Cybersecurity Priorities and Opportunities in the Energy Sector

The energy sector is under constant attack from cybersecurity threats. Whether it’s a targeted attack
from a nation-state or an opportunistic malware infection, energy companies need to be prepared to
deal with any type of new threat and vulnerability. Fortunately, a “structured approach that applies
communication, organizational, and process frameworks can significantly reduce cyber-related risks,” as
McKinsey described in November 2020.

 

In this article, we look at the latest cybersecurity developments and trends in the energy sector. We
discuss some of the most effective solutions and biggest threats that energy organizations face today.
Finally, we offer recommendations for cybersecurity leaders in the energy sector about how to improve
their security posture in the years to come.

 

The Evolution of Energy Sector Cybersecurity

 

 

In the past decade, cybersecurity and cyber threats have evolved significantly in the energy industry. In
particular, the rise of nation-state actors and their increasing use of cyber weapons has made
cybersecurity a top priority for energy companies. “Ransomware attacks [against energy sector
organizations] have risen 150% in the last year and are increasingly successful with conventional
defenses often inadequate,” the World Economic Forum reported in February 2022.

 

Furthermore, the increase in digitization within the sector has created new opportunities for attackers
to exploit vulnerabilities. A 2021 MIT Technology Review report describes digitization as “widening the
surface for cybercriminals to attack.” Cybersecurity has become an increasingly complex and challenging
issue for organizations in the energy sector as a result.

 

One of the most notable vulnerabilities from the energy sector is characterized by outdated and
vulnerable industrial control systems (ICS) on which many energy organizations continue to rely. For
example, the recent Colonial Pipeline industrial control system hack “demonstrated the power of
malicious actors to shut down our nation’s critical energy infrastructure and disrupt our energy supplies,
economy, and everyday lives,” the U.S. Department of Energy describes.

 

Indeed, vulnerabilities in industrial control systems (ICS) represent one of the sector’s most unique
cybersecurity challenges. But the sector also faces a shortage of cybersecurity talent, which makes it
difficult to adequately staff cybersecurity teams. Furthermore, energy companies need to improve their
incident response capabilities and strengthen information sharing between organizations as new threats
arise.

 

Recent Progress Towards Cybersecurity Transformation

 

Fortunately, there has been progress thanks to several recent efforts to improve cybersecurity in the
energy sector. One such effort is the establishment of the Cybersecurity for Energy Delivery Systems
(CEDS) program by the U.S. Department of Energy. This program is designed to support utilities and
other energy companies as they work to secure their systems against cyber threats. Additionally, several
private-sector initiatives have been launched; this includes the Energy Security Leadership Council
(ESLC), which is a group of energy industry CEOs who are working to improve cybersecurity both at their
own organizations and across the industry at large.

 

There are several cybersecurity solutions that are especially effective within energy industries as well.
More advanced industrial control system (ICS) security suites help to secure critical infrastructure
against cyber threats. Additionally, data loss prevention (DLP) solutions can be used to prevent sensitive
data from being leaked, and incident response plans can help organizations to respond to cybersecurity
incidents quickly and effectively.

 

A Structured Approach to Cybersecurity

 

 

None of these changes is possible without a strategic approach to cybersecurity transformation. Next,
we will consider how energy companies can implement a structured approach to cybersecurity
progress. This includes transformation of communication, organizational, and process frameworks to
realize long-term improvements to these organizations’ security postures, even as new threats emerge.

 

Transforming Communication

 

A structured cybersecurity approach should include clear and concise communication between all
parties involved. Energy companies need to ensure that they are sharing information about
cybersecurity threats and incidents in a timely and effective manner. This includes cybersecurity teams,
executives, and other stakeholders.

 

Additionally, it is important to have a clear understanding of the organization's cybersecurity posture, as
well as its incident response plan. “One of the [COVID-19] pandemic’s most important legacies will be
greater communication between CISOs and CEOs and/or boards,” PwC described in August 2021. “This
welcome change is strengthened by a cyber strategy reset: nearly half (45%) plan on baking
cybersecurity and privacy implications into business decisions and a new process for cyber budgeting.”

 

Organizational Changes

 

Organizational changes that should be made as part of a structured cybersecurity approach include the
appointment of a cybersecurity leader, the development of a cybersecurity policy, and the
implementation of cybersecurity training for all employees.

 

 

McKinsey recommends implementing “a well-designed and well-tested incident response plan” that
features “enough institutional muscle memory from plan exercises to minimize the impact of a large-
scale attack quickly and decisively.”

 

Updated Process Frameworks

 

The term “process frameworks” refers to cybersecurity arrangements unique to the varied processes in
the energy sector—namely, the “different methods of production and parts of the generation,
transmission, and distribution chain” where technology differs greatly even in a single organization.
Defining cybersecurity solutions, methodologies, and responsibilities within these frameworks is
essential to reduce risks associated with a surface for attack that is wide by nature of the industry.

 

Recommendations for Energy Sector Cybersecurity Leaders

 

There are clear initial steps cybersecurity leaders in the energy sector can take to get their organizations
on the right path towards advanced security resilience. Some opportunities as they get started include:

 

•  Invest in industrial control system (ICS) security suites. Elements of ICS security suites include
  firewalls, intrusion detection and prevention systems (IDPS), and cybersecurity event and
  information management (CEIM) systems.

 

•   Implement data loss prevention (DLP) solutions. Elements of DLP solutions include data
  classification, encryption, and access control.

 

•  Develop and test incident response plans. Elements of incident response plans include the
  identifying and containing cybersecurity incidents; defining and practicing communication
  methods between stakeholders; and conducting post-incident reviews.

 

•  Staff cybersecurity teams with adequate personnel. Cybersecurity skill sets to look for when
  staffing in the energy sector include experience with the systems and methodologies listed
  above—ICS and DLP systems as well as test incident response plans. Successful individuals will
  be comfortable helping prepare and implement elements of a structured approach to
  cybersecurity—including transforming communication, supporting organizational changes, and
  assisting in updating process frameworks—as those needs arise.

 

Cybersecurity leaders in the energy sector should also consider partnering with other organizations with
cybersecurity expertise, such as law enforcement agencies and cybersecurity service providers. These
resources can supplement a lack of internal talent and help to improve their overall security posture.

 

Conclusion

 

Cybersecurity is a complex and challenging issue for the energy sector; with little doubt, it will become
more complicated over time. Even so, recent developments and trends suggest the energy sector is
beginning to take cybersecurity more seriously. These include the development of cybersecurity
frameworks, an increase in investment in cybersecurity solutions, and a greater focus on cybersecurity
training and awareness.

 

Partner with Semifly as You Begin Your Cybersecurity Transformation

 

If you are interested in identifying and launching successful cybersecurity methodologies at your own
organization, Semifly can help. Contact one of our cybersecurity experts for a free consultation today.