How cybersecurity can accelerate innovation in power and utilities

Modernization of energy infrastructure through increased investment in renewables, coupled with innovations in battery storage, microgrids and electric vehicles (EVs) are fueling the energy transition. Furthermore, established energy companies are facing increased competition from technology start-ups.

As traditional revenue streams are radically disrupted, many energy companies are also struggling to navigate the complexities of new environmental regulations.

In this new world that is more digitized and decentralized and amid an ever-evolving cyber-threat landscape, effective cybersecurity has become a core pillar of business growth. Conventional approaches to cybersecurity are no longer adequate.

Reliable electricity supply directly impacts the functioning of society, so no wonder why this sector is an extremely attractive target for a range of cybersecurity adversaries. In the EMEA region alone, the energy industry is one of the top sectors prone to a cyberattack, with rising numbers of daily reported incidents. Not only are attacks increasing, our recent survey suggests that detecting many of these attacks is getting harder. According to EY Global Information Security Survey (GISS) 2020 (pdf), for 34% of organizations that suffered a significant attack last year, it took over a month to detect the breach.

The rising threat to the sector calls for immediate attention. Companies must not only deal with today’s threats, but also prepare for the future. It’s crucial to understand the current cybersecurity risk landscape and the threats new technologies bring, to plan operations for long-term success. What can organizations do to manage the evolving cybersecurity risk?

Here are three steps to start with:

• Equip themselves with new cybersecurity skills
• Engage with the board
• Increase sector-wide collaboration

Equip with new cybersecurity skills

Understanding emerging technology is crucial for cybersecurity, to remain relevant within the organization. Cybersecurity leaders must have the ability to communicate in language the business understands. But, at the same time, they should ensure their teams are equipped with technical skillsets needed to embed cybersecurity in new-energy initiatives, as part of a “security by design” approach.

Greater connectivity and an expanded attack surface through large-scale deployments of digital grids, EV charging infrastructure and connected home solutions create multiple new entry points for attackers to exploit.

With smart devices and operational consoles at risk, this can have consequences for energy supply and customer data. It is vital for CISOs to study the upcoming innovations and new technologies around internet of things, artificial intelligence and smart devices, determine whether the right cybersecurity expertise is available and address any gaps in skillsets.

The pace of digital transformation in the sector is also driving the need to reduce time to go-to-market for new, often cloud-based, customer services. New cybersecurity skillsets are needed, due to the manner in which these new services are deployed, increasingly using agile-delivery methods and relying on third-party cloud providers.

The EY GISS (pdf) reports that only 6% of energy organizations would describe cybersecurity as enabling innovation; most choose terms such as “compliance-driven” and “risk-averse”. As a new generation of more tech-savvy customers expect a full digital experience and constant innovation (similar to what is offered by the tech-giants) there is a danger security is left behind.

For this to be avoided, developers and security teams must work jointly to integrate and automate security testing as part of build and test cycles. Many agile tools now come with a range of security features; however, these must be configured correctly in line with agreed security use cases and threat modelling scenarios.

This collaboration between security specialists and developers, built on cross-domain competencies is key to minimizing delays and avoiding cybersecurity being viewed as a blocker to innovation.

Engage with the board

In parallel with upskilling cybersecurity functions, there is also a need to effectively engage with the Board on cybersecurity. CISOs must embrace the right governance structure and develop reporting methods that articulate the value of cybersecurity to the business in the context of both current and future cybersecurity risks.

Cybersecurity risk quantification approaches are gaining traction across many sectors as a means of assigning a monetary value to probabilities of future losses from cybersecurity breaches, however there are limitations. According to the EY GISS (pdf), only 5% of energy organizations would describe their ability to quantify the financial impact of cybersecurity breaches in dollar amounts as mature. As with any mathematical model, quality of input drives accuracy of output and in many instances organizations must first address the cybersecurity risk management basics. 

Establishing a framework for threat modeling and critical asset identification are key prerequisites prior to deploying more advanced cybersecurity risk quantification tools.

Frequency of board engagement is another important consideration. In a recent EY roundtable with CISOs of the largest European power and utilities companies, views ranged widely, from once a month to once a year. Clearly there is no right answer here; this depends on the culture of the organization and the maturity of the cybersecurity function. What is important though, is not just to report backwards-looking data and metrics (e.g. on incidents and performance) but focus more on the future and the role of cybersecurity in supporting the business strategy. With customer trust intrinsic to the strength of the brand the link between cybersecurity and business value is now easier to articulate than ever before.

Increase sector-wide collaboration 

Another key theme that strongly came out during the recent EY power and utilities CISO roundtable was the consensus from all participants on the need to increase collaboration between sector peers.

In the race to protect the energy supply chain and upskill a cybersecurity workforce to stay ahead of cyber criminals, CISOs should re-think the value of wider sector engagement.

Organizations face similar cybersecurity challenges so there is much to gain and little to lose by sharing cybersecurity approaches. Collaboration provides CISOs with greater awareness of the threat landscape and shared strategies can tighten the protective layers around an increasingly interconnected and borderless energy value chain.

In a nutshell

The power and utilities sector is transforming faster than ever right now. Consumers expect more control over their energy usage and access to data at their fingertips. As new entrants with innovative platforms and technology DNA are disrupting the traditional market, agility and speed-to-market are replacing existing release cycles, for new-energy products and services.

With the dawn of a new-energy system, there is a great opportunity for the CISO to become the agent of transformation.

This can be achieved by upskilling the cybersecurity function in competencies that are directly aligned to the digital initiatives of the business, engaging meaningfully with the board using future-looking reporting and increasing collaboration among industry peers.