Climate change. New market entrants. Evolving regulations. Shifting consumer habits. Hybrid working. Employee safety.
These are just a handful of the challenges keeping utility executives awake at night. And they’re only the tip of the iceberg, because, as our latest Digitally-enabled Grid research shows, the energy transition is also about technological transformation.
5G communication, secure cloud technology, increased automation and the digitalization of assets and operations are also critical. Then there’s the growing use of connected intelligent devices, rising regulatory pressure and a constant demand for remote asset management…
Clearly, the imperative to decarbonize, digitize and decentralize brings with it a need for renewed focus on operational security.
So how can security become a top priority without delaying other changes?
Know your enemy
Cyber criminals are becoming more sophisticated and motivated. And, thanks to increasing connectivity and digitization, cyber criminals have a bigger target area and the potential to disrupt the entire value chain.
It’s partly a consequence of the fact that every organization is part of a broader, co-dependent ecosystem that can be crippled by an attack in any area, and partly because cyber criminals are specializing in different kinds of attacks.
Some may specialize in initial access, others in lateral movement and persistence in the target, while others, such as BlackEnergy3 and Crashoverride, relish deeply destructive asset compromise.
Last year’s EKANS malware attack is a perfect example of the devastating potential of these attacks. The impact of the Colonial Pipeline shutdown lasted for weeks, but the risk goes beyond financial loss and IP theft.
Losing sight and control of the system is not only costly – it is dangerous. Losing grid stability puts human life at risk.
The solution? Strategy + security
Being able to prevent or react to these attacks is important, but as technology and malware evolve, it is simply not enough.
Operational Security must be built in by design; it is not enough for security to be an afterthought, or a means to meet a specific compliance objective.
Rather, security should form an integral part of the broader business strategy: woven into the ambitions and operational plans at every stage of the organization’s development.
For utilities and organizations focused on building a resilient grid, Security IS the strategy, because a vulnerable system will never be able to sustain the demands of the energy transition.
Becoming a security-led operation is another challenge in itself, and it’s a shift that has been adopted at different speeds across the industry.
Our research identifies 4 levels of readiness:
- Cyber Champions ensure that their security plans enhance their business operations and help them to explore and embrace new opportunities.
- Business Blockers are resilient and well prepared for attacks, but because their security and business strategies aren’t aligned, security needs can impede business progress.
- Cyber Risk Takers take a business-first view, and although progressive, tend to leave themselves vulnerable to risks that may otherwise be preventable.
- The Vulnerable, as the name suggests, are open to attack to the extent that they cannot meet their business or strategic goals. In this quadrant, drastic change is needed.
Plan of action
Every organization will find itself facing different challenges as the energy transition unfolds, but there are 3 broad actions that can help move into the top right quadrant and become a Cyber Champion.
Firstly, it’s important to give the Chief Information Security Officer (CISO) the airtime and influence they need to help fuse together the business and operational security strategy. Viewing security as a separate function with little strategic value is dangerous: the C-suite needs to be integrated and informed to understand evolving risks.
Next, it’s important to be threat-centric, and business aligned. Understanding the possible vulnerabilities that come with new models and offerings means that security can be built into every step so that attacks cannot risk total disruption.
And finally, it’s important to get the most out of secure cloud offerings. With so many devices and targets across the value chain, moving to secure, cloud-based platforms is an essential step in driving progress, securely.
With the number of cyber attacks growing amid a new world of hybrid and remote work, and the demands for remote solutions increasing, it’s never been more important to make security the starting point of business strategy.