Cybersecurity in the energy industry: Why working together across the value chain is vital for resilience

Nov 1, 2022

Every link in the chain is important when it comes to cybersecurity. Image: Unsplash/Matthew Henry

Rosa Kariger

Global Security Governance & Intelligence, Iberdrola

Christophe Blassiau

Senior Vice-President, Cybersecurity and Global CISO, Schneider-Electric

Our Impact

What's the World Economic Forum doing to accelerate action on Energy Transition?

The Big Picture

Explore and monitor how Energy Transition is affecting economies, industries and global issues

A hand holding a looking glass by a lake

Crowdsource Innovation

Get involved with our crowdsourced digital platform to deliver impact at scale

Stay up to date:

Energy Transition

This article is part of:

Listen to the article

The energy sector has been facing increasing cyber attacks with significant impacts, including a halting of supplies.
Hitting the industry's value chain with a cyber attack can disrupt supplies, cripple an economy and even destabilize national security.
Companies need to work with others across the value chain to improve cybersecurity and mitigate risk across the industry.

The energy and utility industry has faced more organized cyber attacks with widely reported ramifications. Supply chain attacks are now more visible in number and impact.

In 2021 alone, SolarWinds, as a single attack, impacted thousands of top companies and government agencies worldwide. Meanwhile, the Colonial Pipeline attack crippled the energy supply to millions of citizens for a few days, cost millions to contain and recover, and caused long-term brand damage.

With the knowledge that during 66% of the incidents, attackers focused on the suppliers’ code to further compromise targeted customers and that an entire value chain can be brought to its knees due to a single organization’s weakness or vulnerability, the questions you need to ask are:

How can you trust your suppliers when you don’t know what could lurk in their environments?
How can you build trust with your customers who are blind to your digital landscape?

No organisation can go alone in our interconnected world, and trust is necessary. It is also a dilemma as trust itself can become a vulnerability if it is not thoughtful, reciprocal and verifiable on evidence.

Practically, every government agency, non-profit organization, global conglomerate and small and medium-sized business relies digitally on a supplier or partner to operate. Each has no choice but to overcome the asymmetry of information.

Still, when ones operate an “enabling function” that is integral to growth and production across a nation, it has to guarantee trust through action all along the value chain.

Build trustworthy discussions with suppliers

Operating in multiple locations, sourcing goods from five continents, outsourcing services and managing thousands of unique suppliers is a reality for companies from the energy sector.

On top of that, the energy sector relies heavily on data that help create a reliable and flexible energy infrastructure. The supporting technologies usually come from third parties. This increases the complexity and the risk over their landscape.

Have you read?

It is even more complicated when we know that 65% of organizations have not identified the third parties whose compromise could impact their most critical functions.

To take a risk-informed approach, companies should build “third-party security principles” that govern how they engage suppliers on a common cybersecurity posture so that security and privacy are embedded in the procurement process and supplier life cycle. These could include:

Cybersecurity as a criterion of the supplier’s selection process, performed via shared-assessment platforms, classical questionnaires, scoring platforms assessments and so on.
Once the collaboration with the third party has begun, during the contract period and on a contract renewal, the company should create opportunities to perform continuous assessments of the supplier cybersecurity position – for example, through scoring platforms – and, if necessary, update the contractual requirements.
A risk-based approach in assessing third parties to ensure an accurate appreciation of risk and require an appropriate set of controls based upon this level of risk.
A source code policy and secure-by-design development approach that emphasises security, quality and trust in products and systems.

Guiding principles must govern third-party security to mitigate the risk stemming from suppliers but also create transparent conversations on security.

Demonstrate that cybersecurity is a top priority

In a complex value chain, energy companies are the supplier of a customer or a user. Hence, each must certify that security is an upmost priority and reality for the company.

Markers of trust should thus be the backbone of a cyber strategy which guide the design and delivery process security, as outlined below.

Key elements of a successful cybersecurity strategy Image: Rosa Kariger and Christophe Blassiau

From the most basic up to the most tangible evidence, each marker raises the level of confidence and allows trustworthy discussions when engaging with clients and authorities.

Earn customers trust through all interactions

Each interaction with a customer counts, and this is critical that cybersecurity is part of the discussion from sales up to the chief information security officer (CISO) level.

Customers must have the assurance that the highest security standards are met when visiting their site, submitting cyber questionnaires and being informed of vulnerabilities. Here's how you can do that:

First of all, customer-facing populations such as sales, project managers, commissioners and field services representatives must be able to meet customer demands and expectations, while evolving in diverse and sensitive information technology and operational technology environments. A robust mix of soft, like training and awareness, and hard, technical, controls should ensure that they and their devices will not become the vector of a cybersecurity incident or attack and that all cybersecurity incidents are detected and reported in accordance with strict standards, policies and procedures. This initiative should be formalized in official recognition and public commitment, such as a “cyber badge”.
Secondly, customers have their own expectations of cybersecurity and must be informed on how this is managed in the organization they are dealing with. Therefore, these queries must get addressed in a timely, unified and professional manner across the regions and businesses of a single company.
Finally, companies must monitor their products’ vulnerabilities throughout their entire lifecycle and align with the latest standards and regulations to guarantee the right level of security. To do so, building a vulnerability-handling process based on compliance, business and safety risks to prioritize and remediate the vulnerabilities in a timely manner is critical. To go even further, they can communicate with researchers and customers through a support portal to be reached directly to ensure both collaboration and transparency.

Secure value chain vital for energy sector resilience

The energy sector is the cornerstone of our economies: all our daily operations depend on the development and transport of energy. Hitting its value chain with a cyber attack is a concrete way to cripple an economy and destabilize national security.

Discover

How is the Forum tackling global cybersecurity challenges?

The World Economic Forum's Centre for Cybersecurity at the forefront of addressing global cybersecurity challenges and making the digital world safer for everyone.

Our goal is to enable secure and resilient digital and technological advancements for both individuals and organizations. As an independent and impartial platform, the Centre brings together a diverse range of experts from public and private sectors. We focus on elevating cybersecurity as a key strategic priority and drive collaborative initiatives worldwide to respond effectively to the most pressing security threats in the digital realm.

Learn more about our impact:

Cybersecurity training: In collaboration with Salesforce, Fortinet and the Global Cyber Alliance, we are providing free training to the next generation of cybersecurity experts. To date, we have trained more than 122,000 people worldwide.
Cyber resilience: Working with more than 170 partners, our centre is playing a pivotal role in enhancing cyber resilience across multiple industries: oil and gas, electricity, manufacturing and aviation.

Want to know more about our centre’s impact or get involved? Contact us.

In an uncertain environment and dynamic cyber threat landscape where energy sector is a target for adversaries, building trust within the value chain is a must.

We will collectively mitigate systemic risks and achieve greater resilience if global leaders collaborate and engage personal based on shared understanding.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.