different parts of a grid that it’s impossible to hold every stock item.



Cyber security

And, of course, cyber defense is becoming a big priority, with an urgent need to establish cyber-aware cultures and strict entry protocols. It’s also vital to identify and nullify potential threats and restore systems should they come under attack. Some are sweeping out old legacy technology and moving to the cloud to remove as many potential vulnerabilities as possible.




Creating a resilience culture

Finally, embedding knowledge in the system can help avoid ‘key person’ risk where organizations depend on individuals’ unique abilities. Strategic workforce planning identifies the skills and leaders needed and the working environment that will appeal to a new, diverse workforce. Investing in technical skills training and building new routes to recruitment and contractors/gig economy workers, will likely be crucial.



Hardening

There are many steps P&U companies can take to make their physical infrastructure more resilient, such as installing stronger poles, undergrounding overhead lines, trimming trees, and raising substations above predicted flooding levels. Longer-term scenario planning can guide the thinking to consider likely weather conditions in the coming decades.

Investments in replacement and maintenance must balance upfront costs now and potentially significant expenses later to remedy the damage. Studies tend to show that upgrades are many times cheaper than repairs – a US review concluded that every US$1 invested in disaster mitigation or ‘hardening’ was found to avoid US$6 in rebuilding costs.13 In one instance, by installing new transformer monitors, a company prevented an outage for 15,000 customers, saving approximately US$1 million in restoration charges.14

There’s growing interest in predictive maintenance, using sophisticated sensors, drones and other IoT, which, combined with advanced analytics, can help determine when equipment may fail, initiating proactive action. Cloud-based, predictive platforms use AI and automation to constantly improve their ability to spot asset defects and avoid equipment downtime. And by combining these with accurate extreme weather forecasts, companies can be better prepared.

One way to build resilience is through redundancy, so that different transmission lines can operate independently of each other; if one fails, the others continue to work. Monitoring is essential to this approach, detecting any operational problems – such as cyberattacks or mechanical failure – and enabling systems to isolate these to ‘fail safely’ to avoid broader system disruption.

Distributed generation builds more alternative sources into the grid, including an increasing usage of microgrids. Energy storage can increase resilience, providing an alternative energy source, acting as both load and generator.



Investing in a trusted and reliable future

Resilience doesn’t just keep the lights on; it builds trust and drives competitive advantage.
In a resilience-focused organization, leadership has clear accountability for protecting service delivery, supported by robust data insights that can inform investment in longer-term resilience, meet evolving regulatory requirements, and help ensure swift preventative action in the event of failures. Resilience planning has three main areas:

Prepare

  • Enterprise service management

  • Resilience control frameworks

  • Tolerance and scenario management





Assess

  • Non-stressed service resilience assessment

  • Service threat management assessment

  • Stressed service resilience assessment


Action

  • Reporting, solutions, and investment appraisal

  • Service enhancement

  • Recovery planning and management





How KPMG can help

KPMG power and utility professionals have extensive experience in building more robust organizations and can help you:

  • Make resilience and trust foundations of your organizational strategy and value proposition
  • Be agile and flexible in maintaining business outcomes after disruptive events
  • Keep your business connected internally and externally, before and after disruption
  • Make your resilience data-driven and tech-enabled to generate timely insights, reduce costs and improve scalability

This should give you clear visibility and control of services, resources and risks – leading to more assured stability of services in times of disruption. It can also support the business, customers, and financial markets so that resilience can become a critical competitive advantage and a driver of trust.

  

  

1 European Commission, Commission welcomes political agreement on new rules on cybersecurity of network and information systems, May 2022.
2 National Centers for Environmental Information, Billion-Dollar Weather and Climate Disasters, Accessed 10 June 2022.
3 U.S. Energy Information Administration, U.S. electricity customers experienced eight hours of power interruptions in 2020, November 2021.
4 Bloomberg, Climate Change Turned Up India’s Heat. But by How Much?, May 2022.
5 Power Grid International, A look towards the future: Integrating DERMS and ADM, May 2019.
6 The New Yorker, World War Three, By Mistake, December 2016.
7 Foreign Policy, Stuxnet’s Secret Twin, November 2013.
8 Wired, What is the Petya ransomware spreading across Europe? WIRED explains, July 2017.
9 BBC, Global ransomware attack causes turmoil, June 2017.
10 UK Government, National Resilience Strategy: Call for Evidence , July 2021.
11 National Grid, Our Whole System approach, March 2021.
12 National Institute of Standards and Technology, Resilience, accessed June 2022.
13 Federal Insurance and Mitigation Administration, Natural Hazard Mitigation Saves Interim Report, June 2018.
14 T&D World, Ushering in the Next Era of Grid Modernization, December 2021.