Can We Make a Global Agreement to Halt Attacks on Our Energy Infrastructure?

The connected world brings people together, but connectivity also brings risk. Cybercriminals can use the same tools that bring us together to spread chaos. Every organization is concerned about cybersecurity.

During the last several years, the energy industry has been subject to high-profile attacks, including an extremely disruptive ransomware strike on Colonial Pipeline that affected fuel supplies in the US for days. While this and other high-profile attacks were the work of cybercriminals looking for a huge payday, the energy sector remains susceptible to both espionage between nation-states and cybercrime. Recent developments keep pointing toward more attacks.

The cybersecurity community needs to take global, unified action to create new rules governing and protecting the energy industry worldwide. Failure to do so will only encourage more attacks on critical, lifesaving services and hamper economic growth around the world.

The Future Is Uncertain, but It Is Electric

Everything from our finances to heating and communications relies on electricity. Even cybersecurity relies on electricity. I believe that when we have access to reliable energy and electricity we can create a more just, unified world.

For example, German and French leaders met in Switzerland in the aftermath of World War II to discuss creating a cross-border electrical grid between the former enemies. The wounds of war were still fresh, yet a group of determined engineers hammered out a deal that would strengthen both countries' economic recovery through resilient electrical infrastructure.

Nearly 75 years later, the need to guarantee the steady flow of electricity continues to unify people, countries, and organizations in an increasingly unstable world.

Risks Increase as Grid Grows More Decentralized

The necessary decentralizing of energy production infrastructures dramatically increases attack surfaces in the electrical grid, creating cybersecurity gaps and vulnerabilities. Digitization of the energy infrastructure will deliver huge value in enabling a clean energy future but poses additional cybersecurity challenges if these technologies are operated in a traditional way. For instance, these developments have created decentralized energy products like solar panels on private homes and digitized assets that were previously analog, such as substations. Meanwhile, automated systems buy and sell power and communication networks span entire transmission and distribution lines. That's millions of miles of connectivity we didn't have before.

Unfortunately, utilities and energy companies are still approaching this 21st century problem with 20th century solutions built for static, centralized, monolithic grid architecture. Today's grids are dynamic, flexible, and decentralized — requiring connectivity with numerous equipment manufacturers and preventing operators from simply digitally and physically walling off the grid. Utilities need to stop breaches from occurring, of course, but traditional perimeter defense needs to be supplemented by an approach that continuously monitors assets and network communications to identify abnormal or potentially malicious behavior. On their side, manufacturers need to deliver additional cybersecurity capabilities and also ensure interoperability for cybersecurity operations.

It's critical that we create a global consensus on supporting and protecting the electricity grid as it grows in complexity and importance. Here are three ways the world can come together to better protect electricity infrastructure.

An Agreement to Share

The first step would be to share information across utilities, energy companies, equipment manufacturers, and government agencies. Similar to the International Atomic Energy Agency (IAEA), a global organization should be set up to encourage transparency throughout the industry and share data and information about potential attacks, vulnerabilities, and remediation techniques.

Data connectivity between grids would be crucial, giving regulators and cybersecurity professionals access to real-time critical intelligence that could potentially prevent an attack in advance. We could set up a "black box" exchange, similar to data recording devices on commercial airlines to prevent similar attacks from occurring again. The technology already exists to enable this transparency through remote monitoring and asset management solutions that automate grid connectivity. The key would be trust. Fortunately, we have two great examples of information sharing in the nuclear energy and airline industry.

Consensus on Cybersecurity Rules and Regulations

Today we have a highly decentralized regulation environment with different rules around the world. For example, sign-in credential standards vary among Asia, Europe, and the US – requiring manufacturers to develop slightly different product models for each region. Standardizing regulations would streamline compliance for utilities and equipment manufacturers, strengthening asset protection while freeing up money that could then be invested in more robust cybersecurity capabilities.

A Legal Framework for Protection

One day, I hope we'll amend the Geneva Conventions to protect the world's energy infrastructure from cyberattacks and, in turn, protect countless lives. However, given today's political environment, such an agreement is unlikely. Instead, we'll need to look to self-governance within the industry. Utilities, equipment manufacturers, and other stakeholders will need to come together to form a strong alliance that has the power to create and enforce global cybersecurity standards. We have the technology and the will to embed cybersecurity directly into grid infrastructure, making security implicit as grids continue to grow and decentralize. The power to enact positive change is in our court.