As critical infrastructure faces increasing and sophisticated attacks, these trends will enable the energy sector to shore up its cybersecurity defenses.
From shifts in geopolitics, the energy transition, and climate change to upending the status quo in global health, financial markets, and private sector business models, 2020 will be remembered as a year of seismic change.
For many, the year was an eye-opening education on the power of digital tools to rapidly revolutionize the way we do business. In the energy industry in particular, COVID-19 accelerated the convergence of digitalization and the energy transition — two trends that pose significant challenges and opportunities for global utilities, oil and energy producers, and industrial infrastructure and electrification companies.
The digital revolution in the energy sector comes with huge benefits and brings new challenges for cybersecurity. As energy companies digitally connect operational technologies such as gas compressors, electricity substations, and electric vehicle (EV) chargers with information technology (IT) systems to reduce costs, improve efficiency, and cut emissions, they simultaneously become more vulnerable to cyberattacks. Energy companies are expected to connect 2.5 billion industrial devices in the next two years — and each new digital node represents an opportunity for attackers to disrupt power, cause immense economic and physical damage, and threaten essential services.
2021 will shine a light on the need for industrial cybersecurity to serve as the foundation for the evolving digital energy ecosystem. Digitalization and the energy transition dramatically accelerated in the tumultuous and unpredictable 2020. Energy companies, investors, and policymakers must now look to cybersecurity as the key to unlocking the benefits of these trends in the post-COVID era as critical infrastructure faces increasing and sophisticated attacks.
Trend 1: COVID, Remote Work, and an Expanded Threat Landscape
For decades, utilities and energy companies monitored operations and security for energy assets safely from within the walls of a centralized office or industrial facility. COVID-19 changed that. In a matter of days, utilities and energy companies rapidly instituted remote operations to keep employees safe and continue to provide power to homes, businesses, and frontline workers.
In shifting to remote or irregular operations, tasks once performed in secure locations with specific procedures became exposed to a vastly expanded attack surface, with each new remote connection serving as a potential entry point. Continued remote work in 2021 will mean organizations of all types and sizes need to harden, closely watch, and maintain their defenses. This includes taking new measures — from reengineering security architecture to preparing for incident response — and ensuring entire chains are protected, safeguarding not only their resources but also their customers.
Trend 2: Digitalization and the Energy Transition
Investments in electrification and renewable energy infrastructure are booming — and these technologies depend on digital management. Distributed energy resources, from solar, wind, and battery storage to EV charging infrastructure, will account for close to a third of the United States’ installed generating capacity in just five years. These technologies are key to meeting consumer demands for a low- or zero-carbon economy and are vital parts of the fight against climate change. Yet, because they depend on digital management of variable and often distributed power, each opens millions of potential entry points for cyberattacks. Critical infrastructure companies and utilities will need robust new monitoring and response tools to spot, identify, and repel cyber intrusions across this vast digital operating environment.
Trend 3: New Security for Legacy Oil and Gas Assets
Critical systems on an oil rig or pipeline could once be air-gapped from a company’s interconnected digital systems — but no longer. Oil and gas companies have taken advantage of digitalization to reduce costs, improve efficiency, and reduce emissions. This means relying on software and IT networks to monitor and control thousands of physical endpoint assets — from gas compressors and oil wells to pumpjacks and turbines. These assets are often located hundreds or even thousands of miles from a company’s security operations center, forcing companies to choose between their balance sheets and security.
In the new digital energy ecosystem, oil and gas companies have begun to recognize their operations are now exposed to significant cyber-risks. Cyber-risks will increasingly be managed as top-level risks, similar to financial, reputational, and safety hazards. Energy companies will increasingly require solutions to secure isolated assets until technicians can respond with new security protocols or, when needed, on-site physical updates.
Trend 4: Traditional Energy Companies Find Innovative Business Models
“Traditional” oil and gas firms are changing. BP’s new CEO, Bernard Looney, made headlines in 2020 heralding the company’s push from fossil fuels to clean energy. That transition will depend on harnessing cutting-edge tech and software and transforming the oil colossus into a “lighter, more agile” company with operations across the entire energy value chain. Major companies will shift toward more dynamic, interconnected ecosystems with software and digital assets at the core of their new operations. This means that large and storied companies that long defined corporate discipline will need to put cybersecurity at the heart of their business models.
Trend 6: Tools to Stop the Attack Before It Happens
Energy companies and utilities once lacked the visibility and context to identify digital threats and stop an attack in its tracks. New tools make better monitoring possible — and necessary. Where cybersecurity experts at energy companies once defended a castle surrounded by a moat, open to the world by just a drawbridge or two, that castle is now pierced by hundreds of new walkways and doorways — some obvious and easy to monitor, others more inconspicuous.
Leveraging AI and machine learning, new built-for-purpose cybersecurity technologies are giving all energy companies — regardless of size and budget — the situational awareness to defend the operating environment from attacks. As industrial operating environments increasingly become targets for cyberattacks, these technologies are poised to gain traction in 2021 and become the industry’s first line of defense.