Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

Improving an energy company's resistance to cyberattack does more than protect vital resources — it enhances trust from customers and investors.


In 2021, a ransomware attack shut down Colonial Pipeline operations for six days. Gas shortages in the eastern US, economic turmoil, and eye-catching headlines resulted. Interest in cybersecurity for critical infrastructure intensified — and many leaders seemed to learn the wrong lesson.

Energy sector leaders often take cyber vulnerabilities seriously only after a significant breach. Experiencing a loss (or watching someone else's) makes companies tighten cybersecurity to avoid similar losses. This pattern emphasizes the loss-avoidance aspects of cybersecurity. Yet thinking of cybersecurity solely as loss avoidance misses a key value generator cybersecurity provides: trust.

Companies that get cybersecurity right earn trust. That trust matters in two ways: It supports brand or company reputation, and it allows for forward innovation.

Where reliability matters, as it does in energy, resilience against cyberattacks enhances a company's reputation. Disruptions damage that reputation. It doesn't matter how green your power generation is if customers are left in the dark. In a Ponemon study, companies saw an average 5% drop in stock value the day after disclosing a breach, and 31% of consumers affected by a breach discontinued their relationships with the breached organization. A majority of executives expect a significant cyber event in the next two years and are planning strategic shifts to mitigate that risk.

A reputation for security and reliability also makes a compelling basis for differentiation. Competitive companies need to show their bid is superior — whether they are building infrastructure, delivering fuel, or keeping electrons flowing. Strong cybersecurity gives potential partners a reason to choose you over a less well-protected competitor: Secure systems have more uptime and perform more reliably.

Good cybersecurity also gives companies space to innovate. New technologies bring new opportunities — and new unknowns. Will customers balk at a smart meter? Cloud services? Will investors lend funds to scale up unproven technology? A track record of successfully navigating cyber-risks helps partners and customers accept each marginal expansion of risk — and helps the company know how to proceed without expanding cyber-risks.

Trust Creates Value

Today's energy sector should think about cyberattacks the way car manufacturers think about collisions. System design can make such incidents less likely — and mitigate the consequences when disaster strikes. Companies should see cybersecurity as a core feature that adds value. While regulations should ensure a minimum safety standard, regulations should be a floor, not a ceiling.

Modern energy systems cannot function without digital components. As the Colonial Pipeline attack illustrated, the consequences of a cyberattack can cascade into the real world, from one company to many companies up and down the supply chain.

Cybersecurity is integral to delivering a safe, reliable product in today's energy markets. No part of the energy sector is entirely free from cyber-risks. New technologies, like wind and solar, require digital management to cope with variable inputs. Digital retrofits to older technologies, like conventional turbines and pipelines, minimize emissions and maximize efficiency. Digital tools are powerful, profitable, and here to stay. Protecting these assets and their uptime provides a loss-avoidance motive for strengthening cybersecurity.

Digital technologies already enable new ways for the sector to do business. Some enable cost-avoidance, like remote diagnostics on wind turbines that reduce the need for helicopter trips. Others enable new business models, like distributed solar power, roadside electric vehicle chargers, or storing energy from overnight wind power as hydrogen through electrolysis.

No matter which use cases or technologies arise next, trusted companies will be positioned to capture the resulting markets. Whether connecting new widgets to existing systems or leveraging existing assets with new management methods, partners and customers must be convinced that these innovations will work as advertised. Innovators will seek out companies with strong reputations for effective, efficient cybersecurity and secure, resilient supply chains.

Getting to Trust

Leaders looking to build cybersecurity and trust today should start by ditching the idea that cybersecurity is an IT issue. Cybersecurity cuts across energy-sector organizations. Cyber hygiene should, too. Corporate governance should reflect the cross-cutting need for cybersecurity accountability. Likewise, leaders should build visibility — the ability to rapidly inventory connected assets and understand their current operating status — into IT and physical infrastructure. Defenders need to understand both the digital and real-world consequences of a given action.

Stronger cybersecurity for energy infrastructure will require meeting facility-level challenges. Most work sites include equipment made by many manufacturers, using different machine languages, integrated without regard for security as a design constraint. Until recently, monitoring the resulting immense, heterogeneous data flows for cyber threats was cost-prohibitive. Yet even for leaders with a cost-avoidance mindset, cost-benefit ratios are beginning to shift. Against a backdrop of more severe, more frequent attacks, monitoring capability is rising and costs are falling. AI and machine learning provide fast, accurate, flexible processing for large datasets. Monitoring production for anomalies has an additional benefit as well: Sometimes it reveals new efficiencies and preventive maintenance needs.

Competition for low-emissions energy systems will reward companies that leverage AI-enabled monitoring for security and other useful insights. Resilient, hardened infrastructure will see fewer outages and more precise recovery when breaches occur. Reputations — and future fortunes — will be built and broken by cybersecurity or its absence.

Cyber threats aren't going away. In the new normal of a heightened threat environment, companies need cybersecurity not just to withstand attacks, but to build the trust they need to thrive.

About the Author(s)

Leo Simonovich

VP & Global Head, Industrial Cyber and Digital Security, Siemens Energy

Leo Simonovich is responsible for setting the strategic direction for Siemens' industrial cybersecurity business worldwide. He identifies emerging market trends, works with customers and Siemens businesses to provide best-in-class cyber offers, and contributes to the company's thought leadership on the topic. He is particularly focused on solving the cybersecurity challenge in the oil and gas and power sectors by bringing unique solutions to customers looking to address a growing and costly operational security risk.
Previously, Leo led the cyber risk analytics practice area at the management consulting firm Booz Allen Hamilton. He refined his expertise through his work with large government and commercial customers to improve their cyber risk posture. While at Booz Allen, Leo created an industry-recognized methodology to evaluate the financial benefits of investment in cybersecurity.
Leo holds both a Master's in Global Finance and an MBA from the University of Denver.

Daniel Dobrygowski

Head of Governance and Trust, World Economic Forum

Daniel Dobrygowski is the Head of Governance and Trust for the World Economic Forum's Centre for Cybersecurity. An attorney and educator with two decades of experience at the intersection of technology, law, and policy, he oversees the Forum's work relating to technology risk, corporate governance, and digital trust. One of the founders of the Forum’s Centre for Cybersecurity, Daniel has led efforts to understand and shape global technology and cybersecurity norms, law, regulation, and standards. He also serves on the New York Cyber Task Force (convened by Columbia University) and on the board of Karhana Global, a technology education organization. Daniel has been recognized by the National Association of Corporate Directors in its NACD Directorship 100 as one of the most influential leaders in the corporate governance community.

Daniel holds an MPA from Harvard University’s Kennedy School of Government; a JD from the University of California, Berkeley, School of Law, where he was an editor of the Berkeley Technology Law Journal; and a BA from the Johns Hopkins University.
