Security across energy, natural resources, and chemicals (ENRC) companies worldwide is being reshaped by an array of factors, including the expanding role of the Chief Information Security Officer (CISO), the influx of smart/IoT devices, and the imperative to build a resilient culture and network environment, to name just a few.

In this complex and interconnected environment, many CISOs within this broad sector are facing unprecedented challenges and opportunities as they seek to spur their workforce to an ever-greater level of digital awareness. To do so, they must assume the role of cyber evangelist, motivating and inspiring the organisation, at every level, to move from acknowledgement to action.

Safeguarding the tech stack

The CISO’s role in the ENRC sector is no longer confined to the traditional scope of IT security. Indeed, according to KPMG research, 70 percent of ENRC CEOs agree that cybercrime and cyber insecurity will impact organisational prosperity over the next three years.1 With IT and operational technology (OT) converging, CISOs are now tasked with safeguarding the entire technology ecosystem, from the boardroom to the production floor.

This expanded responsibility demands a new set of skills. CISOs must effectively communicate the business impact of cybersecurity to senior leadership, secure adequate budgets, and drive a culture of resilience throughout the organisation. There are signs of positive change in how cybersecurity is becoming more embedded across organisations.

In fact, KPMG research has found that, in 59 percent of ENRC organisations, cybersecurity is typically involved from the earliest planning stages of the decision-making process for technology investment and has a high influence.2

Cyber security in the energy industry

Sector-specific challenges add to the complexity of the CISO agenda. The ENRC sector is subject to several intricate regulatory requirements around technology, cyber security and the environment, such as the EU NIS2 Directive, the NERC CIP standards and the EU AI Act.

Clearly, CISOs must deliver on compliance while also dealing with the specter of geopolitical challenges and growing cyber-attacks, which can have devastating consequences for the organisation, its stakeholders, and the broader society.

In fact, in April 2024, the North American Electric Reliability Corporation (NERC) said the number of susceptible points on the US power grid was growing by about 60 per day.3

In Europe, Denmark’s critical infrastructure experienced the largest cyber attack in its history in May 2023, as 22 companies were breached in a matter of days. Some were forced to enter island mode operation by completely disconnecting from the internet.4

To thrive in this environment, CISOs must embrace a proactive and strategic mindset. They need to push ownership of vulnerability remediation back to the business and lead with a risk-based approach, prioritising vulnerabilities by their potential organisational impact rather than by raw count or severity score alone.

Beyond strategic leadership, a CISO also plays an important role in breaking down the traditional silos between IT and OT, ensuring these teams work together closely to build enduring resilience.

This report explores cybersecurity considerations for the ENRC sector with insights and actionable recommendations. Although not exhaustive, it covers a range of topics that we believe CISOs in the ENRC sector should prioritise in the current environment.

The ever-evolving role of the CISO

Given the heightened regulatory scrutiny and the strategic importance of cybersecurity, CISOs face increased accountability and, in some cases, personal liability risks. There is more pressure than ever to deliver on strong cybersecurity outcomes in organisations.

At the same time, traditional CISO functions have become increasingly dispersed. Various aspects of security and privacy now fall under the purview of other business leaders, such as the Chief Security Officer (CSO) for physical security and fraud, IT infrastructure for perimeter security and identity and access management (IAM), and the Chief Data Officer (CDO) for privacy.

With this, the role of the CISO is poised for a profound shift. CISOs must adapt to this new reality by establishing their scope, partnering with other business leaders, and championing a culture of shared accountability. Growing support from organisational leadership for ongoing cybersecurity investment is helpful in this regard.

To that end, KPMG research has found that 72 percent of CEOs at ENRC firms said they have increased their investment in cyber security to protect operations and intellectual property.5

Ultimately, CISOs need to transition from being the sole guardian of cyber security to becoming the architect of a resilient and agile security framework.

Key challenges

CISOs in the ENRC sector are facing the consequences of new and uniquely challenging realities, such as the climate crisis and the resulting pressure to improve sustainability and ESG performance, while working with rapidly evolving technology.

Moreover, geopolitical tensions, such as the ongoing conflicts in the Middle East and Ukraine, continue to impact supply chains and increase the regulatory burden. Indeed, according to KPMG research, supply chain risk is the joint top threat among CEOs.

What’s more, KPMG research suggests “tectonic shifts in power, economic centers and trade, along with multiple threats to supply chains, assets and infrastructure” are highly impacting ENRC organisations.

Highly experienced security professionals with a broader range of skills beyond the merely technical are required to manage this dynamic risk landscape.

CISOs must bridge the gap between the C-suite and technical teams by framing cyber risks as business risks. Strategic thinking, negotiation skills, and strong leadership are key enablers here.

With sector-specific challenges such as balancing operational continuity with data and information protection, securing the trust of the board is crucial. Operational continuity typically benefits when cyber measures, such as regular patching and appropriate controls, are well-planned and efficiently implemented.

Linking security investments to measurable outcomes helps the board see how spending translates into better security and business risk mitigation.

CISOs face intense scrutiny from regulators to ensure their cybersecurity programs are effective and resilient. Although individual legal liability varies by jurisdiction, there is increasing top-down pressure as regulations (notably the U.S. SEC's rules on cybersecurity risk management, strategy, governance and incident disclosure, which took effect in late 2023) hold boards accountable for overseeing cyber risk and for disclosing material incidents.8

The convergence of IT and OT blurs traditional role boundaries, requiring CISOs to have both technical and strategic expertise. A clear delineation of responsibilities between operations and security teams is crucial to avoid gaps and to ensure digitalisation strategies are secure from the outset.

Key opportunities

CISOs can position themselves as strategic partners with crucial board access and influence on business goals. Since CISOs are usually not board members, clear and direct reporting lines to C-Suite executives can enable regular communication with the board.

Encouraging collaboration between security and operational teams allows the CISO to take a leading role. Integrating domains like physical security, compliance, privacy, and operations creates a holistic approach to risk management. This alignment supports business objectives and enhances resilience by bridging technical and operational gaps.

CISOs in the energy sector must balance the urgent need for sustainability transitions with the need to safeguard critical infrastructure. This is particularly crucial as many continue to explore solutions such as AI-powered predictive maintenance, advanced energy storage solutions, and smart grids.

Integrating these technologies incrementally alongside legacy systems, rather than in a single cut-over, can help ensure both short- and long-term operational continuity.

As these AI-driven applications proliferate, CISOs must carefully weigh the advantages of innovation against potential security risks. Aligning the adoption of emerging technologies with business objectives, and using data-driven assessments to quantify threats and justify investments, helps secure stakeholder buy-in and ensures the sustainability of the cybersecurity program.

Real-world cybersecurity in ENRC

Proactively identifying risks and developing the capability to recover rapidly from significant cyber incidents remains an area of focus for CISOs in the sector.

Challenge

A KPMG firm was tasked with enhancing a client's capability to recover from a worst-case cyber scenario and developing a tool to help them re-evaluate their most business-critical applications.

The primary objective was to provide the client, an energy distributor, with an extensive playbook featuring detailed processes, procedures, and step-by-step instructions to follow in the event of a complete loss of IT capability.

Additionally, the client needed a method for identifying their most critical business processes.

Response

Collaborating with key global business stakeholders, the KPMG team worked to gain a deep understanding of the client's existing internal recovery processes.

Leveraging KPMG's industry knowledge and experience, the team meticulously populated the playbook with actionable steps for the client to recover their IT systems from zero.

Furthermore, KPMG designed and developed a tool that enabled the client to reclassify their business-critical applications. Over time, the criteria for identifying these applications had become outdated, leading to the misclassification of several non-critical applications as business critical.

The tool assessed various types of data collected in business impact analyses (BIAs) and allowed the client to re-order the criticality of their applications.
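As an added illustration of the kind of reclassification described above (this is not the tool KPMG built, whose criteria the report does not describe), the following Python sketch scores BIA fields against explicit, reviewable criteria, derives a tier from the score, and flags applications whose recorded tier no longer matches. The field names, thresholds, weights and the sample applications are all assumptions constructed for the example; the point it demonstrates is that writing the criteria down as code makes drift visible and makes a criteria change a reviewable diff rather than a spreadsheet edit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BiaRecord:
    """One application's business impact analysis data (assumed field set)."""
    name: str
    legacy_tier: int       # tier recorded under the old, undocumented criteria
    rto_hours: float       # recovery time objective: tolerable outage duration
    rpo_hours: float       # recovery point objective: tolerable data-loss window
    loss_per_hour: float   # estimated financial impact of an outage per hour
    regulatory: bool       # an outage breaches a legal or regulatory obligation
    dependents: int        # other in-scope applications that depend on this one


def criticality_score(r: BiaRecord) -> int:
    """Points per criterion (assumed weights). Tighter RTO/RPO, higher loss,
    regulatory exposure and more dependents all raise the score."""
    score = 0
    if r.rto_hours <= 4:
        score += 40
    elif r.rto_hours <= 24:
        score += 25
    elif r.rto_hours <= 72:
        score += 10
    if r.rpo_hours <= 1:
        score += 20
    elif r.rpo_hours <= 24:
        score += 10
    if r.loss_per_hour >= 100_000:
        score += 20
    elif r.loss_per_hour >= 10_000:
        score += 10
    if r.regulatory:
        score += 15
    # Cap the dependency contribution so one hub application cannot dominate.
    score += min(r.dependents, 5) * 3
    return score


def tier_for(score: int) -> int:
    """Map a score to a criticality tier (1 = most critical); assumed cut-offs."""
    if score >= 70:
        return 1
    if score >= 45:
        return 2
    if score >= 25:
        return 3
    return 4


def reclassify(records):
    """Return (name, legacy_tier, score, new_tier) rows, most critical first."""
    rows = [(r.name, r.legacy_tier, criticality_score(r), tier_for(criticality_score(r)))
            for r in records]
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows


def misclassified(records):
    """Names of applications whose recorded tier differs from the derived tier."""
    return [name for name, legacy, _, new in reclassify(records) if legacy != new]


# Constructed sample BIA data for an imaginary energy distributor.
SAMPLE = [
    BiaRecord("SCADA historian gateway", 1, 2, 0.5, 250_000, True, 6),
    BiaRecord("Outage management system", 1, 4, 1, 150_000, True, 3),
    BiaRecord("Meter data management", 3, 24, 24, 50_000, True, 2),
    BiaRecord("Customer billing portal", 2, 24, 1, 5_000, False, 1),
    BiaRecord("Contractor timesheets", 1, 72, 24, 2_000, False, 1),
    BiaRecord("Intranet newsletter CMS", 1, 168, 72, 0, False, 0),
]

if __name__ == "__main__":
    for name, legacy, score, new in reclassify(SAMPLE):
        flag = "  <-- tier changed" if legacy != new else ""
        print(f"{name:28} legacy tier {legacy}  score {score:3}  new tier {new}{flag}")
```

Run as a script it prints the ranked list; the three applications tagged tier 1 or 3 under the old criteria that land elsewhere are exactly the "misclassified as business critical" cases the engagement set out to find. In practice the weights would be agreed with the business owners and reviewed on a fixed cadence so they do not drift again.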

Benefit

Through this engagement the client was able to implement processes aimed at reducing downtime and business loss in the event of a total IT capability loss.

Additionally, the client gained a clearer understanding of the criticality of their business applications and processes, ensuring better preparedness and resilience against cyber threats.

Lessons learned

Given the extensive supply chains and interconnected IT and OT systems, security needs to remain top of mind. Rapid technology adoption without the right guardrails can increase vulnerabilities, making organisations targets for cyberattacks.

However, ENRC organisations are clearly becoming better prepared. They are using AI and machine learning for predictive maintenance and threat detection, blockchain for secure transactions, high-performance computing and IoT for real-time monitoring, and secure-by-design principles for increased security.

Additionally, cloud security solutions and centralised cybersecurity governance can help manage and secure data effectively.

Top priorities for ENRC professionals

  • Clarifying and strengthening cybersecurity governance when it comes to roles and responsibilities, mandates, and domains.
  • Breaking down the silos between IT, security (physical and cyber) and OT teams to understand the complete threat landscape, organisational environments and supply chain, and to coordinate emergency/incident response capabilities.
  • Establishing a broad risk management framework for IT and OT that treats cybersecurity as a business risk.
  • Implementing business continuity and disaster recovery (BCDR) strategies that account for both cybersecurity and physical risks, and testing and exercising these strategies thoroughly with realistic scenarios.
  • Reviewing insurance policies in relation to third-party outages to determine whether financial impact can be reduced through business interruption coverage.

How KPMG professionals can help

Our team of experienced professionals is well-equipped to assist CISOs in the ENRC sector as they navigate the complex challenges of the evolving threat landscape. Our deep industry knowledge, combined with our expertise in cybersecurity, enables us to provide tailored approaches that align with your organisation's unique business priorities and risk profile.

We work closely with CISOs to develop wide-ranging strategies that address the full spectrum of cybersecurity needs, from IT/OT convergence and regulatory compliance to vulnerability management and incident response.

Our advanced methodologies and cutting-edge tools enable us to assess your current cybersecurity posture, identify gaps and vulnerabilities, and develop custom solutions that enhance your resilience and adaptability.

At KPMG, we are committed to being your trusted adviser in cybersecurity. We aim to empower you with a strategic approach that drives business value and secures a competitive advantage.
