The uncertain geopolitical climate and the increasing demands for a cleaner, more energy-efficient world are wreaking havoc on the state of cybersecurity for the energy and utilities sector. This industry in particular is vulnerable to cybersecurity threats due to changes in regulations, changes in technology, and most importantly, changes in the cyber landscape.
Let’s look at each of these changes in depth.
Changes in Regulations
When the Colonial Pipeline suffered a ransomware attack in May 2021, affecting consumers and the transportation industry all along the east coast, the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) jumped into action. A new Security Directive was announced, which required critical pipeline owners and operators to report cybersecurity incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA).
In July 2021, the TSA announced a second Security Directive that required TSA-designated critical pipelines to protect their assets against ransomware attacks with specific security measures. This second directive built upon the first; however, by July 2022, TSA issued a revised directive that now requires pipeline owners and operators to establish and execute a TSA-approved Cybersecurity Implementation Plan, among other security measures.
In early 2022, the Federal Energy Regulatory Commission (FERC) noticed gaps and potential vulnerabilities in internal network security monitoring of electric grid cyber systems and proposed to strengthen its Critical Infrastructure Protection (CIP) Reliability Standards. The proposed changes would help utility companies detect unauthorized access early, giving them time to stop attackers before they compromise the network.
All this regulatory change signals an upheaval in the energy and utilities industry. As threats increase, this industry is particularly vulnerable, mostly because of the large-scale disruption a breach can cause through legacy systems that were built years ago without security in mind.
Thankfully, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was passed last year, requiring the 16 critical infrastructure sectors (including energy and utilities) to report cyber incidents and ransomware payments to CISA. In return, CISA will deploy resources and provide aid to the affected companies.
Changes in Technology
Built years ago on legacy systems, most energy and utilities companies must rely on a dwindling number of vendors still adept at this outdated technology. And with outdated technology comes risk. But upgrading entire energy or utilities systems, most of which have a footprint that spans a wide geographic area, can be costly. And despite these technological weaknesses, any widespread system upgrade must be approved by regulators and shareholders.
Add to this the driving forces behind the use of clean, renewable energy sources to reduce greenhouse gas emissions and mitigate climate change, and we open the door to new cyberattacks. The U.S. Department of Energy (DOE) and the National Renewable Energy Laboratory (NREL) announced this month a call for applications for the second cohort of the Clean Energy Cybersecurity Accelerator (CECA) program. This program’s intent is to rapidly develop cybersecurity solutions for renewable energy resources as solar and wind power are added to the mix.
Changes in the Cyber Landscape
In PwC’s 25th Annual Global CEO Survey, 44% of CEOs from the energy and utilities sector ranked cyber threats as a top-three concern. As the energy industry adopts the industrial internet of things (IIoT), which links operational technology (OT) to information technology (IT), the energy ecosystem becomes more vulnerable. This digitization of the infrastructure will require energy company CISOs to prioritize and train for cyberattacks, since increased digitization expands the attack surface.
And as we move toward the global priority of a low-emission future, which will require greater reliance on renewable energy sources, cyber resiliency will become paramount. The extent to which cybersecurity is incorporated into the energy transition will directly enhance or impede our progress.
Get to Know ProcessBolt
ProcessBolt’s vendor risk management platform works in a variety of industries, from energy to healthcare, and most industries in between. Whether you’re a vendor receiving assessments or a business assessing vendors, the ProcessBolt platform works in tandem to simplify the vendor assessment process. In addition, our ThreatScape component automatically monitors your entire attack surface and warns you instantly of any unauthorized access.
Complete this form to receive a personalized walk-through of ProcessBolt and learn how we can enhance your organization’s third-party risk management program.