Energy is a backbone of society, and there are many direct connections between energy use and quality of life. Reliable access to electricity has proven to reduce poverty — alongside other efforts around sanitation, nutrition and access to clean water — while minimizing the emission of home pollutants and increasing opportunities for workers. This makes it both a highly desired commodity and a precious resource that the world needs to proactively protect.
Unfortunately, the energy industry is becoming an increasingly tempting target for cybercriminals and nation-states that seek to disrupt basic services and the local economy. Recent ransomware attacks on Colonial Pipeline in the U.S., Vestas in Denmark and Electrobras in Brazil disrupted energy supply chains and forced a degradation of service throughout the regions. In each of these cases, malicious actors breached an end device and laid low for weeks or months while slowly and deliberately probing the network in search of a tempting target. Once the attackers got the lay of the land, they seized control over critical assets, took them offline and held them for ransom.
The problem is that utilities and the energy industry as a whole has become more interconnected than ever. Equipment manufacturers require connectivity to monitor the health and performance of their deployed assets, and utility operators need to remotely manage assets in the field to oversee load and ensure energy quality. As the energy sector becomes more decentralized and interconnected, it opens the door to opportunities for cybercriminals.
How will the energy industry’s cybersecurity teams join together?
Improving cybersecurity throughout the energy sector while protecting electrical grids around the world will require industry-wide collaboration and information sharing about the identification and remediation of cybersecurity incidents. In fact, energy security leaders can look to other industries — like the airline and nuclear power industries — for best practices on information sharing and collaboration. Leaders in those industries have put aside their competitive, regulatory and political differences to prioritize public safety. The energy sector can too.
Here are three steps for improving collaboration across the energy industry to better protect the world’s electrical grids from cyberattacks:
1. Foster a collaborative culture
Utilities need to know where they are vulnerable and where gaps exist in their security strategy. They then need to get away from the blame-first, react-second culture. Security teams need people to feel comfortable alerting their colleagues about mistakes or vulnerabilities without fear of blame or shame. Instead, organizations should reward people who step forward and celebrate the cybersecurity successes the industry achieves.
2. Build an intelligence network with sensors and people
Energy security leaders then need to build a network that automates monitoring and alerting and combine it with human intelligence. Fortunately, asset management and remote monitoring solutions for the electrical grid already exist. Organizations need to free up budget to get these capabilities into the field where they can report on vulnerabilities and security gaps.
3. Be open to the open exchange of information
It’s imperative that security teams establish a level of transparency within the energy and utilities industries and openly share information about the identification, remediation and prevention of ongoing cyberattacks. However, the protection of assets and users requires a balancing act. Users require the understanding that their data is protected by the company that has been granted access. However, it is possible to share information and intelligence across the industry while retaining data privacy on a company by company basis. Finding this balance will be key to securing the energy and utility industries and the confidence of their users.
Lessons learned from other industries
Fortunately, oil and gas organizations have the nuclear energy and airline industries as models for this type of collaborative action. Air traffic controllers are largely protected under the law as long as they are open and transparent about what went wrong prior to an accident. They feel comfortable working with investigators because they are shielded and have a vested interest in protecting public safety. Same with the nuclear power industry. Operators routinely share information about their plants to create a series of best practices that can be applied globally. Again, public safety takes precedence because there is a collaborative effort to share information freely.
Fortunately, several global regions have implemented initial efforts for information sharing within the energy industry. Very often these efforts are government-led and restricted to specific country perimeters. Could the industry go further?
Energy leaders have started laying the groundwork for collaboration in the energy industry on a more global base. A committee of industry leaders has been set up through the World Economic Forum to study information sharing for cybersecurity purposes, which meets regularly to discuss trends and remediation strategies.
Energy security leaders are working and operating in an increasingly complex energy environment. As the sector grows, so do the threats against it. Responding to these proactively and as one ecosystem will be critical to increase the sector’s resilience against these threats. However, this requires the thoughtful, methodical implementation of information-sharing programs and a far out lens that looks at the system as a whole, rather than on a case by case basis.
This industry wide collaboration is necessary to advance the world’s energy system and make it more sustainable, flexible and secure. We need to start working more closely together today.