Three reasons why cybersecurity in energy is more complex than ever

Has the war in Ukraine increased cybersecurity threats for energy and resources companies that own and operate critical assets? Perhaps. But in reality, the cyber threat landscape for utilities had been becoming more complex long before the conflict for three key reasons.

Broader digital transformation

Digital transformation is now integral to our working world. Every single organization has felt the impact of the proliferation of technology, and the data it generates, and most are rapidly embracing its potential.

For energy companies, the digital transformation is combined with the transition to renewable energy and the rise of distributed energy resources, amplifying its impact and driving a fundamental change in business strategy. Utilities are adopting completely different, digitally enabled ways of working - smart meters, remote operating centers, and autonomous trucks are just some of the examples of how technology is changing the industry. These offer huge possibilities for productivity, efficiency, and safety improvements, but they also significantly increase the potential surface area for cyber attacks.

?Increasingly complex technology

One of the biggest concerns I hear from cybersecurity teams in energy companies is the ability to keep pace with the sheer pace of technological change.?

The challenge is twofold. First, it can be difficult for some companies to understand how their digital landscape is changing as new tech-enabled assets and tools come on board. For example, I see global energy companies trying to manage the cybersecurity implications of having up to 10 different Cloud providers and trying to govern across these platforms. Recent research found that 87% of utilities say that the use of multivendor technologies is hindering visibility of their entire attack surface.

The second part of the challenge is the complexity of the tech itself. An increasingly advanced digital ecosystem is difficult to govern, review and provide assurance over. EY research found that half of utilities say they just don’t understand the new strategies they face from cyber criminals.

IT and OT integration

As digital transformation expands across energy, so too does the integration of IT and OT.

The challenge is that these two sides of the business are very different – traditionally designed to remain separate and run by people with different skills and different mindsets. While IT is leading the business to embrace the potential of technology, OT is focused on safety and availability. OT professionals run highly specialized digital assets, with particular requirements around operations, configuration and code. Many have been designed to operate for decades, in some cases, without the provision for security updates as technology evolves.

Integration between the two is being driven by technologies, including automation and IoT, that are fast becoming critical enablers of the business. These technologies enhance the operations of assets through, for example, predictive maintenance, and the data they produce guides broader organizational strategy in areas including the customer experience, supply chain optimization, and others.

The potential for an IT or OT integrated utility is enormous, but protecting it is problematic. Cybersecurity attacks on OT are rising – 87% of utilities say they’ve seen an increase over the past few years. Building resilience against a growing threat will require the business to come together and develop a holistic cyber strategy.

Has the war in Ukraine made it worse?

These three factors have created a more complex digital landscape for energy and resources companies.

We’ve seen ransomware attacks on gas pipelines, energy infrastructure companies, oil refineries and electricity grids, among others, with incidents causing widespread, prolonged disruption, even when ransom demands are paid quickly. ?Ransomware attacks have risen 150% in the past year, according to the World Economic Forum, and are focusing the attention of government and industry alike on exposure of critical infrastructure to an IT attack, the significant impact of these attacks and the need for businesses to urgently reassess their protection of these assets.

But what’s even more concerning to energy companies is an increase in nation-state-sponsored cyber attacks on critical infrastructure. There has been huge concern that the war in Ukraine would significantly increase these attacks – to date, the threat has not come to pass quite as feared.?But we have seen cyber used as a weapon, including in denial-of-service attacks where systems are overwhelmed, making them inaccessible. ?

These incidents highlight that cyber attacks don’t have to be particularly sophisticated to enact major outages or damage. The release of “zero-day vulnerabilities” in malicious software can indiscriminately cause collateral and unintended damage, bringing down operating systems that many organizations, including energy companies, depend upon to run their assets safely and reliably. ?

Get ready for a new era in energy cybersecurity

Perhaps the greatest impact of the war in Ukraine on the cyber landscape has been to encourage regulators to intensify their response to threats.

Governments were already doubling down on efforts to protect key assets. In 2021, the US Department of Homeland Security issued a directive requiring owners and operators of critical pipelines to implement urgent cyber protections. Earlier this year, Australia finalized reforms to its Security of Critical Infrastructure Act, imposing new cybersecurity obligations on operators of critical assets, such as utilities. Europe’s European Network of Transmission System Operators for Electricity (ENTSO-E) has announced a new cybersecurity code that aims to improve resilience of cross-border electricity supply.

These changes are just a snapshot of an evolving global regulatory landscape. Many of my clients tell me that navigating regulation – which for some, includes the increased presence of law enforcement in ensuring compliance – is now one of their biggest challenges. And more than half of US energy and utilities businesses rank cyber threats as their top risk.

How can energy and resources companies keep up with these changing compliance obligations? And, beyond compliance, how can they build the robust cyber resilience required for a more complex digital landscape?

I have some thoughts – but you’ll have to stay tuned for my next blog, where I’ll outline four steps that can guide a future-proof cyber strategy. In the meantime, please share your thoughts in the comments or get in touch.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.