Cybersecurity Builds Trust in Critical Infrastructure

In 2021, a ransomware attack shut down Colonial Pipeline operations for six days. Gas shortages in the eastern US, economic turmoil, and eye-catching headlines resulted. Interest in cybersecurity for critical infrastructure intensified — and many leaders seemed to learn the wrong lesson.

Energy sector leaders often take cyber vulnerabilities seriously only after a significant breach. Experiencing a loss (or watching someone else's) makes companies tighten cybersecurity to avoid similar losses. This pattern emphasizes the loss-avoidance aspects of cybersecurity. Yet thinking of cybersecurity solely as loss avoidance misses a key value generator cybersecurity provides: trust.

Companies that get cybersecurity right earn trust. That trust matters in two ways: It supports brand or company reputation, and it allows for forward innovation.

Where reliability matters, as it does in energy, resilience against cyberattacks enhances a company's reputation. Disruptions damage that reputation. It doesn't matter how green your power generation is if customers are left in the dark. In a Ponemon study, companies saw an average 5% drop in stock value the day after disclosing a breach, and 31% of consumers affected by a breach discontinued their relationships with the breached organization. A majority of executives expect a significant cyber event in the next two years and are planning strategic shifts to mitigate that risk.

A reputation for security and reliability also makes a compelling basis for differentiation. Competitive companies need to show their bid is superior — whether they are building infrastructure, delivering fuel, or keeping electrons flowing. Strong cybersecurity gives potential partners a reason to choose you over a less well protected competitor: Secure systems have more uptime and perform more reliably.

Good cybersecurity also gives companies space to innovate. New technologies bring new opportunities — and new unknowns. Will customers balk at a smart meter? Cloud services? Will investors lend funds to scale up unproven technology? A track record of successfully navigating cyber-risks helps partners and customers accept each marginal expansion of risk — and helps the company know how to proceed without expanding cyber-risks.

Trust Creates Value

Today's energy sector should think about cyberattacks the way car manufacturers think about collisions. System design can make such incidents less likely — and mitigate the consequences when disaster strikes. Companies should see cybersecurity as a core feature that adds value. While regulations should ensure a minimum safety standard, regulations should be a floor, not a ceiling.

Modern energy systems cannot function without digital components. As the Colonial Pipeline attack illustrated, the consequences of a cyberattack can cascade into the real world, from one company to many companies up and down the supply chain.

Cybersecurity is integral to delivering a safe, reliable product in today's energy markets. No part of the energy sector is entirely free from cyber-risks. New technologies, like wind and solar, require digital management to cope with variable inputs. Digital retrofits to older technologies, like conventional turbines and pipelines, minimize emissions and maximize efficiency. Digital tools are powerful, profitable, and here to stay. Protecting these assets and their uptime provides a loss-avoidance motive for strengthening cybersecurity.

Digital technologies already enable new ways for the sector to do business. Some enable cost-avoidance, like remote diagnostics on wind turbines that reduce the need for helicopter trips. Others enable new business models, like distributed solar power, roadside electric vehicle chargers, or storing energy from overnight wind power as hydrogen through electrolysis.

No matter which use cases or technologies arise next, trusted companies will be positioned to capture the resulting markets. Whether connecting new widgets to existing systems or leveraging existing assets with new management methods, partners and customers must be convinced that these innovations will work as advertised. Innovators will seek out companies with strong reputations for effective, efficient cybersecurity and secure, resilient supply chains.

Getting to Trust

Leaders looking to build cybersecurity and trust today should start by ditching the idea that cybersecurity is an IT issue. Cybersecurity cuts across energy-sector organizations. Cyber hygiene should, too. Corporate governance should reflect the cross-cutting need for cybersecurity accountability. Likewise, leaders should build visibility — the ability to rapidly inventory connected assets and understand their current operating status — into IT and physical infrastructure. Defenders need to understand both the digital and real-world consequences of a given action.

Stronger cybersecurity for energy infrastructure will require meeting facility-level challenges. Most work sites include equipment made by many manufacturers, using different machine languages, integrated without regard for security as a design constraint. Until recently, monitoring the resulting immense, heterogeneous data flows for cyber threats was cost-prohibitive. Yet even for leaders with a cost-avoidance mindset, cost-benefit ratios are beginning to shift. Against a backdrop of more severe, more frequent attacks, monitoring capability is rising and costs are falling. AI and machine learning provide fast, accurate, flexible processing for large datasets. Monitoring production for anomalies has an additional benefit as well: Sometimes it reveals new efficiencies and preventive maintenance needs.

Competition for low-emissions energy systems will reward companies that leverage AI-enabled monitoring for security and other useful insights. Resilient, hardened infrastructure will see fewer outages and more precise recovery when breaches occur. Reputations — and future fortunes — will be built and broken by cybersecurity or its absence.

Cyber threats aren't going away. In the new normal of a heightened threat environment, companies need cybersecurity not just to withstand attacks, but to build the trust they need to thrive.