It’s time to step up on cyber security for the energy sector.
The recent passage of the Bipartisan Infrastructure Bill and the Inflation Reduction Act will incentivize a new wave of investment in energy infrastructure. With that wave, we have an opportunity to build cybersecurity approaches that keep up with the energy transition.
Nearly all energy infrastructure from today forward will be digitally managed. Optimizing for efficiency minimizes emissions and costs simultaneously – a powerful combination that answers both business and climate needs. Retrofits, renewables, and future business models will rely on networked digital devices to manage and operate physical energy assets.
This digitization expands cyber risk. Cyberattacks against energy infrastructure have escalated in number and sophistication. Last year’s attack against the Colonial Pipeline solicited a $4.4 million-dollar ransom and paralyzed approximately half of the critical transport fuel supplies for the East Coast. It succeeded not because of a single point of failure but because the energy sector was never designed with cybersecurity in mind. The overarching policy and regulatory frameworks, business models, and technologies that shape our industrial cybersecurity posture are ill-suited to securing the digital energy ecosystem of tomorrow. As a result, criminals and geopolitical rivals can find soft and vulnerable targets central to every country’s national, economic, and environmental security.
Future infrastructure should be built to withstand an ever-changing threat environment. Scaling cybersecurity with the new wave of energy transition investments is more effective and less costly than tacking on cybersecurity measures later. In the same way we routinely build physical security measures today, like perimeter fencing, cameras, and access codes on restricted areas, we should routinely build cybersecurity to withstand criminals, rival nations, and occasional lapses of cyber hygiene. Yet today, many public and private sector energy organizations view cybersecurity as an afterthought – often a secondary responsibility that is too technically, financially, or politically complex to address.
Some of the missing steps for stronger cybersecurity were captured in a recent report from the Atlantic Council’s Task Force on Cybersecurity for the Energy Transition, to which we both contributed. Policy and regulatory frameworks often lag innovation for physical and digital technologies; many owners and operators lack the resources to deploy industrial cybersecurity solutions and hire specialized personnel; and finally, some energy companies simply fail to take ownership for securing their own systems. As the energy transition gains momentum, policymakers and private sector executives must make cybersecurity a foundational aspect of their capital and operational business model.
The energy industry is extremely capital intensive – private companies typically depend on energy assets operating for multiple decades to make the economics work. Prioritizing cybersecurity for the systems that will be in place for decades gets easier when government sets clear policies, standards, and regulatory requirements so the private sector can plan for security. For example, establishing clear product security standards aimed at reducing vulnerabilities would help companies have confidence in equipment and suppliers before they make long term investments. Clear and consistent reporting requirements, combined with easier information sharing, would help companies implement the tools and technologies to monitor and detect threats to their systems, and help the government quickly identify threats to other public and private organizations.
The private companies that will be building new infrastructure incentivized by the climate bill should level up cybersecurity protections as they build. Building monitoring and detection capabilities into new and retrofitted infrastructure immediately hardens targets by ensuring intrusions can be detected. New and innovative incentive structures can help defray the costs of scaling these technologies, especially for small and mid-size energy companies. Public-private partnerships can help energy companies – regardless of size and sector – level up cybersecurity through a range of policies, including tax incentives and grants for investments in new technologies, expanding test-bed opportunities, and exploring policy approaches build the cost of security into a company’s business model.
Ultimately, the private sector must take ownership over security. CEOs and board members must make cybersecurity a priority across their companies. Too many companies fail to implement even simple steps like two-factor authentication – akin to leaving secure areas of a worksite unlocked. With the right educational and workforce training programs, companies can upskill workers and train employees to ensure they are as skilled and diligent about securing energy assets they are about every other aspect of the work that keeps the lights on and fuel moving.
We expect tremendous progress toward a low-carbon energy future over the coming years – especially if we act now to secure it.
Leo Simonovich is the vice president and global head of industrial cyber and digital security at Siemens Energy.