In PwC’s 2021 Global Digital Trust Insights, half of the business and security/tech executives in the energy and utilities industry told us they believe that one of the pandemic’s most important legacies will be greater communication between CISOs and CEOs and/or boards. This welcome change is reinforced by a cyber strategy reset: nearly half (45%) plan to build cybersecurity and privacy implications into business decisions and to adopt a new process for cyber budgeting.
These improvements come at a great time for the industry, which is at the front end of a momentous energy transition. Nearly 25% of the industry executives said they are redefining their core business models and organisations. They’re decarbonizing the generation mix, embedding grid intelligence, redefining customer value propositions and elevating tech’s role in enabling energy supply, delivery and consumption.
And CEOs and boards are turning to their CISOs to secure these changes. Security teams are being asked to be enablers of change and not just protectors.
Energy and utilities executives expect that attacks in the coming years are very likely to arrive via IoT-connected devices and components (32%) and through cloud service providers (30%). They are also more concerned than executives in any other sector about the significant negative impact these threats could have on their business. Nation-state threat actors and disruptionware attacks on critical business services are a further source of alarm.
In May 2021, the world saw how readily attackers can threaten essential services such as fuel supply, when a ransomware attack on a pipeline operator led to fuel shortages and panic buying. Cybersecurity thrust itself into consumer consciousness and ransomware became a household term.
Fortunately, security technology is maturing. Emerging tools offer more comprehensive capabilities, and as a result security teams are being challenged to develop the skills needed to put these tools to use and integrate them into the business as a whole. Replacing earlier-generation security tools that cannot keep pace with current threats and attack techniques is increasingly important.
So what will this all mean for the future of cybersecurity in our sector? Take a look at three priorities for power sector security as we move further towards 2022.
1. Migrate securely to the cloud (if you haven’t already)
According to the Global Digital Trust Insights survey, nearly a third (32%) of industry respondents strongly agree that moving more services and infrastructures to the cloud will be foundational for the next generation of business solutions in their organization. And 36% strongly agree that new solutions exist to secure cloud infrastructures better than they have ever been in the past.
We’re seeing this reflected in the power sector. Many power companies are quickly moving more of their environment to the cloud. They’re doing away with static legacy systems in favour of more dynamic, nimble integrated cloud and network systems.
While most cloud providers claim security by design, CISOs understand that a secure transition to the cloud is a complex process. Privacy, data residency and access management are just three requirements that need to be considered, and under the shared responsibility model the customer remains accountable for the configuration, identity and data controls within its own tenancy. Significant changes to enterprise architecture are also needed. We encourage CISOs to raise these requirements early and position their office as an enabler, as it’s important that management doesn’t view the security team as an impediment to technical advancement.
2. Pivot from data protection to Data Trust
We have noticed a merging of data security-related activities in recent years. Our data protection team increasingly works alongside our data governance and privacy teams at the same clients. Why? These topics have significant interdependencies, and managing data effectively and securely requires collaboration among them. Regardless of where you start, all these stakeholders and processes converge.
Power companies should develop an overarching Data Trust strategy to address these interconnected areas. Utilities, in particular, should consider this approach, given the importance of customer data to their reputation. Our formula is: Data Trust = Data Management and Governance + Data Protection + Privacy + Legal. This consolidated strategy reduces redundancy and effort, gives CISOs a full view of data locations and flows across the enterprise and reduces data silos or gaps within the organization.
3. Take advantage of access management success factors
Identity and Access Management (IAM) and Privileged Access Management (PAM) are a significant focus for the power sector right now. We estimate that 30% to 40% of local distribution companies (LDCs) are considering a major IAM/PAM program implementation in the next 24 months.
One of the biggest challenges in these implementations is having the in-house skills and knowledge needed to engage effectively with IAM and PAM implementation service providers. These are complex processes with equally complex decisions and approvals to be made. We encourage CISOs to budget for IAM/PAM training and for more rounds of review and approval than may be apparent at the outset.
Bringing it all together
We’re at a critical juncture for cybersecurity and the power sector. Amid the sweeping and fast-paced digitization we’re seeing, an important first step for business and security leaders will be to develop a business-driven cyber strategy that includes these three priorities, among others.
This reset will not only more clearly define the expanding role of the CISO, but it will also affect the way power companies set cyber budgets, invest in security solutions and resource their security organization.
This will position CISOs and their teams to become stewards of digital trust, able to lead their organizations securely through technical transformations with strategies to protect business value—and to create it.
Leader, Cybersecurity and Privacy, Energy, Utilities and Resources, PwC Australia
Tel: +61 8 9238 3418