Identity Security: Three Big Opportunities for Utility Providers

Authored by: Casey Herman, PwC Partner, ESG Leader; Brad Bauch, PwC Principal, Advisory; and David Manks, SailPoint Technology Alliances & Partner Marketing

If there was any doubt about the importance of cybersecurity in the utility industry, one needs simply to look at the recent news. Already this year, there have been two major breaking stories: In May, a cyberattack shut down the nation’s largest fuel pipeline for more than three days, disrupting gasoline supplies to much of the southeastern United States. In February, a malicious actor gained access to the water system of a Florida city and attempted to tamper with the water supply. Fortunately, in the case of the water company, the intrusion was detected in time, but the consequences could have been catastrophic.

Utility attacks are no longer a threat — they’re a reality

Critical infrastructure companies like utilities are prime targets for foreign and domestic threat actors. As providers have modernized through automation and digitized connections, they’ve opened the door to even more attacks — either directly or through a vast network of suppliers — requiring an updated approach to identity security for utility companies.

Even inside the walls, security can be compromised. In 2019, 30% of utilities’ data breaches involved internal actors,[1] and 37% of utilities experienced compromised employee credentials.[2] Simple tactics are surprisingly effective and extremely widespread, with 48% of organizations reporting spear-phishing attacks in the previous 12 months.[3]

The good news is there are three clear areas of opportunity utility providers can act on to begin creating a smarter identity security approach — areas that take full advantage of automation, artificial intelligence (AI), machine learning (ML), and the power of analytics to protect from attacks and increase overall system efficiency.

1. Enterprise-wide security begins with the worker

Each individual is either a risk or a roadblock in terms of identity security. Whether employed within the organization or working for one of the hundreds of suppliers the average utility partners with, their actions can put an entire utility — and millions of customers — at risk.

From leadership to contract workers, across teams and “power partners” like wind and solar, as well as traditional suppliers and even bots, it has become critical for utility providers to manage who has secure access to data, operational technology and infrastructure. Also important is how they have access and when, as well as ensuring users aren’t over-provisioned. The complexities involved have long outgrown manual processes for identity security and require a modern, smart solution.

2. Automate efficiency

Clearly, identity security and regulatory compliance at the individual level can be a massive, time-consuming effort. By automating previously manual identity and access management processes, utility providers are not only tightening security in the face of increasing risk exposure and ever-more-sophisticated attacks, they’re also creating much-needed efficiencies in management and compliance.

Automated systems give utility providers the opportunity to reduce the amount of time spent on credentialing and de-credentialing literally hundreds, if not thousands, of users through manual and potentially error-prone processes. They also allow for greater visibility, transparency, reporting and control.

3. Keep up with compliance

It’s not news to utility providers that regulatory oversight is a mercurial master. The North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) standards have been in place for over a decade. Additionally, the Department of Homeland Security’s (DHS) Transportation Security Agency (TSA) recently issued mandatory cybersecurity rules for critical pipeline facilities. These are just two instances of a multitude of always-shifting regulations utility providers face daily.

Because of the importance of the national power grid and pipelines to public safety, they are a focus of both threat and oversight. Much like a laptop’s security protocols, it’s a constant game of one-upmanship, updating and reacting.

Luckily, centralizing and automating identity security systems and utilizing state-of-the-art AI and ML platforms does more than just increase overall efficiency and protect from the individual up — it also allows for faster adaptation to changing compliance requirements.

PwC and SailPoint: Working together to help reset cyber strategy in the energy and utilities sector

With a global network of firms, PwC has a deep understanding of the unique challenges and opportunities facing power and utilities companies. PwC cybersecurity professionals guide leaders toward innovative approaches that enable success through cybersecurity — from automated defense technologies that protect new product landscapes, to securing new market entry.

SailPoint is the leader in identity security for the cloud enterprise. SailPoint helps customers provision access with confidence, protect business assets at scale and reduce compliance risk.

For more on how PwC and SailPoint can help provide a cybersecurity strategy for today’s smart grid, check out our whitepaper.

© 2021 PwC. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.


[1] Verizon, “2020 Data Breach Investigations Report”

[2] SailPoint, “Using Identity and Access Governance to Mitigate Data Breach Risks”

[3] Ibid

