Cybersecurity Challenges For The Energy Sector

Today’s cybersecurity professionals face an ever-evolving list of threats.

on July 18, 2023 at 2:09 PM

The energy sector faces formidable cybersecurity challenges as it grapples with the growing threat of external security breaches, the protection of consumer data, and the management of physical infrastructure.

Photo by Dan Nelson via Unsplash

To mitigate these risks, organizations like the International Energy Association (IEA), an intergovernmental policy advising group, emphasize the importance of cyber resiliency, including continuous monitoring, evaluation, and risk management strategies tailored to evolving threats.

The protection of consumer data should also be a top priority, requiring proactive measures based on those prescribed by data protection regulations. 

Additionally, the energy sector should explore how adaptive security approaches such as “defense-in-depth” and collaboration between cybersecurity experts and grid operators can help address the vulnerabilities inherent in physical infrastructure.

Defending Against External Security Breaches

Like any organization that manages a massive quantity of data, companies in the energy industry must deal with the threat of external cyberattacks, including ransomware, Advanced Persistent Threats (APTs), and Distributed Denial of Service (DDoS) attacks.

In fact, according to S&P Global, 2022 saw a sharp uptick in the number of cyber attacks on “energy and commodities infrastructure.” That trend doesn’t seem to be slowing anytime soon, according to Chole Pippin, an associate at Foley Hoag’s Boston office.

“The energy sector is particularly vulnerable due to these types of attacks due to the outdated and unsecured networks oftentimes used in the industry, as well as the increased use of distributed energy resources (‘DER’), which creates more openings to attack and requires more resources to monitor and manage,” Pippin writes.

There are a few steps that energy industry firms can take to better protect themselves, according to a report from the International Energy Association (IEA). 

The IEA emphasizes “cyber resiliency” in the face of inevitable cyberattacks. Building cyber resilience starts with education and the development of risk management strategies based on a thorough assessment of the greatest risks a firm currently faces.

Those risk management strategies should also be revisited frequently to keep up with the evolving nature of cybersecurity threats. 

“Because cyberthreats are constantly evolving, all organisations need to continuously monitor and evaluate their vulnerabilities and risk profiles and take appropriate action,” the IEA writes.

“For example, some organisations may need to exercise effective threat hunting and cyberthreat intelligence activities to prepare for high-end threats from highly capable and motivated attackers.”

Navigating Threats To Consumer Data

In addition to protecting firms’ own data, energy industry players such as public utilities are charged with protecting a significant amount of consumer data.

Like in-house data, consumer data security benefits from proactive cyber resilience as recommended by the IEA. 

Unlike in-house data, however, breaches that allow access to consumer data can come with an extra threat against the company’s reputation and can trigger financial and regulatory repercussions — even if the data breach doesn’t impact service.

In a 2021 article for Forbes, Liquid Avatar Technologies CEO David Lucatch points to the European Union’s General Data Protection Regulation and the California Consumer Privacy Act as excellent models for how companies should protect consumer data. 

Lucatch also suggests that hiring a data protection officer (DPO), a specialized, high-level position focused on protecting company and consumer data through the practices outlined by the legislation above, may help give the company’s data protection needs the attention they deserve.

DPOs might “Look to develop stronger protocols and procedures that support new and better ways for customers to log in — biometrics, digital identity, verifiable credentials, etc.,” according to Lucatch.

“As consumers take responsibility for their data and privacy, they are likely going to demand these new ways forward.”

Working With Physical Infrastructure

As physical energy sector infrastructure expands to accommodate consumer demand, so does the digital communication necessary to manage and maintain that infrastructure, according to a report published in the journal Sensors.

“The resulting increase in communication creates a larger attack surface for malicious actors. Indeed, cyber attacks on power grids have already succeeded in causing temporary, large-scale blackouts in the recent past,” the report’s authors write.

Taking a global view, the authors state that “Depending on the country and the specific grid operation company, current security measures range from non-existent to state-of-the-art,” but add that “even if attackers are only able to control a small fraction of the power connected to the grid, they can still leverage mechanisms inherent to today’s large power grids to cause considerable damage.”

While some threats to power grids, for example, can only be addressed through physical deterrents, cybersecurity still has a role to play in protecting physical infrastructure.

The report’s authors argue for a security approach called “defense-in-depth,” which aims to provide multiple layers of security starting with a foundation of secure devices and applications before expanding to incorporate network and physical security supported by intra-firm education, policies, and procedures.

New technology also comes with its own security issues, the authors add, which calls for exploring and understanding the benefits and drawbacks of using technology such as blockchain or distributed ledgers to address cyber and physical threats.

Finally, the authors call for “tight collaboration between cybersecurity experts and grid operators to develop and implement cybersecurity solutions that are tailored to the unique requirements of power grids.”

Jasper AI assisted a Breaking Energy writer in creating this article.