By Nirpendra Ajmera
Electrical and water utilities are crucial because societies rely on electricity and clean water to run institutions and support personal well-being. Interruptions in these areas affect public health, economic stability, and, in some cases, national security.
Major Risk Factors Affecting Electrical and Water Utility Companies
Electricity and water utilities face several risks; the key ones are outlined below.
1. Physical Risks
The U.S. Department of Energy reported that 70% of power generation and distribution infrastructure in the United States is over 25 years old and requires expansion and upgrading. Infrastructure, including transformers, pipelines, and similar networks, is more likely to fail as it wears out or reaches the end of its expected life span.
In water utility organizations, everything from reservoirs and pump stations to sewage lines and treatment plants relies on a network of pipes to deliver and treat water, but many of these pipes are near the end of their useful life. Per the American Water Works Association (AWWA) State of the Water Industry (SOTWI) 2023 report, “Rehabilitation and replacement of aging water infrastructure ranked as the most pressing issue facing the water sector, as it has for these five years and more than a decade.”
The frequency of natural disasters has been rising in recent decades. In 2020, the National Oceanic and Atmospheric Administration (NOAA) disclosed that there were twenty-two weather and climate events in the United States, including hurricanes, wildfires, and severe storms, each of which cost a billion dollars. Events such as these put intense pressure on utility infrastructure, requiring response and repair at significant cost.
2. Operational Risks
Operational risks are the factors that make it difficult for a utility to provide uninterrupted service. The report published by Protiviti for 2024 identifies supply chain uncertainty as a continuing key concern. The overall uncertainty has reduced, but it remains one of the top five risks for 2024.
Inadequate human capital is also a severe limitation for utilities, since they require professional workers to manage and operate their facilities. A workforce shortage in the utility sector will increase operational risks. The Bureau of Labor Statistics of the United States estimates that the energy sector will lose 20 percent of its human resource base by 2030 because of retirement and poor recruitment, making the sector more prone to operational failures. A 2023 report by Electrical Human Resources Canada indicated that 83% of employers anticipate difficulties in attracting workers to the sector by 2028.
3. Environmental Risks
Of all the environmental threats facing utility companies, climate change remains a significant risk. Climate variability, including increased temperatures, unpredictable rainfall, and frequent disasters, affects both water and electricity usage in utilities.
According to the Intergovernmental Panel on Climate Change, water demand is expected to rise from 2000 to 2050, and water supply could be reduced due to climate change factors. Such projections place immense pressure on water utilities to increase the efficiency and flexibility of their service delivery.
4. Cybersecurity Risks
As technology advances, it also introduces new kinds of risk in the management and operation of utilities. For example, electrical grids and water utilities use Supervisory Control and Data Acquisition (SCADA) systems to control and monitor physical processes such as the transmission of electricity, the transportation of oil and gas in pipelines, and water distribution. These systems can often be prone to cyber attacks in the absence of proper network segmentation and access controls.
In a World Economic Forum survey conducted in 2020, about 60% of utility organizations claimed that they had been victims of one or more severe cyber-attacks in the previous year. One example is the 2021 attack on the Colonial Pipeline Company, the largest fuel pipeline in the U.S. A similar attack on electrical or water utilities would have a similarly disastrous result.
5. Regulatory Risks
Utility companies also face legal and regulatory requirements at the local, state, and federal levels. Environmental, safety, and reporting regulations are being updated in developed countries, which poses a challenge to utilities. Failure to comply can lead to severe fines, the loss of public trust, and restrictions on operations.
For example, the recent changes to the Clean Water Act and the Clean Air Act have imposed more regulatory conditions on water utilities, seeking to limit releases and the introduction of pollutants into the water. The same trend is evident in the extra layers of cybersecurity rules in the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards.
Use of Risk Management to Enhance Operational Resilience
It is therefore crucial to introduce a risk-based approach to operational resilience when addressing the numerous threats present in the utility sector.
1. Risk Identification and Assessment
The first step is risk identification and evaluation, which forms the foundation of the risk-based model. Utilities must engage in periodic risk analysis to identify risks that may exist in their infrastructure, functionality, and security. This can be done through suitable trend analysis. Past incidents and claims are particularly valuable for predicting future events. Better reporting tools can save risk and reporting managers significant time.
2. Risk Mitigation and Adaptation
Once risks are identified, utilities need to develop risk management measures. For physical risks, this could mean investing capital in replacing old transformers and strengthening substations to prevent failure due to physical causes, such as floods. For the regulatory risks, water utilities might be forced to reduce water consumption through water rationing or to explore other water sources in instances where the water supply is inadequate due to drought. It is important to benchmark against the various federal and state cybersecurity regulations and recommendations and key frameworks such as the National Institute of Standards and Technology (NIST) framework.
In the field of cybersecurity, it is crucial for utilities to implement key protection measures such as the following (this is not an all-inclusive list):
- Cybersecurity Management Controls such as Security Information and Event Management (SIEM), Patch Management, and Log Management.
- Network Controls such as Firewalls, Network Intrusion Detection Systems, and Network Behavior Anomaly Detection.
- Information Controls such as Encryption, Public Key Infrastructure (PKI), and Secure File Transfer Protocol (SFTP).
- Asset Controls such as Antivirus and server and desktop hardening.
It is critical for any utility organization to instill a safety culture among its employees. Similarly, it is also important to prepare crisis and reputation management plans in advance.
3. Business Continuity Planning
Top management within utilities should develop and implement detailed business continuity strategies, including procedures to follow during emergencies to maintain service. This includes having backup power sources, identifying emergency communication means in case normal communication channels are disrupted, and entering mutual aid agreements with other utilities in the region in case they are overwhelmed.
Critical threats to electrical and water utilities include older and deteriorating infrastructure, climate change, regulatory compliance, and cybersecurity. A risk-based approach to operational resilience means that utilities can enhance their ability to prevent, detect, respond, and recover from adverse events. These precautionary measures will not only support the protection of essential services but also address the necessary structural changes for sustainable and secure societies in the future.
(The author is an internal audit leader in a utility organization. Views are personal)