Here’s Why It’s Absolutely Crucial Utility Companies Put Cyber Security at the Forefront of Risk Management

State-sponsored cyber attackers have all the time and resources they need to probe and then inflict damage on critical infrastructure.
February 4, 2019 • 3 min read

There is vast computing power now available to individuals and companies. But guess what? State-sponsored cyber attacks have even more resources.

And unlike terrorists, they don’t want high-profile failures or obvious denial-of-service storms. Quite the contrary.

The general M.O. for state-sponsored attackers is to take months or years to probe for small weaknesses on broad fronts, then slowly link the small breaches and work inward. As Leo Tolstoy put it, “the two most powerful warriors are patience and time.” (терпение и время; terpeniye i vremya; patience and time).

So Far, So Bad

A 2017 cyber attack on a small construction company in Oregon was an early thrust in the broadest and heaviest known hack by a foreign government into the U.S. electric grid. The company is a subcontractor for regional utilities as well as government agencies.

In that case the attack was big but not particularly sophisticated. It set off so many alarms that U.S. officials took the unusual step in early 2018 of publicly blaming the Russian government. Still, some experts believe two dozen or more utilities were penetrated.

A reconstruction of the attack revealed a glaring vulnerability at the heart of the country’s electric system. Rather than strike the utilities head on, the hackers went after the system’s unprotected underbelly — hundreds of contractors and subcontractors like All-Ways who had no reason to be on high alert against foreign agents. From these tiny footholds, the hackers worked their way up the supply chain.

More Connected = More Vulnerable

The problem gets worse as the growth of distributed networks (the “Internet of Things” or IoT) creates potentially critical issues. Consulting firm Wood Mackenzie estimated there are 30 million grid-connected devices already in U.S. homes, with millions more to come.

The company forecasts 88,000 megawatts (MW) of ‘residential flexible potential’ by 2023 (by way of context, the total generation capability of the Texas grid is just under 80,000 MW).

From a cyber security perspective, that means there are tens of millions of potential connections that can allow hackers to connect to utilities. It also means the bad actors don’t have to go after the utilities’ centralized and relatively well-protected control systems.

To destabilize the grid, hackers may soon have tens of thousands of megawatts of relatively unprotected distributed flexible devices they can manipulate.

Worst Case Scenario

A “Business Blackout” scenario by the University of Cambridge Centre for Risk Studies and Lloyd’s of London suggests a range of $61 billion to $223 billion in economic losses, depending on the number of affected generators and whether it took two, three or four weeks to restore 90 percent of the power.

“This is a real risk management issue facing the power sector around the world right now,” said Nick Beecroft, emerging risks and research manager, Lloyd’s of London, who worked on the “Business Blackout” project. But even more, he said, it is a risk that “all of society has to confront as more and more of our infrastructure and economy become connected to digital networks.”

A Cause for Hope

It’s not surprising that the risk of state-sponsored cyber attacks is very much akin to reports of secret weapons by rival nations — Russian plans to develop a submarine drone armed with a nuclear weapon that would be detonated offshore and cause a tsunami; or Chinese development of “aircraft-carrier killer” ballistic missiles.

Presumably by the time the public becomes aware, authorities are already working on countermeasures. And so it goes with cyber threats to the power, water, and communications infrastructure.

In the summer of 2018, the Department of Homeland Security warned utilities of a new infiltration that could cause blackouts.

“Grid operators have been working closely with government on this particular threat for the better part of the last year,” said Scott Aaronson, vice president of security and preparedness at the trade association Edison Electric Institute.

“We are keenly aware of those threats and have been working to mitigate them ever since they were communicated to us.”

Gregory DL Morris is an independent business journalist based in New York with 25 years’ experience in industry, energy, finance and transportation. He can be reached at [email protected]

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J. utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]