Convergence creates exposure
As the Australian Cyber Security Centre warns, the very complexity of critical infrastructure – its networks, supply chains and management systems – makes it an irresistible target for malicious actors.
Yet more than six in 10 (62%) energy and resources cyber leaders say they’re either not consulted at all, or consulted too late, when strategic business decisions are made. That’s according to the 2025 EY Global Cybersecurity Leadership Insights Study.
The consequences are clear. Around the world, ransomware has forced oil pipelines offline, water treatment plants have been disrupted, mining companies have had sensitive commercial data stolen and grid operators have faced attempted electricity network disruption.
In each case, what begins as a digital incident can quickly escalate into a cyber-physical disruption with immediate economic and community impact.
Infrastructure lasts decades, attacks change daily
In other industries, technology cycles turn quickly. But in energy and resources companies, operational technology is built like the infrastructure it supports: mines, turbines and transmission assets are designed for decades.
This mismatch between slow-moving physical assets and fast-moving digital adoption creates a widening gap in cyber protection. Legacy equipment was never designed for today’s interconnected reality. Trying to retrofit cyber controls to this legacy infrastructure is like turning a cruise ship.
Risks that ripple
Cyber is unlike other risks. We can model a maintenance failure rate. We can’t model when a ransomware strike will hit. That’s why posture – knowing where you stand, what you can tolerate and how prepared you are to respond – is critical. We recommend a ‘three-speed’ cyber response:
- Remediate continuously: Patch vulnerabilities and close loopholes as they appear.
- Uplift strategically: Define risk appetite at board level, then build capability to strengthen cyber posture over time.
- Invest in automation and AI: Invest now to stay competitive as the velocity of change accelerates, and to build the ability to ‘do more, with less’.
Cyber is not a one-off investment. It’s an ongoing capability, as essential as the infrastructure it protects. Without this approach, cost pressures are likely to hollow out cyber budgets.
Yet 42% of CISOs in the energy and resources sector admit it’s hard to articulate their role beyond risk protection. That makes it harder to win the leadership focus and budget required to support the energy transition.
The answer isn’t to simply spend more. It’s to reframe cyber as a value creator and embed it into the energy transition itself.
From protector to value creator
Traditional security spend defends, but rarely multiplies value. In contrast, EY research finds value-creation spend generates 6.6 times greater returns. When embedded early, cyber builds trust, protects commercially sensitive information, sustains productivity and enables innovation. Our research shows it adds US$38 million of value to every major initiative in the sector.
Cybersecurity has long been treated as the cost of protection. But in a sector that keeps the lights on, drives GDP and enables the energy transition, it is the linchpin of safe transformation.