As an industry, energy is a confluence of sub-sectors — power and utilities, oil and gas, natural resources, and chemicals — that are experiencing significant transformations in the way they work and interact with customers and suppliers. Adding to this complexity are the parallel transformations of companies across the industrial spectrum, such as manufacturing, technology and automotive, all of which are dependent on energy.
Energy as a theme has become integrated into the fabric of everything we do as a society today. The sector is adapting to the changing world and reconfiguring its value chain. It’s no longer just about pumping gas at fuel stations or turning the lights on.
Today, the focus is on renewables and clean energy, particularly their integration as energy sources and digitalization to accelerate the transition.
This energy transformation is not a singular phenomenon. Virtually every industry across the global economy is affected, with much changing behind the scenes from both information technology and operational technology perspectives.
Control networks and systems connected to everything from valves on oil rigs to metering devices in power plants are in ‘always on’ mode, which exposes a perpetual security risk and redefines the attack surface across the industry.
This article explores cybersecurity considerations and key actions crucial for the energy and natural resources sector. It provides an overview of the evolving threat landscape and offers key insights for security and business leaders to function effectively in the year ahead.
Consideration 1: Navigate blurring global boundaries
Energy and natural resources companies will likely continue to require a global audience and global footprint to scale their operations, regardless of jurisdiction and where they're based. The big question for security professionals across the sector involves striking the right balance between business enablement and business value while ensuring they stay on the right side of the regulators. It’s a fine line and a clear challenge.
Complexity of jurisdictions – In many cases, countries, territories and jurisdictions have different regulatory frameworks for cybersecurity. While some regulations aim for a more unified approach, such as what the Network and Information Security Directive (NIS2) attempts to do in the European Union (EU), some other areas are more locally focused, leading to diverse interpretations of regulations. This added regulatory complexity challenges organizations in this sector to comply with global or regional standards while also dealing with local requirements.
Grid stability and increased attack surface – As the energy sector becomes more interconnected globally, the attack surface for cyber threats expands. Integrating various systems and networks across borders provides more entry points for cybercriminals, challenging grid stability in an interconnected cross-border energy network.
Cyber extends over boundaries – Cyber threats do not adhere to geopolitical boundaries. A cyberattack originating in one country can easily impact critical infrastructure in another. Coordinating responses and attributing attacks in this environment is complicated.
Legal restrictions in information sharing – While collaboration and information sharing are crucial for effective cybersecurity, regulatory, legal, political and competitive concerns around sharing sensitive information across borders can hinder effective threat intelligence sharing.
Ongoing politicization of business – The energy and natural resources sector is prone to the entanglement of business/economic activities with political interests, agendas and influences. Geopolitical tensions often result in increased cyber threats, especially targeting critical infrastructures. As a critical infrastructure sector, energy is a prime target for rogue and state-sponsored cyberattacks, with potential consequences for both the supply chain and end consumers.
Collaboration – The global nature of the energy sector provides opportunities for joint cybersecurity efforts. Sharing threat intelligence, industry best practices, and lessons learned internationally can enhance companies’ overall security posture.
Standardization – Globalization can drive efforts to establish international standards and best practices for cybersecurity in the energy sector. Normalization of rules and regulations can simplify the implementation of security measures across supply chains and borders.
Innovation – Cross-border cooperation can foster the development of advanced cybersecurity solutions that can potentially benefit the entire industry.
Agility – With global communication networks, incident response teams can work together in real time, enabling faster and more effective responses to cyber threats. This can minimize the impact of attacks on critical infrastructure.
Multinational energy and natural resources companies operate cross-border and must simultaneously manage the challenges of a rapidly globalizing business environment, highly complex regulatory regimes, and an ever-evolving attack surface. Many smaller organizations are less prepared to navigate these challenges effectively, but they can learn from their larger, more mature sector counterparts rather than reinventing the wheel.
Consideration 2: Modernize supply chain security
From new technologies and processes to the possibility that a vendor doesn’t explicitly follow your security protocols, the third-party environment is an ever-fluid threat vector. Depending on the maturity of the vendor, organizations need to do more (institute monthly reviews) or perhaps less (allow more autonomy with quarterly reviews) to help ensure these relationships operate efficiently and adhere to all compliance requirements. Despite the challenges and competing priorities, striving to ensure the supply chain ecosystem is secure should not be a bottleneck; it should be a business enabler.
Supply chain complexity and dependency – The global nature of the energy and natural resources sector involves complex supply chains on which the sector is heavily dependent. This ecosystem of multiple levels of stakeholders, vendors and technology providers makes it nearly impossible to maintain visibility into and control of all parties, substantially increasing the cyber risks.
New versus old technology – Energy companies often rely on a mix of both old and new information technology (IT) and operational technology (OT). Adopting networked technologies adds complexity and introduces new interdependencies and potential vulnerabilities. OT systems generally have a longer lifespan and lifecycle than IT systems, and older technologies often lack adequate security capabilities relative to newer technologies. The bottom line: integrating diverse technological landscapes (i.e., old and new) and the corresponding security measures is challenging — and is further complicated by ongoing digitalization.
The weakest link – Different levels of cybersecurity maturity among operators and suppliers throughout the chain create weak links and the potential for cascading impacts across the supply chain. There is a dependency on the due diligence of third parties — an inadequately secured supply chain partner also degrades your security posture. It can be challenging to keep track of the cybersecurity posture and measures of all the vendors and partners an organization is linked to in the ecosystem.
Digitalization – In an evolving energy market, the transition toward green energy and changing customer demands on suppliers require organizations to digitalize and innovate. At the same time, adopting new technologies raises concerns about their security implications.
Transparency and collaboration – Managing cybersecurity risks associated with third-party vendors, including assessing their security practices, can be challenging, but the interdependency will likely force organizations to seek transparency and collaboration. Transparency of security posture and measures, data breaches and vulnerabilities creates a culture where weaknesses are identified and can be addressed proactively and collectively, making it possible to eliminate weak supply chain links.
Information sharing – Collaborative efforts across the energy sector can also take the form of shared threat intelligence and best practices among stakeholders, which can lead to collective improvements in cyber threat defense.
Visibility and innovation – Integrating new technologies into the supply chain can enhance operational efficiencies but will also enable companies to improve their visibility and monitoring capabilities. This can lead to better incident detection and resilience while mitigating cybersecurity risks, thereby strengthening supply chain security.
Currently, many organizations in the sector are in the early phases of managing cyber risks down to the second tier of the supply chain, but in many cases this process does not continue to the third and fourth tiers. Evolving regulations, such as the EU’s NIS2 Directive, will likely mandate that organizations, as well as third-party suppliers and vendors, take appropriate measures to manage cybersecurity risks to help prevent or minimize the impact of incidents.
Consideration 3: Align cybersecurity with organizational resilience
Energy and natural resources organizations need to continually improve and adapt. Resilience means being better equipped to address an incident quickly, comprehensively, and with minimal or at least controlled business impact. As organizations navigate today’s evolving and volatile cybersecurity landscape, resilience should not be viewed as a series of one-off or intermittent projects. Rather, it should be an adaptive strategy that complements the organization’s cybersecurity agenda, protects customer interests, aligns with business objectives, and focuses on delivering long-term value.
Operational resilience – Organizations in the sector are very familiar with ensuring high levels of operational execution and resilience, since they deliver critical services where any disruption can have a significant impact. Companies must realize that not only is their IT the target of cyberattacks, but also their industrial environments and the enterprise as a whole. Cyber resiliency will require organizations to shift their thinking to activate new capabilities and security measures.
Complexity of industrial environments – Industrial environments such as energy/power, storage and renewables are among the most complex infrastructure types and play an important role as the backbone of societal and economic activity. Lacking full understanding of the functions, interconnectedness and dependencies of all systems can hinder resiliency efforts.
Supply chain resilience – The deep dependence on third-, fourth- and even fifth-party supply chain partners among energy and natural resources companies makes incident recovery and overall resilience particularly difficult.
Threat landscape – The ever-expanding threat landscape requires these organizations to continuously evaluate and update their defense and response plans to ensure they remain effective against changing and advancing threats.
Trust and reputation – Maintaining customer trust is critical for security professionals in the energy sector. Cyber incidents not only disrupt operations but also erode customer confidence. Managing the impact on customer trust and reputation requires a proactive and transparent approach to cybersecurity.
Perspective – Resilience involves a more comprehensive understanding and management of risks, including not only cybersecurity threats but also other factors that could disrupt operations. This holistic approach helps organizations adopt a different way of thinking and identify a broader range of risks.
Adaptability – Being adaptable and responsive to changes in the threat landscape, advances in technology and developments in the business environment is the hallmark of resilience. It positions energy companies to stay ahead of emerging challenges and to quickly adjust and adopt new cybersecurity and operational strategies and capabilities, such as improved detection and monitoring.
Collaboration – Resilience initiatives often involve collaboration with partners in other industries. Establishing strong partnerships and sharing information across sectors enhances collective preparedness and response capabilities.
Compliance – A resilience-focused approach not only helps organizations meet cybersecurity regulations but also positions them to address broader compliance requirements related to business continuity, disaster recovery and overall risk management.
With ongoing global instability, critical infrastructure will remain a popular target. The energy sector has historical experience in operational resilience, but leadership must shift thinking toward holistic resilience, including cybersecurity.
Real-world cybersecurity in energy
The energy sector, in general, has been a frequent target of cyberattacks because of its criticality and connections to other industries.
For example, a recent attack on a pipeline caused significant disruption across multiple industries, resulting in shortages, price increases and supply chain disruptions. The attack also led to operational shutdowns and service interruptions in other industries that rely on the affected infrastructure, such as the airline sector because a significant portion of jet fuel was supplied by the pipeline.
The incident highlighted the vulnerability of critical infrastructure and raised concerns about the overall resilience of the energy sector. As a result, many companies were pressured to increase their cybersecurity investments and ramp up vulnerability assessments and penetration tests to identify weaknesses and patch any security gaps.
Many critical infrastructure companies have also established or strengthened Security Operations Centers (SOCs) and Cybersecurity Incident Response Teams (CIRTs) to monitor and respond to potential security incidents, minimize damage and restore operations promptly.
Energy and natural resources companies are encouraged to take a multi-layered approach to managing cybersecurity, combining technology, training, response capabilities, information sharing and resiliency plans.
While writing these cyber considerations, it became clear that AI is emerging earlier and more heavily than anticipated. This technology presents both opportunities and threats for the energy and natural resources sector, which will be explored in greater detail in a separate article.
Top priorities for security professionals
- Ensure strong cyber governance and risk management.
- Maintain an asset inventory and management program covering both IT and OT, to monitor, control and secure critical assets.
- Build cyber resilience: document, train, prepare, evaluate, continuously improve.
- Implement a supply chain/third-party risk management program.
- Welcome innovation, and test and adopt new technologies where appropriate.
- Use regulatory requirements as an opportunity to improve cybersecurity.
- Think differently; be open to new ideas, strategies, and operational tactics.
How this connects to what KPMG professionals do
In addition to assessing your cybersecurity program and ensuring it aligns with your business priorities, KPMG professionals can help energy and natural resources companies develop advanced digital solutions, advise on the implementation and monitoring of ongoing risks and help design the appropriate response to cyber incidents.
KPMG professionals are adept at applying cutting-edge thinking to this sector’s most pressing cybersecurity needs and developing custom strategies that are fit for purpose. With secure and trusted technology, KPMG professionals offer a broad array of solutions, including cyber cloud assessments, privacy automation, third-party security optimization, AI security, and managed detection and response.