Is your cyber approach to IT/OT convergence strategic or siloed? Seven steps can help energy companies build resilience.
IT/OT convergence is now top of mind for every energy CISO. But are approaches to securing this converged environment sufficiently strategic to provide genuine resilience?
It’s no surprise that the rapid escalation in attacks against operational technology (OT) assets and industrial control systems (ICS) is a focus of most energy companies’ cybersecurity agenda. On a recent visit to the EY OT Center of Excellence (CoE) in Warsaw, my conversations with clients, colleagues and industry analysts highlighted the urgent need for the sector to build greater resilience against more sophisticated threats. As outlined in a report by Dragos, the sector was the second most vulnerable industry to cyber attackers (after critical manufacturing) in 2022, according to disclosed US Computer Emergency Readiness Team (CERT) advisories (CERT is part of the Department of Homeland Security). More than one-third of attacks targeting power and utilities are focused on ICS/OT assets, compared with just 26% for all other industries.
But while companies are doing more to secure OT assets from cyber threats, I’m concerned that many approaches are siloed, not strategic. Convergence is happening almost by stealth as digitalization proliferates across the business and, bit by bit, legacy systems are connected to modern IT. New OT technology is supplied by a variety of vendors, and the energy ecosystem is ever expanding to include more third parties (and even fourth and fifth parties as part of the extended supply chain). Lack of governance, communication and support means technology is sometimes adopted in different parts of the business, without the knowledge of the CISO. And, as I’ve written about previously, gaps in governance can undermine clarity around who is ultimately responsible for securing this environment.
The result is a clutter of disjointed cyber approaches that creates a confusing, complex landscape, hampering effective threat detection and response (and hence increasing costs). Eighty-six percent of electricity companies struggle to gain visibility over their OT network, and energy CISOs are less confident than their counterparts in other industries, according to the EY 2023 Global Cybersecurity Leadership Insights Study; only 35% said their organization is well positioned to take on the threats of tomorrow, compared with 48% in all other industries.
Steps to success
There is no one-size-fits-all solution to the problem. Just as every energy organization’s IT/OT convergence journey is different, so too will be the approach to solving it. But taking a strategic view can help companies get ahead of risks, build resilience and gain the confidence to push forward with digital transformation. CISOs can lead the way through a step-by-step approach:
Chart your own IT/OT convergence journey
IT/OT convergence across energy will only grow — as will the risks (and consequences) of cyber threats. Energy companies can’t allow this threat to slow down digital innovation and transformation. Instead, getting a strategic cybersecurity approach in place can build resilience while accelerating transformation.
For a discussion on how to secure your own IT/OT environment, please get in touch.
This blog is part of a series about cybersecurity in energy — you can read the other articles here:
Is there another energy cybersecurity topic you’d like us to cover? Please leave a comment below or get in touch.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.
Seasoned Cybersecurity Advisory & Business Development | Decades of experience - Middle East, Turkey & Africa
1y Interesting read Clinton. Thanks for sharing.
CEO | Certified CISO & CISM | Entrepreneur, investor, author. Co-Founder & CEO of Streaming Defense, a cybersecurity firm for enhanced SOC XDR, AOT Proven leader in building and scaling innovative, high-growth companies.
1y Has been for a while IMHO. Mike
Digital Marketing Expert 6012-3458846 | SME Funding, Loan, Angel, VC | Open to Cofounding | Services: B2B Sales, B2B Leadgen, SEO, SEM, Content, Email, KOL, ABM, Meta Ads (FB), Google Ads, TikTok Ads
1y Great insights on building a strategic approach to OT cybersecurity in the energy industry, definitely a must-read!
EMEIA Cybersecurity Oil and Gas Leader
1y Great points Clinton Firth! Diverse teams, cultural understanding and board buy-in are often the underestimated items.
Partner | Digital Operations | Asset Management | Industry 4.0 | Industrial Automation | Mining & Metals | Oil & Gas
1y Clinton, great blog! Asset-intensive industries must have an integrated IT/OT cybersecurity program that encompasses governance, risk management, policies and procedures. Business and operations need to be accountable for OT cybersecurity (not only the IT team) and the operating model needs to cover checks and balances from the second line of defense. Thanks for sharing!!!