Are governance gaps exposing energy companies to cyber attacks?

Who owns the cybersecurity agenda in your energy company?

The answer’s more complicated than you might think. Most energy companies have a chief information security officer (CISO), chief security officer or equivalent but, in my experience, they don’t always have oversight of the enterprise-wide cyber risk. This is largely due to the growing convergence of information and operational technology (IT/OT) across energy, complex large organizations and operating models. IT/OT is not a new issue, but it’s one that’s expanding exponentially, driven by the energy transition and rapid digital enablement of both legacy OT systems and new Industrial Internet of Things (IIoT) technology.

Technology is now embedded across all aspects of operations, but it’s often fragmented. It’s worrying to see different parts of the business adopting “shadow” solutions to meet the needs of rapid business transformation, often beyond the visibility of CISOs. We also see some original equipment manufacturers (OEMs) investing heavily in technology to improve their product values — but some of these technology changes or additions aren’t well communicated, so they go unnoticed by utilities’ cybersecurity teams. This is resulting in cybersecurity gaps that could lead to catastrophic breaches.

Mitigating the risk of these attacks requires developing a converged cybersecurity governance approach across an energy company’s entire ecosystem — one that takes a whole-of-business view of all digital systems, from IT, legacy OT and the new IIoT adoption across the business. But this kind of holistic approach can only be achieved by first getting governance right.

Cybersecurity always starts with governance

Governance is the starting point for any effective cybersecurity approach. It begins with defining who is accountable for cybersecurity, and supporting the appointed leader with executive endorsement and organization-wide mandates. This person needs authority and accountability to truly lead, with clear policies, reporting structures and executive support to enable:

Consistent enterprise-wide cybersecurity strategy

You can’t guard against risks that can’t be quantified or measured. For many energy companies, a lack of visibility across the digital ecosystem leads to blind spots or siloed cyber approaches, which erode cyber resilience. A CISO with an executive, enterprise-wide mandate can develop a holistic approach to architecture, technology, monitoring, reporting and threat response, and align the business behind it.

Meeting evolving regulations and adopting best practice

Cybersecurity regulations continue to expand and evolve, with particular focus on uplifting the maturity of cybersecurity protection for critical national infrastructure.

These regulatory mandates can certainly support the focus of energy company boards on the importance of cyber. But strong cyber leadership means going beyond what’s required, particularly in jurisdictions where regulations haven’t kept pace with technology, or where regulations across jurisdictions and industries overlap.

Proactively adopting best practice approaches is an energy company’s best defense as threats arguably escalate faster than regulatory reforms. For example, many consider the US government’s NIST Cybersecurity Framework to be best practice, and we see clients choosing to adopt its principles regardless of where they operate.

Of course, each cyber leader will need to consider their own approach — and be ready to adapt it as regulations and risks change. Building regulatory resilience means creating future-proof compliance approaches.

Building a cohesive cyber culture

Increasing IT/OT integration brings to a head the culture clash between the technology and operational teams within energy companies. As I wrote in a previous blog, these two professions just see the world differently. IT wants to move at speed to transform the business through technology. OT teams run highly specialized assets and are focused on safety and reliability.

Energy companies have long wrestled with the challenge of bringing these two groups together, but increasing IT/OT integration means it’s now an urgent priority. Effective leadership will be needed to create a culture around the unified mandate of securing the enterprise.

Strong governance can accelerate the merging of minds by bringing clarity to roles and responsibilities and driving top-down cultural change. Mandates (i.e., use of KPIs) can encourage collaboration, but success will require a mix of strategies aimed at building awareness and understanding. For example, training that emphasizes the link between IT vulnerabilities and safety can “speak the language” of OT professionals. Similarly, cyber leaders with an OT background or experience can arguably be more credible and effective in creating a common culture than those with a pure IT background.

Growing digitization creates an imperative to act now

Cyber breaches are almost always disruptive, but an attack on a critical energy asset could have dire consequences for the organization, the community — even an entire nation or region. As energy companies increase digitization across the enterprise, an expanding attack surface across IT and OT assets means bad actors will potentially exploit more weaknesses at points of integration. Energy companies must enact empowered governance within the organization to address these issues.

This blog is part of a series about cybersecurity in energy — you can read the other articles here:

How can energy companies build quantum resilience?

Why EMP attacks should be on energy companies’ radar

The metaverse is coming to energy

Three ways energy companies can adapt to rising cybersecurity challenges

Three reasons why cybersecurity in energy is more complex than ever

Is there another energy cybersecurity topic you’d like us to cover? Please leave a comment below or get in touch.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.

Kristin Milchanowski, Ph.D.

Chief AI and Data Officer at BMO Financial Group | Associate Fellow Oxford | Author | Race Car Driver

1 year

Excellent challenge here. I really like the notion of “empowered governance.”
