Guidehouse
Keshav Sarin is a director and leads the cybersecurity and compliance solutions team in Guidehouse’s Communities, Energy & Infrastructure segment, helping commercial clients, state and local governments, and federal agencies with cybersecurity strategy and implementation. Keshav brings more than twenty-eight years of professional experience in a variety of cybersecurity roles related to risk management, information systems development, and security controls management.
Where are utilities currently lagging best practices for managing risks to critical infrastructure? What immediate actions can they take today to mitigate those risks?
Keshav Sarin: Despite providing essential services such as electricity, water, and gas, many utilities lag in best practices for managing risks to critical infrastructure. Often, utilities are most comfortable on the lagging side of the technology curve, especially with operational technology, where refresh rates are measured in decades rather than years.
Key issues contributing to risk include outdated systems, a retiring workforce, interconnected networks, lack of automation, insufficient cyber resources, and poor visibility into security controls. If utilities are to address these challenges, they must immediately strengthen their infrastructure’s resilience measures.
Legacy systems are one of the most pressing issues the industry faces. Many utilities make themselves highly vulnerable to cyberattacks by relying on aging infrastructure that lacks modern security features.
As utilities’ staff embrace digital transformation, interconnected networks increase the risk of cyber threats spreading across systems. Interconnectivity benefits efficiency and revenue generation, but it expands the attack surface, particularly when utilities have been slow to adopt automation and advanced cybersecurity technologies that could identify and mitigate threats in real time.
The loss of experienced workers can lead to decreased network reliability, construction project delays, and higher costs. A resulting lack of skilled resources exacerbates the problem, leaving utilities ill-equipped to respond to emerging threats. Lastly, because of poor visibility into operational risk indicators, utilities can have difficulty with security controls and vulnerabilities, detecting adverse conditions, securely responding to incidents, and ensuring compliance with best practices.
To mitigate these risks, utilities must identify, prioritize, and protect key systems and networks by upgrading legacy infrastructure and segmenting networks to reduce the spread of cyber threats. Continuous monitoring and enhanced threat intelligence capabilities should be implemented to detect and mitigate adverse conditions in real time.
Recognizing that human error is a major vulnerability, utilities should train all employees on cybersecurity risks and best practices. Leveraging automation in operational and security processes can improve efficiency, reduce human error, and lessen the burden on staff.
Automation, especially AI, can improve visibility into all systems, reduce the total number of resources needed to monitor increased efficiency, and improve the overall risk posture. AI can help utilities design resilient, high-capacity networks that ensure reliable power delivery while minimizing infrastructure costs. One caution is that AI-driven facilities can lead to voltage fluctuations and grid imbalances, which utilities must manage if they are to maintain a consistent power supply.
By taking these actions today, utilities can significantly enhance their resilience and protect critical infrastructure from evolving risks.
