Until recently, discussions about “energy security” were dominated by topics like domestic fuel production and electricity generation, or risks associated with import dependence.
Today, a new energy-related security concern is dominating boardroom discussions. Due to increasingly connected infrastructures and industrial control systems ─ intelligent pipelines, smart grids, digital plants and smart oilfields, it is the risk of increased cyber threats.
While cyber-attacks are nothing new, the scale of their impact has significantly multiplied given the proliferation of connected devices and systems that share data, as well as malware specifically designed to target physical assets through these industrial control systems. For example, think about the consequences of cyber-hackers taking control of a portion of a city’s electric grid, as we saw happen in Ukraine in December. Or hacking into an interstate pipeline distributing oil or gas across a long-haul network, traversing thousands of miles and even borders.
The benefits of digital transformation of industries are undisputed. In fact, new research from Accenture Strategy, launched ahead of the World Economic Forum in Davos last month, found that by optimizing the use of digital skills and technologies we could generate $2 trillion of additional global economic output by 2020.
Digital solutions like the Intelligent Pipeline Solution from GE and Accenture enable pipeline operators to remotely monitor vast networks of assets in real-time and make better and more-informed decisions about pipeline safety and integrity.
Digitally enabled grids are critical to improving our energy efficiency, the reliability of our energy supply and the operations of our grids, which need to cope with the integration of a rising volume of intermittent renewables and distributed power sources into their networks.
A significant majority of oil and gas executives surveyed by Accenture and Microsoft last year said that investing in digital technologies, even in a low oil price environment, will boost value. But they also said that some of the biggest barriers to realizing that value were concerns over physical and cybersecurity.
Additionally, more than half of utilities executives surveyed as part of the Accenture Technology Vision 2016, reported that compared to two years ago, their organization has suffered from twice as many privacy or security breaches. Nearly four out of five agreed that they are exposed to more risks than they are equipped to handle as a digital business.
Against this backdrop, the critical point is to ensure that the benefits of digitally enabled operations are not outweighed by the increased cyber physical risks.
Connected technologies offer an abundance of opportunities for more efficient processes and innovation, as well as operational flexibility. The counterpart is that all businesses have to invest in robust security solutions to support their digital transformation strategies. The same abundance of technology allows hackers to have an increased landscape of technology devices that can be compromised and used to negatively impact an organization.
If we identify the types of attacks that create risks to an organization, there are two. First, there’s the continued risk to the IT systems that support the enterprise functions of a company. Second, we have the risk to the operational technology (OT) assets and industrial control systems. Of course, the increasing convergence of IT and OT also means that these threats are becoming one and the same.
So, how can companies capitalize on the vast opportunity of digital in a safe and secure way?
The models used by organizations with the most effective cyber defense share a number of common attributes. They:
- Start with a big-picture strategy of how security efforts support business performance, balancing cost of security with the actual impact it may have to the business;
- Establish effective communication channels and relationships with IT, the business (OT) and outside service providers;
- Clearly define roles and responsibilities for the teams that manage the cyber defense and incident response, including how they need to work together in the face of a breach;
- Conduct robust security operations monitoring threat intelligence, technical intelligence and vulnerability management as an integrated continuous process, and;
- Enhance and train your incident response and recovery teams.
Proactive organizations also include security analytics and advanced defense measures. Finally, they address governance and decision-making issues, staffing and skills requirements - in particular hybrid skills that are a combination of IT and OT, and ways to measure success on a comprehensive basis.
We are now seeing leading energy companies engage in the convergence of IT and OT cyber planning. In fact, leveraging our recent acquisition of Cimation, an Industrial Internet of Things (IIoT) consulting company focused on process automation, IT and industrial control system cyber security, we are working with one global energy company to design, test and implement security measures across its industrial control systems and IT infrastructure, to enable a more enterprise-wide understanding of cyber threats and how to combat them. This entails implementation of both technical and procedural controls, as well as changing people mindset and awareness in the OT domain in relation to cyber threats and their impact on operations.
A solid cyber defense posture requires every employee to be responsible for security. This means forming stronger partnerships among the organization’s business stakeholders, its risk managers and the security team.
Digital technologies should be at the center of any energy-related cyber security discussion. They provide the visibility and control to make industrial systems more resilient in the face of these increasing risks.
And just as technology continues to evolve, so does the sophistication of the hackers, and organizations need to constantly test and improve their defenses. When it comes to energy cyber security, you are never done.
Jean-Marc Ollagnier is Group Chief Executive of Accenture’s Resources industry group.
