Energy and utilities 2022 cyber outlook: It’s everyone’s priority
The cyber landscape for energy and utility companies is growing increasingly complex, and it’s not just due to daily new threats and escalating geopolitical uncertainty. Because the industry sits at the forefront of efforts to build a cleaner, more reliable and affordable energy future, it also faces complex challenges around exploring new technologies and business ventures, accommodating more complex connections to the grid and energy infrastructure, and navigating an ever-evolving regulatory and policy landscape.
Chief information security officers (CISOs) must navigate these complexities while protecting their organizations from ongoing and incoming cyber threats. They’re focused on growing leadership’s confidence in their abilities—in fact, it’s the top goal of CISOs for the next three years, according to the energy and utility cyber leaders who responded to PwC’s 2022 Global Digital Trust Insights Survey.
Still, the pressure to reduce vulnerability to cyber intrusions shouldn’t rest solely on the shoulders of CISOs. Cybersecurity should be an enterprise-wide effort, with buy-in from leaders across every corner of the organization. Let’s take a look at a handful of the top challenges facing energy and utilities in 2022, and the opportunities to make tangible progress this year by treating cyber risks as business risks that are everyone’s priority.
How energy and utilities can tackle these top cyber challenges
Where are compliance and cyber policies heading?
Energy and utility CISOs and risk leaders are seeing a shift in compliance standards, from voluntary to mandatory, and in monitoring, both reactive and proactive. For some, this may require figuring out how to adapt to the changes. For others, it may mean quickly implementing compliance or reporting capabilities for the first time.
For example, prompt, consistent and mandatory reporting on cyber breaches took a step forward with the signing of the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The law, which requires the reporting of significant cyber incidents and extends protections to those who do, represents a move away from ad hoc, industry-specific guidance for voluntary disclosures. Meanwhile, industry-specific requirements continue to evolve in reaction to new threats, making it increasingly important for industry players to work together with regulators and government entities to ensure that new guidance reflects their input.
The directives issued by the Transportation Security Administration (TSA) in the wake of the May 2021 ransomware attack on a major petroleum product pipeline’s IT network resulted in more prescriptive security measures. Those actions include alerting the Department of Homeland Security (DHS) to any cyber incidents and developing an incident response plan. The directives left gas and pipeline companies needing to decide how best to respond, and to set a timeline for complying with the orders. The TSA subsequently issued security directives for the airline and rail industries, suggesting that other sectors may follow, including segments of the broader energy industry.
Meanwhile, requirements for organizations subject to North American Electric Reliability Corporation Critical Infrastructure Protection standards (NERC CIP) are shifting to a more proactive approach. CIP standards historically focused on preventive controls over detection, but the Federal Energy Regulatory Commission (FERC), responding to perceived gaps in internal network security monitoring (INSM), has now proposed new requirements for high- and medium-impact bulk electric facilities to “increase the probability of early detection of malicious activities and…allow for quicker mitigation and recovery from an attack.” So these protective measures have now become mandatory, given new teeth through stronger enforcement—no longer voluntary and subject to self-enforced actions and timetables. Additionally, the Biden Administration continues to encourage the sharing of telemetry data from these security monitoring tools to provide collective defense capabilities. This was reinforced in February with the NSA and CISA forming a public-private partnership with the Neighborhood Keeper intelligence sharing network, allowing its participants to communicate and share intelligence with the government anonymously.
So what should your company be focusing on in the year ahead as you navigate these ever-evolving regulatory requirements?
CISO |
C-suite |
Actions |
✔ |
Translate cyber risks and the risks associated with changing requirements into the language of your business, clearly drawing a line between compliance and impact—financial, operational, reputational and otherwise. |
|
✔ |
Anticipate and inform evolving regulations, including proactively commenting on and contributing to regulation, rather than remaining reactive to it. CISOs typically haven’t been major change agents in this area. |
|
✔ |
✔ |
Reevaluate and understand CISO and C-suite roles as de facto national security leaders. The strategies that your company deploys to thwart cyber attacks can prevent shutdowns that have the potential to affect millions of customers and others. |
✔ |
Advocate for better engineering and better governance. Enhance your company’s ability to become more resilient and more secure by applying a security-first mindset to any major business initiatives. |
|
✔ |
Rethink regulations as integral to business risk initiatives, not just compliance. Develop a new way of engaging with regulators. |
What are the blind spots in third-party risk management?
Supply chain issues once centered primarily on whether and how to get materials to the plant or field in a timely manner. Those concerns now extend to understanding the risks involved with using a transformer or solar panel, for example, along with the technology associated with those devices and equipment. Third-party and “nth-party” risks—those posed by suppliers’ suppliers and the like—create even more complications, sometimes resulting in blind spots that cyber attackers are eager to exploit.
Consequently, it may come as no surprise that three-quarters of energy and utilities professionals responding to PwC’s 2022 Global Digital Trust Insights Survey point to supply chain complexity as posing significant cyber and privacy risks to their organization. Third-party vendor management is a growing concern, with respondents engaging in a variety of strategies to minimize the risks or blind spots in their third-party or supplier relationships. The actions ranking the highest include auditing or verifying their suppliers’ compliance (46%), refining criteria for onboarding and ongoing assessments of third parties (41%), and sharing information with third parties or otherwise helping them improve their cyber stance (40%).
While these are all key components of a cyber risk management plan, there may be one less obvious action lurking under the surface. Many energy and utility companies have yet to fully evaluate and agree to the ownership of third-party risk or supply chain oversight as well as the appropriate governance structure. With many groups having responsibility for cyber protection—from supply chain and procurement to risk and cybersecurity—the various stakeholders need to agree on how third-party risk will be coordinated and governed. It’s also important to recognize the interconnections and avoid working in silos by taking an enterprise-wide view of the situation.
Confusion over management of cyber risks is clearly a blind spot. The good news: It’s an issue that your company can begin to tackle immediately if leaders across the organization get involved and recognize that it’s everyone’s problem. To enhance protection around third-party cyber risk, there are a number of steps your company should be taking right now:
CISO |
C-suite |
Actions |
✔ |
Work to improve communication with the executive management team and board, identifying the business risks associated with supply chain and third-party risk management. |
|
✔ |
✔ |
Treat third-party risk management as what it is—an enterprise-wide transformation initiative. Take a step back and rethink your entire process. Redesign the infrastructure and rebuild the entire house, rather than simply renovating. |
✔ |
✔ |
When implementing the new approach, deploy a holistic, enterprise-wide approach, rather than simply improving capabilities here and there in silos. |
✔ |
✔ |
Identify the owners responsible for executing strategies. |
✔ |
✔ |
Create a third-party risk office to serve as a starting point and clearing house for the integration that will be required. It’s not just about buying and leveraging new products. |
✔ |
✔ |
Consider leveraging a tracker that brings all aspects of third-party risk into one place. |
Are we giving data the same protection as our other assets?
Energy and utility companies now collect—and must protect—more customer data than ever. That volume will only increase as the industry continues to grow its offerings in newer or expanded areas like electric vehicle charging, home battery storage, digital marketing at the gas pump and more. This proliferation of customer programs and new technologies means data sits in systems and platforms across every corner of the business. It’s no longer just about protecting data in one location, it’s about protecting data in motion through a variety of channels.
Oil and gas companies that operate in countries facing geopolitical challenges navigate some of the same risks, and their data is vulnerable to unauthorized access by way of joint ventures and other partnerships. Upstream, midstream, downstream and oilfield services are vulnerable to cyber threats around operational technology (OT). These include (but are not limited to) control systems, the industrial internet of things (IIoT) and the emerging interest of cloud-based OT systems. Cyber criminals also actively seek to disrupt operations using third-party original equipment manufacturers (OEMs) as threat vectors into critical infrastructure, as well as to steal competitive data in the reservoir modeling space and operational data about production volumes. Additionally, commodity trading desks at oil and gas companies face the same types of cyber threats as Wall Street trading shops.
Collecting, retaining, safeguarding and making best use of that data has become a complex challenge. In fact, data infrastructure and data governance rank as the two most needlessly complex aspects of business operations in PwC’s survey. Just 38% of energy and utility respondents say that they have fully implemented a process for understanding the data inventory—where data comes from, how it moves through business processes and systems, and how it has been transformed or protected.
In this physical-asset-intensive industry, information is now emerging as a priority asset. In the year ahead, CISOs can help their peers in leadership begin to think about their data protection strategy much more broadly by linking it to data governance, data ownership and regulatory concerns.
CISO |
C-suite |
Actions |
✔ |
Tie the cyber risks to overall enterprise risks and, ultimately, to effects on the business. |
|
✔ |
Build a strong data trust foundation, including an enterprise-wide approach to data governance, discovery, protection and minimization. |
|
✔ |
Create a roadmap from cyber risk quantification to real-time cyber risk reporting. |
|
✔ |
Adopt a privacy-first business strategy by taking taking stock of your current state and resetting your privacy strategy to align with your broad data and business strategies. |
|
✔ |
Work with the CISO in taking a risk-based approach to cyber budgeting, technology implementations and other business objectives. |
Driving cyber initiatives home: Do CISOs have the power to lead and succeed?
Cyber certainly has the attention of CEOs. In PwC’s 25th Annual Global CEO Survey, 44% of energy, utilities and resources CEOs ranked cyber threats as a “top three” concern, only slightly edged out by health risks (45%) and climate change (49%). But given this importance, the CISO often doesn’t have a direct line to the CEO. The CISO’s most frequent interactions are with the Chief Information Officer (CIO), the Chief Technology Officer (CTO) and the Chief Risk Officer (CRO), according to PwC’s 2022 Global Digital Trust Insights Survey.
Reporting isn’t the only area in which the CISO’s positioning may be mismatched. Salaries can fall below those of C-suite peers, potentially creating a situation where the significance and responsibilities of the role don’t match the compensation. However, there are signs that this inequity is changing as companies face growing risks combined with a shortage of cyber professionals.1
Meanwhile, challenges loom on the funding front as cybersecurity budgets are a complicated mix of capital (assets acquired and implemented) and O&M (the expense to maintain assets and manage the cyber program). While just more than half of surveyed industry executives report an increase in cyber budgets for 2022, the scope of the CISO in protecting OT and ICS assets is expanding. There’s also growing pressure to quantify the spend and ensure that budgets are aligned to the most significant risks. This dynamic can be even more challenging for regulated entities, given that they are required to justify increases in rate base and cost of service through a public rate case, all while protecting confidential details of their cyber program.
The economics of cybersecurity can’t be solved overnight, but CISOs and their C-suite peers can make some headway by shifting the focus from the cost side (compliance, updating capabilities and so on) to cyber strategy. This means considering cybersecurity in every business decision by connecting cyber budgets to overall enterprise or business unit budgets in a strategic, risk-aligned and data-driven way. Putting a dollar amount on the value of a cyber project, in terms of risk reduction or less costly compliance, allows you to compare the costs and value of your cyber investments. CISOs have the opportunity to lead this effort, helping energy and utility companies measure the value of the overall portfolio of cyber investments against business objectives.
1 Cybersecurity Chiefs Are in High Demand as Companies Face Rising Hacking Threats; Companies are paying higher salaries, and in some cases giving more autonomy, to attract executives who manage data security, Catherine Stupp, WSJ Pro Cybersecurity, July 29, 2021
Follow us
