
Powering the future: Three priorities for power sector cybersecurity

Richard Wilson, Partner, Cybersecurity & Privacy, PwC Canada


The start of every year brings with it the chance to take stock. And when we look at what has happened in the last year, both on a global scale and here in Canada, it becomes apparent that now is a critical time for both the power sector and the organizations and ratepayers it serves.

Global power sector and utilities transformation has been gathering pace for the last several years, driven by changing customer expectations and the rapid adoption of increasingly networked technologies. And now this has all been accelerated in an unprecedented way by geopolitical events and COVID-19. In fact, our recent Canadian Digital Trust Insights 2021 survey of business and technology executives found that 44% of Canadian respondents say they expect accelerated digitization to be a likely outcome of COVID-19.

Make no mistake—events of the last year haven’t left the power sector untouched. Within our sector, many generators, transmitters and distributors are moving to the cloud and speeding up their digitization programs. Customer-first strategies are proliferating across utilities. And CEOs and boards are turning to their CISOs to secure these changes. Security teams are being asked to be enablers of change and not just protectors.

Security technology is maturing too. Emerging tools are offering more comprehensive capabilities, and as a result, security teams are being challenged to bring increased skills and capabilities to integrate these tools into the business as a whole. It is also increasingly important to replace earlier-generation security tools that can’t keep pace with current-day threats and attack techniques.

So what will this all mean for the future of cybersecurity in our sector? Take a look at three priorities for power sector security as we move further into 2021.

1. Migrate securely to the cloud (if you haven’t already)

According to our Canadian Digital Trust Insights survey, almost a quarter (24%) of Canadian respondents strongly agree that moving more services and infrastructures to the cloud will be foundational for the next generation of business solutions in their organization. And a third of Canadian respondents (33%) strongly agree that new solutions exist to secure cloud infrastructures better than they have ever been in the past.

We’re seeing this reflected in the power sector. Many power companies are quickly moving more of their environment to the cloud. They’re doing away with static legacy systems in favour of more dynamic, nimble integrated cloud and network systems.

While most cloud systems claim security by design, CISOs understand that implementing secure transitions to the cloud is a complex process. Privacy, data residency and access management are just three requirements that need to be considered. Significant changes to enterprise architecture are also needed. We encourage CISOs to raise these requirements early and position their office as an enabler, as it’s important that management doesn’t view the security team as an impediment to technical advancement.

2. Pivot from data protection to Data Trust

We have noticed a merging of data security-related activities in recent years. Our data protection team has been intersecting with our data governance and privacy teams within the same clients. Why? These topics have significant interdependencies, and to manage data effectively and securely, collaboration needs to happen among them. Regardless of where you start, all these stakeholders and processes converge.

Power companies should develop an overarching Data Trust strategy to address these interconnected areas. Utilities, in particular, should consider this approach, given the importance of customer data to their reputation. Our formula is: Data Trust = Data Management and Governance + Data Protection + Privacy + Legal. This consolidated strategy reduces redundancy and effort, gives CISOs a full view of data locations and flows across the enterprise and reduces data silos or gaps within the organization.

3. Take advantage of access management success factors

Identity and Access Management (IAM) and Privileged Access Management (PAM) are a significant focus for the power sector right now. We estimate that between 30% and 40% of local distribution companies (LDCs) are considering a major program implementation in the next 24 months.

One of the biggest challenges in these implementations is having the necessary skills and knowledge within the company to engage with IAM and PAM implementation service providers. These are complex processes with equally complex decisions and approvals to be made. We encourage CISOs to include additional budgets to support IAM/PAM training and more rounds of review and approval than may be initially apparent.

Bringing it all together

We’re at a critical juncture for cybersecurity and the power sector. Amid the sweeping and fast-paced digitization we’re seeing, an important first step for business and security leaders will be to develop a business-driven cyber strategy that includes these three priorities, among others.

This reset will not only more clearly define the expanding role of the CISO, but it will also affect the way power companies set cyber budgets, invest in security solutions and resource their security organization.

This will position CISOs and their teams to become stewards of digital trust, able to lead their organizations securely through technical transformations with strategies to protect business value—and to create it.
