How cyber security can keep pace with the energy transition

New global research offers insights for cyber teams as they adapt critical infrastructure defences for a rapidly evolving energy landscape.

Cyber security needs to keep pace with Australia’s energy transition. As the nation’s energy landscape transforms at high speed, adding new types of generation, battery energy storage systems and smart grid technologies, the importance of cybersecurity has never been more pronounced. Businesses in the sector must not only embrace innovation but also fortify their defences against evolving cyber threats.

Every company in every sector is suffering from an expanding attack surface, with remote work and complex technology ecosystems creating a proliferation of emails, end points, identities, cloud apps and workloads. Energy organisations have to contend with all of this, plus the realities of a decarbonising electricity environment.

A smart grid powered by renewable energy, and all the assets within it, presents a massive and growing attack surface. For distributors, the energy transition has introduced a two-way flow of energy and information between renewable generators and batteries, solar rooftops and the grid, and a host of other connections.

Everything that enables reliable electricity delivery in a renewable energy environment – end-to-end connectivity, automated asset management, and continuous data and feedback – also increases vulnerability to attack. Every user, device and interaction is a potential threat and must be continuously authenticated, monitored and validated. Cybersecurity functions are finding it challenging to collaborate effectively with the managers who control operational assets. Original equipment manufacturers and legacy operational technology environments are also obstacles to change.

Against this backdrop, we are entering an era where the physical consequences from cyber are inevitable. The rapid convergence of IT with OT/IoT is blurring the boundaries between cyber risks and the physical world. Gartner is predicting that, by 2025, cyber attackers will have weaponised operational environments to successfully harm or kill humans. Viewed through this lens, it’s fair to say that most current visibility and monitoring are inadequate.

Cyber teams are also working in an environment where the velocity of the threat landscape is outstripping organisations’ ability to execute. WhiteHat Security estimates that two-thirds of all applications used by utilities had at least one exploitable vulnerability open throughout the year. Threat actors, including Wizard Spider, Electrum, Gold Southfirld, Dymalloy, Xenotine, Darkside and Parasite, are increasingly targeting utilities.

Cyber teams must consider a growing plethora of threats and risks, including ransomware on IT or OT networks, SCADA system and IoT compromise, credential disclosure, data theft, denial of services, zero-day attacks and web application hijacking.

Research finds room for improvement

The energy industry is well aware of these risks and has ramped up investment in cybersecurity in recent years. Globally, 44% of energy organisations are spending more than USD50 million per annum on their cyber capabilities. Cybersecurity budgets as a percentage of IT spend have increased significantly in the last year. Two-thirds of energy organisations now spend between 11%-20% of their IT budget on cybersecurity.

Energy’s status as critical national infrastructure has led to tightening regulatory and compliance pressures to ensure resilience against attacks and failures. Cybersecurity technology offerings have also improved significantly, helping energy firms to efficiently identify vulnerabilities and develop key controls like privileged access management, threat detection and response.

However, a global survey by the EY organisation has revealed that energy firms in particular are struggling with cybersecurity. Only 35% said their organisation is well-positioned to take on the threats of tomorrow, compared to 48% of all other industries. Energy companies are also more likely than other industries to take a “wait until technology is tried and tested” approach. Only 22% are satisfied with their non-IT workforce’s adoption of best practices.

The survey, which identified strategies used by the best-performing security organisations, suggests areas where CISOs should focus cyber investment. For energy companies, critical areas of focus will be utilising advanced solutions to simplify the security environment by adopting technology focused on automation and simplification, such as AI or ML, SOAR, DevSecOps, and cloud orchestration and automation.

Embrace security through simplification

While a number of energy companies have been investing similar amounts in cyber to financial services, they have more fragmented IT environments. We can see why this has occurred. Energy companies are “spider-like”. It is difficult to put in solutions that cover all areas of cyber risk. This is a common issue across most sectors where, according to IBM research, an enterprise of 10,000 employees will use, on average, 70 or more tools to manage cybersecurity and privacy.

However, simply bolting on new technologies may inadvertently create new vulnerabilities. Point tools don’t integrate, preventing end-to-end process automation and stopping energy companies from being able to achieve the gold standard of cyber protection: situational awareness to enable proactive threat detection and rapid response.

To this point, by 2024, Gartner predicts that 80% of critical infrastructure organisations will abandon their existing siloed security solutions providers and adopt hyper-converged solutions to bridge cyber-physical and IT risks.

Energy companies should be adopting platform strategies that rationalise security vendors to no more than around 10 security services, using scalable solutions – and even a single technology partner. This will save on security engineering and integration and operational costs. Fragmentation has increased operational overheads due to cyber teams having to glue disparate tools together, and patch and maintain siloed technology.

Increase the use of AI and automation

Threat actors are using AI and automation, so cyber teams must too. Attack disruption cannot rely solely on human intervention. Instead, it must be driven by automated responses that can swiftly contain and mitigate threats, even while they are in progress. Specifically, attack disruption must occur at machine speed, with automated response actions to contain an attack in progress using high-confidence, cross-workload signals. These advanced threat detection systems leverage AI and machine learning algorithms to identify anomalies and potential threats in real-time.

Another important area of investment is in automated incident response mechanisms that can isolate compromised systems, apply security patches and adapt defences in a coordinated manner.

Consider how cybersecurity can support value creation

Done well, cybersecurity can support innovation and value creation in the energy sector by:

• Building consumer trust in new energy products and services – As consumers adopt electric vehicles and home energy management systems, they will entrust their data and infrastructure to these solutions. Robust cybersecurity measures not only protect their sensitive information but also ensure the reliability and integrity of these offerings, encouraging their adoption and supporting reputational integrity.
• Supporting joined up security in collaborations – The energy transition is driving the formation of consortia to build renewables, especially regarding offshore wind and hydrogen. Equally, energy companies will increasingly partner with home energy management technology firms and the ecosystems supporting aligned areas like firming capacity, electric vehicle subscriptions and electric fleet transition services. By supporting the security of these joint ventures and partnerships, cyber teams can assist their organisations in rapidly putting on new revenue streams and driving growth.