Looking back at the 2022 World Economic Forum Annual Meeting in Davos, Switzerland, few global policymakers and business leaders could have predicted the year ahead. However, the sudden effects of the global pandemic, the invasion of Ukraine, and critical supply chain disruptions have destabilized the entire global energy ecosystem.
These crises fundamentally changed geopolitics and threatened energy and economic security. But they also explained how digital technology can be used to address these issues and the existential threat of climate change through an efficient energy transition.
Digitization: Threat and opportunity
The solution to energy security and the energy transition is an ecosystem driven by the electrification, decentralization, and diversification of energy technologies, all supported by digitalization.
This future is possible because the energy industry has embraced the Industrial Internet of Things (IIoT). It enables operational technology (OT) to digitally manage physical energy assets and integrate them with information technology (IT) software applications that leverage artificial intelligence (AI), machine learning, and cloud storage.
But the Industrial Internet of Things and hyperconnectivity will also make tomorrow’s energy ecosystem vulnerable to cyberattacks.
Energy companies are rapidly adopting the Industrial Internet of Things to power their entire business model, and this shift presents an unprecedented security challenge for Chief Information Security Officers (CISOs).
CISOs are increasingly responsible for securing billions of physical and digital connections to enable low-carbon or carbon dioxide emissions. For example, they may need analytics and sensors to balance power grid fluctuations or predict electric vehicle charging demand. They may also need to enable smart meters on home solar devices to communicate with the utility.
Never before has so much of our physical infrastructure—a mix of machines and OT control systems—been so embedded in digital networks and vulnerable to cyberattacks.
Whether attackers want money or to cripple a rival country, the energy sector is an attractive target. Industry research shows that the number and sophistication of cyberattacks against energy organizations continues to grow. At the same time, countless reports suggest that energy companies—from CEOs to CISOs to middle management and early-career employees—are ill-prepared to protect the next wave of digitally connected critical infrastructure from cyberattacks.
If energy companies are going to adopt a digital business model, they must equally invest, prioritize, and train in cyber security. The combined force of digitization and carbon emissions has brought drastic change to energy companies. However, many CISOs lack the tools and skills to protect it. Essentially, the CISO role must evolve from a previously technology-focused position to a broader industry role to reflect the important role digital technology is playing in the new energy ecosystem.
CISOs must manage a new type of Security Operations Center (SOC) with equal IT and OT visibility and contextual capabilities to accommodate this new hyperconnectivity. They must also manage this era of persistent threats with a new framework of cyber-resilience principles spread across organizations.
Adapting to the digital future
Securing the energy transition starts with adapted management models, new technological solutions, and priority staff and solution investments. Here are four ways the energy industry can adapt to advance and secure its digital future.
1. Educate and update management
The CISO must have access to and open relationships with the company’s board members and senior management, as well as strong working relationships with government officials and regulators outside their organization. These relationships are essential for rapid communication and coordination around incidents and vulnerabilities before new threats emerge.
Through communication channels open to executives, CISOs can advocate for international standards and procurement policies, such as ensuring that National Institute of Standards and Technology cybersecurity frameworks are incorporated into new projects.
Externally, CISOs have an advantage over government officials in providing vulnerability updates and participating in resilience improvements. To see the importance of this, look at the US Department of Homeland Security’s “Shield’s Up” campaign, led by its Cybersecurity and Infrastructure Agency, to proactively protect energy companies from Russian cyberattacks following the Ukraine attack.
2. Monitoring and Detection Processes at Scale
Technologically advanced automation is transforming industrial cybersecurity monitoring and detection. AI tools enable automation that integrates a huge number of variables and observes their relationships, meaning that attacks on the OT can be detected based on the physical consequences they cause.
This information can help meet incident reporting requirements or be quickly shared with industry partners to help other vulnerable companies stay alert. New technologies designed specifically for industrial environments help CISOs monitor, identify, and resolve threats faster and more accurately than ever before. However, true cyber resilience prioritizes the security of the institutions and systems that make up the energy industry ecosystem.
3. Adopting a shared responsibility model across the organization
Although CISOs form the core of an organization’s digital and security transformation, no one person can be responsible for cyber resilience. Energy companies must embrace the ethos that cyber security is the responsibility of every employee. Personal and organizational success within an organization must be tied to meeting, maintaining, and exceeding cyber hygiene metrics and standards.
Shared responsibility includes ensuring compliance with basic IT measures such as implementing two-factor authentication, regularly changing passwords, and following zero-trust principles. Additionally, recruiting, training, and nurturing cybersecurity experts with expertise in the field is critical to long-term success.
4.Assert your organization’s cyber resilience.
Ultimately, resilience will fail without dedicated investments to integrate cyber security into every aspect of an energy company’s business model.
Industry leaders, investors, and shareholders must change their view of cyber security as an afterthought or an optional extra. Instead, cybersecurity must be seen as an advantage—even a competitive advantage. This is important for the security, reliability, and long-term reputation of the company.
Energy managers must invest more capital in new projects to ensure their security, as well as design and modernize existing projects with state-of-the-art solutions for threat detection and prevention. But investing in cybersecurity isn’t a one-time expense.
To meet long-term challenges, organizations must continuously invest in cyber security in terms of new technologies, operational budgets, and personnel.