Vice President and Global Head, Industrial Cyber and Digital Security, Siemens Energy
Lead, Centre for Cybersecurity, World Economic Forum
This article is part of: World Economic Forum Annual Meeting
Geopolitics, economic forces and market dynamics link energy security and the climate crisis through a digital energy transition.
Digitalization brings both challenges, from cyber threats, and solutions, from digital technology, in delivering energy needs and security.
Energy industry leaders must embrace cyber resilience as a pillar of the digital energy ecosystem.
Looking back at the 2022 World Economic Forum Annual Meeting in Davos, Switzerland, few global policymakers and business leaders could have predicted the forthcoming year. Yet, the cascading effects of a global pandemic, the invasion of Ukraine and critical supply chain disruptions have destabilized the entire global energy ecosystem.
These crises fundamentally shifted geopolitics and jeopardized energy and economic security. But they also crystallized how to leverage digital technology to address these issues and the existential threat of climate change through effective energy transition.
Digitalization – a threat and opportunity
The solution to energy security and the energy transition is an ecosystem driven by electrification, decentralization and diversification of energy technologies – all underpinned by digitalization.
This future is possible because the energy industry has adopted the industrial internet of things (IIoT). That allows operational technology (OT) to digitally manage physical energy assets and link them to information technology (IT) software applications that leverage artificial intelligence (AI), machine learning and cloud storage.
But industrial IoT and hyper-connectivity also make tomorrow’s energy ecosystem vulnerable to cyberattacks.
Energy companies are rapidly adopting industrial IoT to run their entire business model and this shift represents an unprecedented security challenge for chief information security officers (CISOs).
CISOs are increasingly responsible for securing the billions of physical-digital connections to make a low or zero-carbon emissions reality possible. For example, they may have to leverage analytics and sensors to balance variability in the electric grid or predict demand for electric vehicle charging. They may also have to enable smart meters on home solar installations to interact with a utility.
Never before has so much of our physical infrastructure – the mix of machinery and OT control systems – been so blended into digital networks and exposed to cyberattacks.
Whether attackers want money or seek to paralyze a rival nation, the energy sector makes an attractive target. Industry surveys show that the volume and sophistication of cyberattacks against energy organizations continue to escalate. Meanwhile, countless reports suggest that energy companies – from executives at the board level to CISOs down to middle management and early career employees – are underprepared to secure the coming wave of digitally connected critical infrastructure from cyberattacks.
If energy companies are to adopt a digital-first business model, they will need to invest, prioritize and train for cybersecurity equally. The combined forces of digitalization and decarbonization have brought a blistering pace of change to energy companies. Many CISOs, however, lack the tools and capabilities to secure it. Fundamentally, the role of the CISO must evolve from a position previously focused on technology to a broader remit to reflect the essential role of digital technology in the new energy ecosystem.
CISOs need to command a new kind of Security Operations Centre (SOC) with equal IT and OT visibility and context capabilities to secure this new hyperconnected landscape. They must also manage this era of constant threats with a new framework of cyber resilience principles cascaded across their respective organizations.
Adapting to a digital future
Securing the energy transition begins with adapted governance models, novel technology solutions and prioritized investment in personnel and solutions. Here are four ways the energy industry can adapt to advance and secure its digital future.
1. Educate and update leadership
CISOs must have access to, and open relationships with, a company’s board members and senior executives, as well as strong working relationships with government officials and regulators outside of their organization. These relationships are essential to communicate and coordinate quickly during incidents and to close vulnerability gaps before new threats occur.
With open communications channels to executives, CISOs can advocate for international standards and procurement policies, like ensuring the National Institute of Standards and Technology’s cybersecurity frameworks are incorporated into new projects.
Externally, CISOs will have the edge over government officials in providing vulnerability updates and participating in resilience efforts. To see its importance, look no further than the US Department of Homeland Security’s Shields Up campaign, led by its Cybersecurity and Infrastructure Security Agency, to proactively protect energy companies from Russian cyberattacks following the invasion of Ukraine.
2. Scale monitoring and detection processes
Technologically, better automation is changing the business of industrial cybersecurity monitoring and detection. AI tools enable automation that integrates a huge number of variables and tracks their relationships – i.e. attacks against OT can be discovered based on the physical consequences they cause.
This information can help meet incident reporting requirements or be rapidly shared with industry partners so other vulnerable companies remain alert. These new technologies that are purpose-built for industrial environments are helping CISOs monitor, detect and remediate threats faster and more accurately than ever before. However, real cyber resilience lies in prioritizing security across the institutions and systems that comprise the energy industry’s ecosystem.
3. Adopt a shared responsibility model across the organization
While CISOs represent the core of an organization’s digital and security transformation, no single person can be responsible for cyber resilience. Energy companies must adopt an ethos that cybersecurity is every employee’s responsibility. Personal and organizational success within an organization must be tied to meeting, maintaining and exceeding cyber hygiene metrics and standards.
Shared accountability includes ensuring compliance with basic IT measures such as turning on two-factor authentication, regularly changing passwords and adhering to zero-trust principles. In addition, prioritizing recruiting, training and growing cybersecurity talent with specialized knowledge of industrial cybersecurity is critical to long-term success.
4. Embed cyber resilience in your organization
Ultimately, without dedicated investment to embed cybersecurity into every aspect of an energy company’s business model, resiliency will fail.
Industry leaders, investors and shareholders must change their view of cybersecurity as an afterthought or an optional additional cost. Instead, cybersecurity must be considered an asset – even a competitive advantage. It is essential to a business’s commitment to safety, reliability and long-term reputation.
Energy sector executives will have to deploy more capital for new projects to ensure they are secure by design and retrofit existing projects with cutting-edge solutions to identify and prevent threats. But investing in cybersecurity is not a one-time cost.
To withstand long-term challenges, organizations must continually invest in cybersecurity for new technologies, operational budgets and personnel.
The views expressed in this article are those of the author alone and not the World Economic Forum.