Some of the biggest cyber-attacks in 2021 and 2022 focused on the energy industry. As a result, it is now apparent that energy cybersecurity needs to be a priority for industry leaders. Without an emphasis on digital security, we can expect that the entire sector will lose resources solving the aftermath.
The attack on the Colonial pipeline in 2021 was one of the few attacks to gain national and international interest. However, more than two-thirds of large-scale cybersecurity breaches throughout the year targeted either the energy production industry or the distribution network.
These attacks include hacks, exploits, and different malicious attempts on industries such as:
- Oil and natural gas
- Electrical grid
- Drills and drill sites
Thankfully, nuclear power production did not suffer from any significant successful attacks. Unlike traditional power production methods, nuclear power plants and uranium enrichment facilities are important for national security.
But, all energy-related entities are just as crucial for the smooth operations of all other industries. Diminished capacities and disrupted supply chains would skyrocket the business costs in most industries. Additionally, many companies might cease to operate altogether.
The Energy Sector Is a Prime Target
Cybersecurity breaches in the energy sector can be viewed purely through the lens of digital security. In that case, energy companies, including those in distribution, are a target because of the frequent obsolescence of their equipment and standards.
In many cases, energy production facilities do not compete on a plant-to-plant basis. They generally have little interest in investing in aspects of the business that do not directly improve operations. This leaves issues like energy cybersecurity on the back burner until disaster strikes.
But, the attacks on the energy sector can also be viewed through the lens of social pressure and influence. In that regard, cyberattacks that aim to disrupt and hold for ransom the energy distribution grid have more in common with terrorism than with digital attacks.
Namely, criminals know that electric companies will likely pay the ransom. That’s because these companies need to re-establish the power supply. In a way, the hackers are keeping the public at ransom as much as the companies.
A Tradeoff between Accessibility and Security
The problem with providing increased energy cybersecurity is that the production and grid are under strict requirements to be efficient. Placing grid-wide checks where energy cybersecurity can be ensured might diminish that efficiency. It might also deeply cut into these companies’ profits.
The only alternative is new encryption solutions to protect communications between producers, distributors, and users. New energy cybersecurity experts entering the market will need to find new solutions that will protect the giant energy companies without compromising efficiency. Energy cybersecurity should also not spike investment costs.
This task will not be an easy one. However, as more companies in the energy sector become aware of the risks, the political will should also increase. Only then will we finally solve the issue of energy cybersecurity.
Energy Cybersecurity Challenges
Speaking for The Cyber Priority survey, the cybersecurity managing director for the Norwegian drilling company DNV, Trond Solberg has pointed out several challenges that are plaguing the industry.
Solberg affirmed that energy cybersecurity is vital. He also pointed out the requirements for a good cyber-defense. The companies and the experts working for them need to have a deep and intricate knowledge of their field. However, according to Solberg, that is not enough. Experts also need to know the energy sector as a whole, including nuclear, renewable, or fossil energy.
First of the issues detected when it comes to energy cybersecurity is the inert nature of the energy companies. Given this approach, energy companies will not take adequate moves to improve cybersecurity, unless they are hit with a significant attack.
The second issue is the quickly closing gap between operational technology (OT) and information technology (IT) industries. In many cases, energy companies simply do not understand that their OT solutions often exist in an IT environment.
Finally, available cybersecurity talent is clearly lacking, and this is affecting companies globally. Without novel ways to attract, educate, and retain valuable talent, companies will have very few ways to improve their cybersecurity.
Looking for Talent
Top cybersecurity talent has become a very hot commodity across industries globally. Last week, Citigroup, a US financial behemoth, announced that they will be hiring 4000 new cybersecurity personnel.
But, expressing a desire to hire cybersecurity experts and attracting them is not the same thing. Most companies are struggling to find adequate employees. They also frequently need to look in new places and focus more on training than direct hiring.
Even when it comes to global talent, top talent is reluctant to move for new opportunities. This is due to the advantages of remote working, as well as some countries still experiencing lockdowns from the pandemic.
An additional issue when it comes to hiring talent and executing energy cybersecurity plans is an obsolete environment. Equipment, software, and digital standards are frequently decades old. As a result, any team hired to innovate would need to pass that hurdle before progressing to futuristic solutions.
For new talent, that might not be an inviting environment. This is because the risks for failure are considerable. Top talent cannot be sure about a company’s dedication to prioritizing energy cybersecurity. In turn, they will avoid the sector regardless of the financial compensation.
The Industry Is Changing
OT and IT are closing down, so the energy industry as a whole is bound to change. Integration is growing, and so are the customers’ needs. As a result, the fragility of the energy supply shouldn’t be overlooked in the coming years.
But, unless energy company management increases agility, the entire sector will be overlooked. As a result, energy companies will be open to new attacks. This will also create future losses and future pressure on all other industries due to the rising energy prices.