How the Energy Sector Should Prepare for Cyber-Attacks

Quality living in the 21st century is dependent on stable energy. From powering vehicles to homes, schools, and even industries, energy is a vital resource, which at this point, we cannot live without. Therefore, it is imperative to ensure that the integrity of this sector is maintained. 

Over the years, with technological advancements and the introduction of even more sophisticated software, specific sectors, including the energy sector, have been at risk of cyber-attacks. The energy sector is particularly complex in its organization, with much detail about generation, transmission, distribution and the network, such that a loophole in the value chain could give room for cyber-threats and attacks and crumble the entire system, causing huge losses. 

From experience, it has been observed that the energy sector faces more risk of cyber threats and attacks these days. This is because there is an increased number of threats from various groups targeting utilities and an extensive and complex network giving more room for attacks. The close relationship and relative interdependence between the energy and IT sectors are also of note. This, therefore, calls for more attention to cyber-security to be given to the energy sector. 

A recent survey of about 1000 energy professionals across different countries revealed that cyber-attacks are an expected threat to the energy sector. However, few preventive measures have been implemented to mitigate them. About 84% of energy professionals anticipate physical property damage, and about 57% expect the loss of life from cyber-attacks on the energy sector in the next two years. Surprisingly, just 28% have companies making cyber-security a high investment priority and only 31% know precise steps to mitigate cyber-security threats. In essence, many companies in the energy sector are leaving their fate to chance rather than putting tangible precautions in place to prevent security breaches. 

In recent years, there have been serious security breaches, such as the 2021 attack on the United States Colonial Pipeline and the 2010 attack on Ukraine’s Power Grid. Russian-backed cyber operations against Ukraine have also been reported since the current military invasion began. Experts warn that even more extreme cyber-attacks may be launched soon. Therefore, solid precautions must be put in place because such attacks could cripple several power grids and cause major energy disruptions.  

Some of these tangible precautions are: 

Identifying Blind Spots in the Supply Chain

The power sector network is highly complex and has many intricacies. This could give room for vulnerability. Companies may not do so badly from their end and comply with best cyber-safety practices but may fail to effectively monitor their supply chain, including equipment vendors and suppliers. This could create loopholes and blind spots that cyber-attacks could capitalize on. Hence, the need to ensure compliance with security best practices from the earliest stages of equipment procurement. 

Related article: Will Disruptions Make Supply Chains More Vulnerable to Attack? 

Training and Re-training the Workforce 

Based on research, only 31% of energy professionals know precisely how to respond and prevent cyber threats or cyber-attacks. The first line of defense of any company against cyber-attacks is its workforce. Therefore, companies must train their employees to identify and promptly respond to such attacks. The need to have cyber security expertise in place cannot be overemphasized. 

Industry-Wide Collaboration: An Integrated Approach

With technological advancements, the energy sector operations are primarily dependent on Information Technology. For example, a single breach created by ransomware could crumble entire power grids. The link between physical and virtual infrastructure cannot be overemphasized. Therefore, industry partnerships need to engage in continuous dialogue on securing the ties between physical and virtual infrastructure and eliminating both physical and virtual threats. All the major energy sector stakeholders and related industries need to be involved. 

Physical Security

Often, cyber-attacks require proximity to control systems. Cyber-attacks become significantly more difficult to penetrate with adequate physical security at power grids and their connected networks, data centers, and transmission and distribution sites. With future expansion in mind, particularly to explore new technology and green energy sources, this becomes all the more important.  

Addressing Communication and Awareness Gaps

This would create a security culture, as a security network would be created, where vulnerabilities and incidents can be reported and threats made known. It would also be possible to detect coordinated attacks and reconnaissance campaigns easily. By so doing, the best minds across the energy sector can begin working up solutions.   

Precautions and Countermeasures

From recent cyber-attacks over the years, a usual pattern has been observed. Now, countermeasures against specific attacks can be established. For example, for ransomware, reasonable backup procedures should be in place to prevent data loss in case of such attacks; endpoints and web-facing systems should be hardened, and the company’s network segmented to prevent such attacks. For phishing, email verification, email filters scanning attachments and links should be in place to prevent cyber-attacks from emails with malicious intent. 

It is of note that the energy sector is very important for quality living. With statistics like these, it has also been established that the energy sector is particularly vulnerable to cyber threats and attacks and that energy professionals are well aware of this. All hands need to be on deck to prevent major damage to the energy sector and power grids, and accurate, tangible precautionary measures and solutions need to be in place. Companies need to strengthen security from their end. Their partners and supply companies need to do the same. Investment in cyber security should be a significant priority. Government agencies must also support private companies and ensure strict surveillance of government-owned power grids. All in all, there needs to be cooperation among all stakeholders in the power sector to curb this menace.  

Learn more about I.S. Partners’ suite of compliance and risk management services for the Energy & Utilities sector.    

About The Author

Anthony Jones

Anthony has over 20 years of experience and has worked with a variety of industries, including Health Care Insurance, Banking and Financial Services, Information and Analytics, Telecom, and Utilities. Anthony has extensive knowledge in IT Security consulting; he is also a Certified Information Systems Auditor (CISA), and Project Management Professional (PMP) designation holder with expert ability to accurately determine needs, understand risk tolerances, offer alternatives to current situations, develop action plans and cultivate longstanding client relationships. Anthony’s area of expertise consists of MAR, HIPAA and Sarbanes Oxley Compliance, IT Security and Privacy Management, Enterprise Risk Management (ERM), Health Care Insurance Banking and Financial Services, Manufacturing and Utilities. Prior to joining IS Partners, LLC Anthony spent 12 years with PWC as a Senior Manager in Business Risk Solution (BRS) Practice advising Fortune 100 financial services, manufacturing, Insurance and utility companies. Anthony graduated Saint Joseph’s University. Anthony received his MBA from SJU Haub School of Business.
Anthony Jones frequently blogs for I.S. Partners, LLC.