In 2021, Colonial Pipeline experienced a ransomware attack that resulted in a six-day shutdown of its operations. The incident caused gas shortages in the eastern United States and economic turmoil, capturing the attention of the public and highlighting the importance of cybersecurity for critical infrastructure. However, it seems that many leaders have taken away the wrong lesson from this event.
Typically, leaders in the energy sector start taking cyber vulnerabilities seriously only after a significant breach occurs. It is often the experience of a loss or witnessing someone else’s loss that motivates companies to tighten their cybersecurity measures in order to avoid similar incidents in the future. This response highlights the aspect of loss-avoidance in cybersecurity. However, it is important to recognize that cybersecurity also plays a crucial role in generating trust.
Companies that prioritize cybersecurity and get it right are able to earn the trust of their stakeholders. This trust is valuable in two ways. Firstly, it supports the brand or reputation of the company. In industries where reliability is of utmost importance, such as the energy sector, resilience against cyberattacks enhances a company’s reputation. On the other hand, any disruptions caused by cyberattacks can significantly damage that reputation. For example, a Ponemon study revealed that companies experienced an average 5% drop in stock value the day after disclosing a breach, and a significant portion of consumers discontinued their relationship with breached organizations. As a result, many executives are now expecting significant cyber events in the next two years and are planning strategic shifts to mitigate the associated risks.
Secondly, a reputation for security and reliability can serve as a competitive advantage. In industries where companies are constantly bidding for projects or customers, strong cybersecurity measures can differentiate a company from its less protected competitors. Potential partners and customers are more likely to choose a company with secure systems that provide greater uptime and reliability.
Moreover, robust cybersecurity measures create space for companies to innovate. Embracing new technologies often brings new opportunities, but it also introduces new unknowns and risks. A track record of successfully managing cyber risks can make partners and customers more willing to accept each marginal expansion of risk. This, in turn, allows companies to explore new technologies and business models without significantly increasing their exposure to cyber risks.
In order to fully recognize the value that cybersecurity brings, leaders in the energy sector should start thinking about cyberattacks in a similar way to how car manufacturers think about collisions. System design can play a crucial role in minimizing the likelihood and consequences of cyberattacks. Cybersecurity should be seen as a core feature that adds value to energy systems. While regulations can ensure a minimum safety standard, they should not be seen as the ceiling but rather as the floor.
It is important to acknowledge that no part of the energy sector is entirely free from cyber risks. Even new technologies like wind and solar power require digital management systems to cope with variable inputs. Retrofitting older technologies with digital tools can also maximize efficiency and minimize emissions. Therefore, it is crucial to protect these assets and their uptime to strengthen cybersecurity and prevent potential losses.
Digital technologies are already transforming the energy sector and enabling new ways of doing business. From cost-avoidance measures like remote diagnostics to new business models like distributed solar power, companies that are trusted to have strong cybersecurity measures in place will be well-positioned to capture the emerging markets and opportunities.
To build cybersecurity and trust, leaders should abandon the notion that cybersecurity is solely an IT issue. Cybersecurity cuts across all sectors of the energy industry, making it necessary for companies to prioritize cyber hygiene in all aspects of their operations. Corporate governance should reflect the importance of cybersecurity accountability, and leaders should build visibility into both IT and physical infrastructure to understand the real-world consequences of cyber events.
Meeting facility-level challenges will require addressing the security vulnerabilities of equipment made by different manufacturers, using different machine languages, and integrated without adequate security considerations. The cost of monitoring these complex systems for cyber threats used to be prohibitive, but advancements in artificial intelligence and machine learning have made it more feasible. AI-enabled monitoring can not only detect anomalies and potential cyber threats but also reveal new efficiencies and preventive maintenance needs.
In a world with an increasingly heightened cyber threat environment, cybersecurity is not just about withstanding attacks but also about building the trust needed for companies to thrive. Cyber threats are not going away, and companies that recognize the value of cybersecurity and invest in it will be better positioned to protect their reputation, differentiate themselves from competitors, and seize new opportunities in the evolving energy landscape.