How to remove the cybersecurity gridlock from the nation’s energy lifelines
In a world where every digital connection has the potential to be a vulnerability, the stakes for cybersecurity have never been higher.
The recent statement from National Security Advisor Jake Sullivan on supply chain security brings into sharp focus the escalating threats faced by critical infrastructure operators, particularly the energy sector. For the United States, securing this sector is not just a matter of national interest; it’s a strategic necessity that reverberates across global markets.
As the energy sector becomes increasingly intertwined with complex networks of software and IT vendors, the risk of a cyber incident grows exponentially. The integration of industrial control systems (ICS) and energy automation offers operational benefits but also opens doors to significant vulnerabilities. Each new vendor added to the supply chain is a potential weak link, underscoring the urgent need for a unified strategy.
In response, the Department of Energy is planning to convene energy sector leaders to advance the Supply Chain Cybersecurity Principles aimed at enhancing resilience throughout global supply chains. Already, numerous major energy companies such as GE Vernova, Honeywell, and Siemens have agreed to these principles, signaling a step in the right direction by committing to improve their supply chains. Additionally, the Federal Energy Regulatory Commission is making changes to its bulk power reliability standards to address supply chain risks in the energy sector through recent rulemaking efforts.
While the U.S. government is spearheading efforts with industry leaders and international partners to fortify cybersecurity defenses, there is an urgent need for a unified approach from both the public and private sectors. This strategy must address vulnerabilities across the entire energy sector supply chain, including those introduced by the shift to cleaner energy and increasing reliance on third-party vendors.
Rising cybersecurity stakes in the energy sector
The U.S. energy sector is a primary target for cyberattacks, as highlighted in a new report from KPMG and SecurityScorecard that reveals third-party risk drives 45% of breaches in the sector. This is significantly higher than the global rate of 29%. This focus on major economies and energy producers underscores the immense potential for disruption, given the sector’s critical role in not just the national and global economy, but also the safety implications for the general public.
Concerns about cyber disruptions have traditionally centered on industrial control systems (ICS) and operational technology (OT), which are crucial for the extraction, transportation, and processing of energy supplies. While these concerns are well-founded, actual attacks on ICS/OT have been relatively rare. These scenarios might be described as “higher-impact, lower-probability” cases. In contrast, more frequent and disruptive incidents involve ransomware attacks and IT data breaches. For example, the Colonial Pipeline attack did not compromise ICS/OT but disrupted the pipeline’s IT billing system, leading to significant operational impacts and interruptions in the energy supply chain.
Adding to the sector’s vulnerabilities is its heavy reliance on third-party vendors. The report also found that 45% of breaches involved third parties, many of which were outside the energy sector, such as IT and software providers. This dependency introduces significant risks, as attackers often target these external partners to gain access to critical systems.
Another critical consideration is the shift to cleaner energy, which introduces new vulnerabilities as the energy grid becomes greener and more interconnected. The increased reliance on software-driven systems not only amplifies these risks but also intersects with the Chinese government’s role in the industry. As both a competitor and a contributor to the supply chain, China could exploit its latter access for cyberattacks to further its competitive goals. This concern is heightened by the fact that renewable energy companies have the lowest cybersecurity scores compared to other sectors within the energy industry, underscoring the urgency of addressing these vulnerabilities.
Strengthening the supply chain: a unified approach
Given these vulnerabilities, it’s crucial for the energy sector to adopt a unified approach to cybersecurity. As the old saying goes, “you are only as strong as your weakest link,” and this could not be more relevant to the U.S. energy industry. The growing number of external vendors involved in critical operations means that the sector must confront the reality that these relationships often introduce significant risks.
To address these challenges, companies and regulators need a globally trusted method for measuring cybersecurity risk. This includes implementing a consistent framework for evaluating cybersecurity effectiveness across industries and sectors. Anne Neuberger, the deputy national security advisor for cyber and emerging technology, highlighted this need at the 2023 Billington Cybersecurity Summit. The White House is already exploring the adoption of cybersecurity letter-grade ratings, which would provide a standardized measure of cybersecurity resilience for key infrastructure sectors like pipelines, railways, and water.
Cyber resilience requires a comprehensive understanding of risk factors in a company’s vendors, competitors, and third- and fourth-party suppliers. By regularly measuring progress and improving transparency, organizations can build confidence among stakeholders and foster a culture of robust cybersecurity practices.
The path forward for energy cybersecurity resilience
The U.S. energy sector stands at a critical juncture where cybersecurity must evolve to match the complexities of a more interconnected and software-driven landscape. Regulators are taking notice, with the North American Electric Reliability Corporation acknowledging that U.S. power grids are increasingly vulnerable to cyberattacks, reporting an alarming increase of about 60 susceptible points in electrical networks each day.
While utilities are embracing this new reality, they struggle to muster the resources and subject matter expertise to battle back against this new “enemy avenue of approach” into critical systems. While federal resources and information threat streams are helpful, it’s altogether overwhelming. The significant number of cyber incidents and the sector’s increasing reliance on third-party vendors underscores the urgency of adopting a comprehensive and unified approach to cyber defense.
While the U.S. government’s initiatives and industry commitments represent important steps forward, a collective effort is essential to bolster resilience and secure the energy supply chain against emerging threats. As we navigate the transition to cleaner energy, it is imperative that both public and private sectors work together to address vulnerabilities and strengthen every link in the cybersecurity chain. By doing so, we not only protect vital infrastructure but also safeguard global stability and economic continuity in an era of unprecedented digital interconnectivity.
Sachin Bansal is the president of SecurityScorecard. Brian Harrell is the former assistant secretary for infrastructure protection at the Department of Homeland Security.
