New Study Sheds Light on How Utilities Protect OT Environments

By CISO Collective Editorial | May 26, 2022

The Utilities Technology Council (UTC) recently released a report commissioned by Fortinet titled Utility Operations Cybersecurity Study. The purpose of the study was to “gain an understanding of utilities’ current approaches and status in protecting their operational technology (OT) environments.”

The study is based on the responses to a 2021 year-end survey by the 400 members of UTC. Jointly developed by Fortinet and UTC, the survey consisted of 27 questions. The respondents ranged in size from large investor-owned utilities down to small electric distribution cooperatives.

UTC membership is made up of organizations from electric, water, and natural gas utilities of all ownership types (investor-owned, publicly-owned, and cooperatively-owned). Founded over 70 years ago, UTC uses advocacy, education, and collaboration to create “a favorable business, regulatory, and technological environment for organizations that own, manage, or provide critical utility telecommunications systems.”

Staying Aware of Latest Threats

One of the primary goals of this utilities trade association is to stay abreast of the latest cyberthreat trends along with the newest cybersecurity solutions to combat them. According to UTC, this latest study represents a broad range of perspectives on operational security at utilities and is divided into five areas covering these specific topics:

  • Protection of OT Environments
  • Grid Modernization and Cybersecurity
  • Key Cybersecurity Issues
  • Cybersecurity Governance
  • Consistency Across the Organization

Key Takeaways

Two-way Network Traffic

As with many industries, the utilities are always evolving and expanding, and, as a result, so are their cybersecurity needs. One of the current drivers is two-way network traffic between IT and OT environments. Today’s utilities allow for a significant amount of traffic to travel from IT to OT environments and back, and this is likely to increase as grids become more complex.

Consequently, best practices for utility operational security must by applied across the organization. This has led to a positive development where “cybersecurity finally has a permanent seat at the table in planning key utility business and technology initiatives.” And now, most utilities are saying that their cybersecurity teams are involved in grid modernization projects at the earliest planning stages.

Universal Cybersecurity Adoption

The survey revealed that some cybersecurity technologies have been adopted by most utilities. The organizations typically have deployed cybersecurity foundational solutions like firewalls, intrusion detection, security incident response, and malicious input detection. And while many utilities indicated that they have not yet added a zero-trust architecture to their defenses, many are planning to roll out a ZTA solution soon.

One Size Doesn’t Fit All

The utilities’ responses to the question asking them to rank a set of cybersecurity risks shows that utilities do not all prioritize the same risks. This indicates there is no one-size-fits-all cybersecurity solution for utility industrial control systems (ICS) that manage and monitor cyber-physical systems and physical processes.

Isolating the OT Environment

Utilities tend to place strict controls on what traffic is permitted from Enterprise IT networks into an OT network. In fact, “most utilities employ overlapping approaches to isolate OT environments from IT” and that DMZs and firewall rules are the most popular “isolators” and both are used by over 80% of the respondents.


The deep analysis of the survey data reveals some recurring themes and suggests some appropriate next steps for utilities to ensure that their cybersecurity programs meet the coming challenges of more complex grids.

  • Be prepared for more network traffic between Enterprise IT and OT environments.
  • There are no one-size-fits-all cybersecurity solutions. The security for each utility will be built on the risk tolerance of the utility based on a risk assessment.
  • Take time to discuss internally and then externally with your security technology providers exactly what your cybersecurity needs to accomplish.
  • Hire a third-party to do annual firewall audits and annual penetration testing. Be sure the firewall auditors or penetration testers have experience with the nuances of testing OT environments.
  • Get mesh cybersecurity solutions that are integrated, not point solutions for each individual problem.

Learn more and read the full report: Utility Operations Cybersecurity Study.