Overcoming Security Risks in the Energy Industry with Microsoft

Sally Eaves 12/03/2023

With greater digitalisation comes expanded opportunities but also the need for superior cyber security protection – never has that imperative been more apparent than in the energy sector today.

And we are seeing an acceleration in the convergence of IT, IoT and OT too, with traditional energy technologies now increasingly connecting to intelligent digital technologies, applications and networks. Indeed, IDC estimates there will be 55.7 Billion connected IoT devices by 2025, generating almost 80B Zettabytes of data - a growth rate higher than for traditional IT equipment. But whilst this acceleration and convergence bring advances in areas such as efficiency, experience, reliability, sustainability and ultimately service innovation, these may be constrained by the acceleration in data and technology risk, especially with expanded threat surfaces resulting in more endpoints susceptible to attack.

As described by the European Commission, this necessitates the preservation of ‘high privacy, security, safety and ethical standards, particularly for cyber security matters’. Let’s now explore the key vectors of change and accelerated risk in this area – alongside the support available to help negate it, enriched by discussions with Jose Razo, Senior Tech Specialist at Microsoft, which can be listened to in full in our podcast special, available now here.

Threats in Context

We are living in the first truly global energy crisis with vectors of change and poly-risk (WEF 2023) both heightening and converging. Alongside the cost challenges, energy and utilities companies are navigating the increasingly distributed nature of energy resources alongside supply chain fragility, especially with the impact of the war in Ukraine. Indeed, global macroeconomic and political instability is accelerating the risk potential for geopolitical or ecological-based terrorism. Rising consumer consciousness around energy security and sustainability is also affecting expectations and behaviours, meaning, for example, that utilities need to evolve both business models and revenue models. This could range from support for Electric Vehicles (EV) right through to provision of EV charging stations themselves - and of course managing the shift in gears required to embrace renewable energy sources.

Additionally, we see regulatory demands that can be difficult to keep pace with across geographical boundaries, particularly in a sector subject to high scrutiny and standards that extend beyond the generation and transmission of power, right through to the data and communications underpinning daily operations. But whilst I believe we can all agree that energy should be affordable, secure and sustainable, the capacity to actualise these ‘3 Pillars of Energy Security’ is under strong pressure on all fronts. 


The Energy, Power and Digital Transformation Triangle

When it comes to energy, power and digital transformation there remains an intention-to-actualization gap (Eaton 2022) with many organisations still in a nascent adoption or reflection phase, yet to harness the full benefit opportunities. But the trajectory is clear with technology maturity, security and energy efficiency a leading theme at the just concluded MWC23 event in Barcelona. This is one of the most influential cross-industry technology events in the world, showcasing the most significant innovations across 5G Acceleration, OpenNet, Reality+, FinTech and Digital Everything and equally critically, bringing people together and advancing dialogue and action on the SDGs. More personal reflections on this here with Microsoft and others, alongside a useful MOU whitepaper by Vodafone and alliance partners available here – I believe this ecosystem knowledge sharing is absolutely vital.

Supporting these developments and moving to centre stage comes the integration of operational optimization across IT, IoT and Operational Technology (OT) alongside the energy transition to inform and enable digital transformation as a catalyst for shared value – and benefits that scale. A recent Microsoft-sponsored Ponemon Institute study shows that 68% of senior management believe that IT and OT are critical to supporting strategic goals. These can range from enabling efficiency and cost savings for businesses, to contributing to ever more critical Environmental, Social and Governance (ESG) goals - outcomes that are increasingly also a differentiator for business success, driven by the rise of conscious consumerism.

Energy Security Threats – From IT/OT Convergence to ‘Killware’

Exploring IT/OT convergence in more detail, this evolution represents the growing shift from closed proprietary systems to open IP-based IT systems with connection to cloud services, enabling new opportunities as just discussed - but also increasing exposure to expanded risk surface areas and vectors of change too. According to NIST SP 800-82, poorly managed OT/IT integration can lead to a range of significant security compromises, with Microsoft research highlighting exactly this - identifying unpatched, high-severity vulnerabilities in a staggering 75% of the most common industrial controllers in customer OT networks. So with cyber risks to critical infrastructure on the rise and CISOs increasingly tasked with securing both their OT and their IT environments, it is important to highlight the distinct differences between them.

Unlike IT systems, updates to OT systems are typically far less regular, as they cause downtime across an entire production line – and with equipment and means of production typically expected to last several decades, rapid change is often complex and difficult. Exploring the history highlights this – indeed until 2010 OT system security was not top of mind for most. That is, until the arrival of Stuxnet! Known as the world’s ‘first digital weapon’, this remained undetected until it achieved its purpose and in so doing destroyed 1000 nuclear centrifuges in Iran, reducing enrichment efficiency by some 30%. This was a cyber weapon built by design and serves to foreground how a major vulnerability of IT/OT is that they can frequently be made to malfunction - and without immediate detection.

Today leading challenges centre on training, skills and alignment, process convergence, IoT secure implementation, system integration and visibility, tool sprawl, and complexity – especially integration with external environments. Perhaps then it is no surprise that the energy sector now accounts for 16% of all detected cyberattacks today - a trajectory that is only poised to accelerate post-pandemic. Collectively, the energy sector is now the third most targeted industry by cybercriminals. Putting this into context with an example, Microsoft helped reveal how hackers targeted energy organisations by exploiting a vulnerable component in a Boa web server that had been discontinued since 2005 but was still being used by a range of IoT devices, from cameras through to routers.

Another area of rising significance is ‘killware’, where the cyber threat goes beyond causing disruption and loss that is financial or reputational, as with its malware cousin, to actual real-world physical harm or even worse. And this extends to critical infrastructure operations with direct physical damage, for example manipulating vital operational equipment such as pumps, valves and turbines, and potentially risk to utilities staff too. So with situations where bad actor risk and digital transformation acceleration outpace cybersecurity strategies and investment now worryingly all too common – how can we better negate this escalation in the scope, scale and sophistication of threats?

Addressing Energy Security Needs

A recent study of cyber resilience in the energy and utilities sector by Trellix found that just 29% of organisations surveyed had a modern zero-trust architecture, with only 37% having fully deployed multi-factor authentication. This is even more critical when we consider that some 98% of cybersecurity threats, irrespective of sector, can be largely negated through the application of basic cyber hygiene standards. And again this capacity to do more with less and have the agency to make a difference - ‘by getting your cyber foundations right’ - came across in my conversation with Jose Razo, Senior Tech Specialist at Microsoft, available here. I also especially appreciate how Jose draws attention to other areas of cyber optimism too. Taking the malware insights from Microsoft’s latest Digital Defense report as one example, 90% of the bulk of attacks being experienced originate from two types, therefore making it easier to tailor a highly effective mitigation strategy:

‘That gives me a little hope…. if we have that type of data, for me, it's easier to say, hey, let's understand what these two pieces of malware do. Let's figure out how we can mitigate that. And we can really focus our attention on a smaller piece instead of trying to prevent a variety of malware that's going to consistently be changing over time’

Jose Razo, Senior Tech Specialist at Microsoft

And with 60% of security leaders reporting that IoT/OT devices are the least secure aspects of their environments, comprehensive security and monitoring of all industrial devices is a modern-day imperative, with recent attacks varying from network devices and surveillance systems, right through to an oil pipeline and water / wastewater treatment facilities. The industry as a whole is also dealing with a concerning rise in purpose-built OT attacks specifically designed to target SCADA and ICS. Technology solutions across endpoint detection and response, extended detection and response, multifactor authentication and zero trust architecture can make a huge difference here, but again additional research suggests an actualisation gap, with some 94% of government agencies and critical infrastructure providers around the world reporting challenges in implementation.

Supporting this, the criticality of trusted partnership to navigate the complexity comes centre stage. For guidance specifically tailored to the energy sector in EMEA and across the 4 pillars of digital transformation, innovative coalitions, skills development, sustainability and social impact, Microsoft Energy Core is a recommended resource. This especially focuses on the integrative application of IoT, AI, ML and Cloud technologies, as exemplified by this recent case study example with BP.

In addition, Microsoft Digital Defender for IoT affords comprehensive IoT and ICS/OT security with powerful capabilities to help safeguard critical assets and infrastructure, including context-aware visibility, risk-based security posture management, threat detection with behavioural analytics and unified security with SIEM/SOAR and XDR. And as recognised by Gartner, Mitre, SC Awards, CYBERX and more, this award-winning solution provides specific benefits for Power and Utilities – all the latest information can be freely explored here, with a superb education and SOC demo session highly recommended too – sharing education like this is a critical conduit to negate the bad actors that increasingly come together to share too!

Final Thoughts

The energy crisis we are living through today is the world’s first truly global one – however I also believe it represents a once-in-a-lifetime opportunity to rethink and indeed reimagine energy security and sustainability in a way that ensures an equitable transition is at its epicentre. Technology can play a huge role in making energy systems more intelligent, reliable, connected, efficient and sustainable, but innovation such as the accelerating integration of IoT, IT and OT does come with significant risks too, namely the potential for life, property, financial and environment-compromising cyber-attacks against critical infrastructure. The pervasiveness, vulnerability and cloud connectivity of IT, IoT and Operational Technology devices reflect a rapidly expanding but too often unchecked risk surface affecting not just the energy sector, but also a wider array of industries and organisation types.

Trusted partnership can greatly help, coupled with technological solutions that reduce complexity and threat ‘noise’ whilst increasing visibility, cohesion and ultimately the conversion of data volume to data value, with active threat intelligence made available to the right person or machine agent - at the right time. Putting this into context, I wholeheartedly believe it is time to change the narrative about the cost of security. With a recent ESG study estimating that avoiding a ransomware attack alone can save a company with $1.3 Billion in revenue over $35 Million in three years, surely today we should be talking about the cost of inaction, the cost of insecurity – and especially in such a pivotal sector as energy.

All feedback and follow-on questions are most welcome.

Many thanks, Sally.

About the Author

Prof. Sally Eaves is a highly experienced chief technology officer, professor in advanced technologies, and a Global Strategic Advisor on digital transformation specializing in the application of emergent technologies, notably AI, 5G, Cloud, Cyber Security, and IoT disciplines, for business and IT transformation, alongside social impact at scale, especially from sustainability and DEI perspectives.

An international keynote speaker and author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the "torchbearer for ethical tech", founding Aspirational Futures to enhance inclusion, diversity, equity and belonging in the technology space and beyond. Sally is also the chair for the Global Cyber Trust at GFCYBER.

 

Disclaimer: This article is sponsored by Microsoft. From time to time, Microsoft invites industry thought leaders to share their opinions and insights on current technology trends. The opinions in this post are the author's own and do not necessarily reflect the views of Microsoft & BBN Times.  
