Legal Blog

A Dangerously Weak Link: Why Utility Companies Need to Be Prepared for Cyber Attacks

By Edward Tolchin, Esq. Cyber Security Attorney Imagine you are a low-level computer hacker. You want to extort money—let’s say millions—through cybercrime, so you are looking for a vulnerability in a system that will pay out big, and quickly. Who or what do you target? The United States government is probably out of the question: too risky and intricate. Most banks are similarly well-protected. A retail chain, on the other hand, may be feasible; but after the recent attacks on Target, Home Depot, Dairy Queen (the list goes on), most are on high alert. You need to find an unsuspecting victim, a target with financial weight but poor cybersecurity preparedness and which could, if possible, allow you to get in and out undetected. What about energy and utility companies? Bingo. An attack on an energy or utility company could potentially leave millions without power or clean water. And we are not just referring to the giant corporations such as Exelon, PG&E, and First Energy, which have armies of attorneys telling them to comply with cyber standards. The weak link is smaller, regional providers. Outside of major metropolitan areas, for instance, smaller, local companies control the power and water system. These organizations are frequently unaware of legal cyber requirements, and worse, often do not have the capability or monetary resources to comply. The current paradigm needs to change as soon as possible, not just for the obvious reasons (threats to life and safety), but to mitigate the enormous legal liabilities. Imagine…

  • …if power was cut off to an individual in a breathing machine.
  • …if a school lost access to clean water.
  • …the myriad, serious industrial and manufacturing accidents that could happen as a result of a power failure.

Those are just three examples. Suffice it to say that no power or water company can afford to ignore cybersecurity risk, as even the smallest providers are responsible for thousands of lives. The good news: compliance is achievable, and may in fact cost less than you think. If your company is vulnerable, conduct due diligence. Search around. While popular products can cost up to $10 million, some cybersecurity protection systems that meet National Institute of Standards and Technologies’ (NIST) standards are priced far less. Make sure to familiarize yourself with current U.S. cybersecurity standards and recommendations. You can find NIST’s Cybersecurity Framework here. The White House’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity is available here. There are also plenty of cybersecurity cases, legal developments, and potential legislation to keep an eye on. Here, for example, are some recent case summaries. Whatever situation you are in, talk to a lawyer. A cybersecurity attorney can help you understand cyber requirements and stay updated on cyber mandates and policies.  And, if you are the victim of an attack, a lawyer can help you understand your legally required responses, such as customer and government notifications, and build your defenses to potential lawsuits. To learn more about Offit Kurman’s cybersecurity practice group, click here. If you have a question about compliance for utility companies, or any other cybersecurity legal matter, click here to contact us.


Social Media PolicyMr. Tolchin’s practice is focused on government contracting, cybersecurity, business litigation, and technology matters. In government contracting issues, Mr. Tolchin represents prime and subcontractors in contract negotiation and formation matters and in disputes involving both government and commercial business issues. He has been involved in procurement cases before many of the federal and state boards of contract appeal, Government Accountability Office, Small Business Administration, United States Court of Federal Claims, Court of Appeals for the Federal Circuit and other federal and state courts across the United States. His Business litigation practice involves large and small matters in federal and state courts and before numerous arbitration panels. In the technology arena, Mr. Tolchin has assisted in disputes, licensing, and business development matters for clients ranging from startups to Fortune 500 companies.