Plugged in, exposed: Why cyber is the new risk frontier for industrials and energy




The convergence of energy and resources is accelerating the net-zero transition. But it’s also multiplying the cyberattack surface. So why are just 12% of the sector’s cyber specialists consulted early in strategic decisions?

The energy transition is erasing established sector borders. Critical minerals move from pit to panel to battery to turbine, and back into the systems that power daily life. Oil and gas companies are investing in renewables. Utilities are becoming digital platforms that connect homes, vehicles and grids. What were once parallel industries are now an interdependent circuit.

As these sectors converge, they must share data across boundaries and manage infrastructure never designed for interoperability. This interconnectivity multiplies the cyberattack surface.

Convergence creates exposure

As the Australian Cyber Security Centre warns, the very complexity of critical infrastructure – its networks, supply chains and management systems – makes it an irresistible target for malicious actors.

Yet more than six in 10 (62%) energy and resources cyber leaders say they’re either not consulted at all, or consulted too late, when strategic business decisions are made. That’s according to the 2025 EY Global Cybersecurity Leadership Insights Study.

The consequences are clear. Around the world, ransomware has forced oil pipelines offline, water treatment plants have been disrupted, mining companies have had sensitive commercial data stolen and grid operators have faced attempted electricity network disruption.

In each case, what begins as a digital incident can quickly escalate into a cyber-physical disruption that can cause an immediate economic and community impact.

Infrastructure lasts decades, attacks change daily

In other industries, technology cycles turn quickly. But in energy and resources companies, operational technology is built like the infrastructure it supports: mines, turbines and transmission assets are designed for decades.

This mismatch between slow-moving physical assets and fast-moving digital adoption creates a widening gap in cyber protection. Legacy equipment was never designed for today’s interconnected reality. Trying to retrofit cyber controls to this legacy infrastructure is like turning a cruise ship.

Risks that ripple

Cyber is unlike other risks. We can model a maintenance failure rate. We can’t model when a ransomware strike will hit. That’s why posture – knowing where you stand, what you can tolerate and how prepared you are to respond – is critical. We recommend a ‘three-speed’ cyber response:

  1. Remediate continuously: Patch vulnerabilities and close loopholes as they appear.
  2. Uplift strategically: Define risk appetite at board level, then build capability to strengthen cyber posture over time.
  3. Invest in automation and AI: Invest now to stay competitive, and to gain the ability to ‘do more, with less’, as the velocity of change accelerates.

Cyber is not a one-off investment. It’s an ongoing capability, as essential as the infrastructure it protects. Without this approach, cost pressures are likely to hollow out cyber budgets.

Yet 42% of CISOs in the energy and resources sector admit it’s hard to articulate their role beyond risk protection. That makes it harder to win the leadership focus and budget required to support the energy transition.

The answer isn’t to simply spend more. It’s to reframe cyber as a value creator and embed it into the energy transition itself.

From protector to value creator

Traditional security spend defends, but rarely multiplies value. In contrast, EY research finds value-creation spend generates 6.6 times greater returns. When embedded early, cyber builds trust, protects commercially sensitive information, sustains productivity and enables innovation. Our research shows it adds US$38 million of value to every major initiative in the sector.

Cybersecurity has long been treated as the cost of protection. But in a sector that keeps the lights on, drives GDP and enables the energy transition, it is the linchpin of safe transformation.

 

This is part of a five-article series, Cyber at the speed of machines. If you missed it, catch up on Richard Bergman’s overview and Meaghan Stackpole’s perspective on consumer businesses. And look out for the instalment on how cyber can help governments strengthen citizen trust with Dave Ruzicka, and the view on New Zealand by Louise Theunissen.

The views expressed in this article are the views of the author, not Ernst & Young. This article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.
