CYBER IIoT IN THE ENERGY SECTOR

The energy transition imposed on the sector suggests a solid digital transformation of the business model in search of operational efficiency, emissions reduction, and intelligence anchored in data. Cybersecurity in the industrial environment plays an essential role in managing new risks to unlock value, accelerate transformation, and protect investment (RODI*).

?

ENVIRONMENT IN TRANSITION

New opportunities in an expanding and transforming market are associated with renewable energy, carbon capture, use and storage, low-carbon hydrogen, and e-mobility, and these go far beyond the traditional value chain of the oil and gas sector.

There are naturally growing concerns about the confidentiality, integrity, and availability of information that supports these critical industrial environments.

?

TRANSITION RISKS

Scalability challenges to guarantee the Return on Digital Investments (ROID) are not small and involve the quality and availability of data; the agility of the operational model; the adaptability of workforce skills; and also due to financing restrictions that support so many changes.

The risk that most stands out to me is associated with the effects of the need to converge information technology (IT) and operational technology (OT) environments. There is evident value generation when we promote an integrated operation model, which is fundamental to achieving business efficiency objectives. However, it is necessary to understand and address the particularities of each of these environments to eliminate new unwanted risks.

?

TRANSITION IMPACTS

There is a notable difference in the potential impact of an information risk materialized in a corporate information technology environment compared to an industrial operating technology environment.

Despite some similarities, the magnitude and materiality of impacts tend to vary substantially. On the list, we have the potential slowdown in production-operational activities, the loss of revenue and market value, the loss of data that produces non-conformities and legal responsibilities, the theft of confidential data and intellectual property, environmental erosion in general, and also the risk of loss of human life.?

By definition, OT assets tend to be more critical precisely because they produce the potential for more extensive, severe, and lasting impact and damage to a wider range of physical, technological, and human assets.

The sector has been witnessing a volumetric increase in cyber attacks and a significant increase in the average financial cost resulting from a data incident that supports the operation, rising from 3.1 million dollars in 2015 to 4.6 million dollars in 2021. According to IBM's Cost of Data Breach Report 2022.

TRANSITION CHALLENGES

The energy sector needs new practices, models, and technologies to thrive. Information security risks are omnipresent and magnified in times of change. The sector needs to leave inherited and isolated organizational hierarchies in the past to embark on an integrated and convergent model between IT and OT that transforms it and allows its companies to be digital, agile, scalable, intelligent, safe, and resilient.

The challenges of digital transformation and sector convergence are complex in themselves and include: - automation toward IP

• IT and OT integration
• virtualization and cloud
• accesses and identities
• mobility and remote maintenance
• updating obsolete industrial plants
• new regulatory requirements
• embedded artificial intelligence

?

As a complicating factor, we have to take into account Brownfield environments that restrict the possibilities typically applicable to Greenfield environments, such as implementing the security-by-design model. We also have to seek creativity with defense-in-depth approaches such as layered security (FTH), which respects the limitations and technical specificities of the environment and, even so, provides additional and operational control within acceptable levels of information security.

?

CONCLUSION

The Industrial Internet of Things (IIoTs) is driving companies toward a fully integrated architecture with IT (information technology) and OT (operations technology) systems functioning as a unified entity. This new operating model must be surrounded by new controls and security standards that keep up with new levels of exposure and risk.

Credit: This keynote presentation was developed and delivered by Marcos Sêmola, serving as EY Cybersecurity Energy Leader LATAM during the Petrobras IIoT Congress in 2023. The entire video record can be seen at https://www.youtube.com/watch?v=rdOrTfE1mo8