The ability to attack, compromise, and cause damage has existed since the utility industry began connecting these systems to the Internet. Examples, including the European nation that was attacked 24+ months ago, are easy to locate. Yesterday an attack (more a proof of concept than anything it could really have been) occurred. The current public awareness of cyber attacks, the nation state theater risks, and the transparency of this action have raised the resulting awareness beyond the closed professional circles within Information Security. There are a number of interesting writeups, and I would suggest carefully reading a few for a balanced perspective. Two that I would recommend include:
What this means for your Utility company is that the abstract threat modeling exercise that considers these attack vectors should be conducted more thoroughly with real risk and mitigation decisions progressing up to the Board of Directors.
As for everyone else who is a customer of such utility companies, the BCP/DR plans should be updated to reflect the possibility of such a loss of services. Business enterprise information security / risk management programs (+vendor management) should elevate utility service providers (including cellular operators). These actions should directly impact the annual/ongoing risk assessments and establish an expectation of security assessment and assurance on a regular basis from these service providers.
It is an interesting quandary that Cloud service providers are vetted and assessed more rigorously than Utility service providers, the original cloud.
Thoughts .. challenges?
James DeLuccia iV