Energy: Where centralizing and managing cyber risks is critical

With increasing digitalization, the energy & utilities sector is undoubtedly more and more exposed to cybersecurity threats and cyberattacks with vague and varying motivations. Sabotage, economic and industrial espionage, and various dysfunctions are part of strategies of attack, deterrence or reprisal, some of them orchestrated by States, which we must be ready to face…

Energy & Utilities, a sector in profound transformation.

Energy fuels the world and countries' economic growth. The Energy & Utilities industry is key to the fight to mitigate climate change: 75% of CO2 emissions result from energy use, in the energy sector itself (energy production) as well as in industry, buildings, transportation and agriculture. The related sector transformation encompasses:

  • Fast and massive roll-out of clean technologies (Renewables, Hydrogen, Nuclear, EV charging, grid modernization, Energy Efficiency and flexibility solutions, Carbon Capture, Utilization and Storage…)

  • Massive electrification (Transportation, Heating-Cooling, Industry), moving from 20% of energy demand covered by electricity to 50% by 2050, almost quadrupling electricity use

  • New electric paradigm shift, moving from a centralized production model to a distributed one (production and consumption)

  • Sovereignty (rare earths and materials, equipment, China's domination of almost all technologies) and security of supply

The transformation is faster than ever, with big energy transition investments and the imperative of affordable energy for consumers.

With digitization progressing and wide ecosystems at every stage of the industry value chain, the cyber threat is a reality, reinforced or even triggered by geopolitical instability.

Depending on the value chain (electricity, oil & gas, or water and waste management), and as digitization progresses (a journey that started more than 15 years ago), millions to billions of assets are connected through IoT, and some are smart and edge-computing enabled. A data tsunami happens every day. Connected objects and digitized assets of every type drive digital exchanges with large ecosystems (Energy & Utilities industry operators, equipment and services suppliers, consumers), and cyber threats grow as a consequence.

Energy and Water are key components of international conflicts (the unjustified invasion of Ukraine by Russia, Hamas terrorism in Israel last October in the Middle East) and of tensions between blocs (China – USA, Russia – USA, Taiwan, Iran's nuclear developments).

Many cyber-attacks already recorded

In this geopolitically unstable environment, many attacks have already been recorded, both physical (Nord Stream gas pipeline 2 explosion, destruction of the Kakhovka dam in Ukraine) and cyber. Here are just a few cyber events:

CIOs and Digital Officers constantly report that hundreds of cyber-attack attempts happen every month against the systems of each division of the large players. Interviewed by DNV in 2023[1], energy & utilities managers state that attacks come from hacktivists (69%) and from foreign state-sponsored actors (62%), which represent an even greater cyber threat than criminals, terrorists, or vandals.

Governments have established cyber protection obligations for vital Energy & Utilities players, with important gaps to bridge as soon as possible.

France, then Europe, have listed Essential Services Operators during the last decade, and all Energy & Utilities companies are on the list. With the obligation to secure information systems established, notably through the NIS (Network and Information Security) directive, operators must submit their protection measures for approval and test all the procedures to activate in case of a cyber threat or incident.

In fact, EU Member States have until October 2024 to transpose the European NIS2 Directive into national law. Here is a look at how it enshrines risk management, especially in a sector as strategic and vital as Energy.

With Article 21, the NIS2 Directive requires “appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of networks and information systems used by [critical and important] entities in the course of their business or in the provision of their services, and to eliminate or reduce the impact of incidents on the recipients of their services and on other services”.

This can only be done through agile and effective risk management, which makes it possible to focus on assessment, reporting and investment arbitrage to achieve cybersecurity results.

As a reminder, in case of non-compliance, critical entities are subject to a fine of €10 million, or 2% of total worldwide turnover.

Centralizing and managing cyber risks, and preventing threats from occurring, is, though, an absolute must, and a complex task to achieve and to keep up to date at all times.

Protecting an operator also means securing its ecosystems: harmonizing cyber risk processes and tools between the operator and its key supplier network and partners' ecosystems to establish common methods, consistent risk assessment, and traceability for coordinated compliance. Clients and energy consumers, now digitally connected to their energy suppliers and equipment, are part of the cyber risk galaxy and its related mitigation.

This brings the need for common industry requirements, rules, and processes. Each company must consider increasing its cybersecurity effort, having the appropriate skills, and involving all of the company's executives, from the highest level, to reconcile the protection of systems and of the business.

The EGERIE platform allows you to implement and manage a cybersecurity strategy through the continuous analysis of cyber risks. It is a collaborative platform: you work as a team on the risk analyses and can solicit the business team of each department through security questionnaires to audit your security controls internally. This approach contributes to raising awareness of cyber risks in each of the company's departments.

The EGERIE platform helps you with your NIS2 compliance through cyber risk centralization, reporting to your management for approval of your cybersecurity strategy and residual risks, and general cybersecurity awareness.

Ready to try EGERIE?