Q&A with Expleo’s Global Head of Energy and Utilities

Stephen Magennis, Global Head of Energy and Utilities at Expleo, sits down with Energy Digital to discuss proactive cybersecurity in the energy industry

Cybersecurity is a concern for every industry, and energy and utilities is no exception. Threats are becoming more assertive, intelligent and effective, so action must be taken to prevent cyberattacks and data breaches wherever possible.

Research by global technology services provider Expleo indicates that the energy and utilities sector is already in a state of heightened alert. Its report finds that 65% of energy and utilities respondents expect their organisation to be the victim of a cyberattack or data breach in the next year, higher than the average of 52% across all sectors polled in the company’s Business Transformation Index.


So what can be done to address the concerns and face growing and emerging threats?

Stephen Magennis, Global Head of Energy and Utilities at Expleo, sits down with Energy Digital and shares how the sector can develop a proactive cybersecurity strategy and what the energy and utilities industry can learn from other sectors facing similar challenges.

Q. In light of the increasing cyber threats faced by the energy and utilities sector, what specific proactive measures can companies implement to bolster their cybersecurity defences effectively?

With the UK’s Technology Minister calling on companies to step up their cybersecurity protection and Prime Minister Rishi Sunak discussing the need for the UK to protect itself from increasingly assertive risks — now is the time for industry to take stock.

In a highly regulated industry, with assets that are considered part of the critical national infrastructure, requirements around cybersecurity are far higher than in others. In the water sector, for example, due to the risk of incidents affecting the security of supply, there is a requirement to demonstrate compliance with the NIS regulations and the government’s national cyber security strategy when connecting remote field assets like SCADA and telemetry systems.

65% of Energy and Utilities Respondents Expect their Organisation to be the Victim of a Cyberattack or Data Breach in the Next Year. Credit: Expleo

It's an easy one to overlook, but the first step in bolstering defences is to ensure baseline hygiene features are in place at all levels. This means minimum core security measures including multi-factor authentication (MFA), making strong passwords compulsory for all accounts as well as putting perimeter firewalls in place and running regular software scans to identify and patch any vulnerabilities. 

In addition to these baseline measures, it can help to segment networks to limit the impact of any breach, to encrypt all sensitive data and to implement intrusion detection and prevention systems (IDS/IPS).

Once the basics are in place, attention turns to tackling the main point of failure in any cybersecurity defence strategy, regardless of sector — that of human error. An organisation is only as strong as its weakest link, so it pays to strengthen defences with rigorous and regular training programmes for all employees.

Then we’ve got the emerging and growing threat of social engineering combined with AI, which allows cybercriminals to launch ever more complex and convincing attacks. Over the coming years, we’re likely to see pretexting and multichannel tactics resulting in even more realistic and dangerous cyberattacks, so giving employees up-to-date, real-life scenarios to consider alongside regular testing can drive home the importance of maintaining cyber secure practices.

Many in energy and utilities can also benefit from putting regular network monitoring in place, underpinned by Zero Trust architecture, which replaces implied trust with validation at each stage of the digital interaction to eliminate lateral movement once a user or bad actor is inside a system. By minimising time spent in a system and validating the user’s presence at regular intervals, it is possible to significantly reduce the time it takes to identify a breach — reducing it, in some cases, from months to mere seconds.

Finally, regular pen tests offer specific, tangible takeaways to help strengthen cybersecurity defences and are part of the most robust cyber secure defence strategies.
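The answer above describes Zero Trust as replacing implied trust with validation at each stage, re-validating the user at regular intervals, and segmenting networks so a compromised account cannot move laterally. The following is an added illustration of what such a per-request policy check can look like; it is example code written for this page, not Expleo's or any vendor's implementation. The segment names (corp-it, dmz, ot-scada), the allowed-flow list, the five-minute re-validation window and the session fields are all hypothetical choices made for the example.

```python
"""Added example (not Expleo's code): a per-request Zero Trust policy check.

Every request is evaluated against explicit evidence (MFA, device posture,
how recently the user was re-validated, role) rather than the network the
request arrives from, and inter-segment flows are an allow-list so that a
foothold in the corporate IT segment cannot reach the OT/SCADA segment
directly. Segment names, thresholds and session fields are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import time

# Hypothetical network segments; ot-scada is the protected one.
SEGMENTS = {"corp-it", "dmz", "ot-scada"}

# Allow-list of permitted cross-segment flows (src, dst). Anything not listed
# is denied, so corp-it -> ot-scada (classic lateral movement) never passes.
ALLOWED_FLOWS = {("corp-it", "dmz"), ("dmz", "ot-scada")}

# Hypothetical re-validation window: the user's presence must have been
# confirmed within the last five minutes for a request to be honoured.
REVALIDATE_AFTER = 300  # seconds


@dataclass
class Session:
    user: str
    mfa_verified: bool
    last_validated: float          # epoch seconds of the last successful re-validation
    device_compliant: bool         # posture signal from an assumed endpoint agent
    src_segment: str               # segment the request originates from
    roles: frozenset = field(default_factory=frozenset)


def decide(session: Session, dst_segment: str, required_role: str,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """Evaluate one request. Every check must pass; the first failure is the reason.

    `now` is injectable so the re-validation window can be tested deterministically.
    """
    now = time.time() if now is None else now

    # 1. Refuse anything involving a segment we do not know about.
    if dst_segment not in SEGMENTS or session.src_segment not in SEGMENTS:
        return False, "unknown segment"

    # 2. Segmentation: cross-segment traffic only along allow-listed flows.
    if session.src_segment != dst_segment and \
            (session.src_segment, dst_segment) not in ALLOWED_FLOWS:
        return False, f"flow {session.src_segment}->{dst_segment} not permitted"

    # 3. Identity evidence: MFA must have been completed for this session.
    if not session.mfa_verified:
        return False, "MFA not verified"

    # 4. Device evidence: a non-compliant endpoint gets no access regardless of user.
    if not session.device_compliant:
        return False, "device not compliant"

    # 5. Time-bound trust: presence must have been re-validated recently.
    if now - session.last_validated > REVALIDATE_AFTER:
        return False, "session validation expired; re-authenticate"

    # 6. Least privilege: the user must hold the role the target requires.
    if required_role not in session.roles:
        return False, f"missing role {required_role}"

    return True, "allowed"


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp for the demo
    operator = Session("alice", True, t0, True, "dmz", frozenset({"scada-operator"}))
    print(decide(operator, "ot-scada", "scada-operator", now=t0 + 60))
    # A valid operator coming straight from corp-it is still refused: no lateral path.
    lateral = Session("alice", True, t0, True, "corp-it", frozenset({"scada-operator"}))
    print(decide(lateral, "ot-scada", "scada-operator", now=t0 + 60))
```

The point of the ordering is that network position is only one input among several: the same user with the same role is refused from the wrong segment, on a non-compliant device, or once the re-validation window has lapsed, which is what turns a single stolen credential from a months-long foothold into a short-lived one.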

Q. Are there any notable examples or case studies from other sectors that energy and utilities can learn from in terms of cybersecurity strategies and practices? How applicable are these lessons to the unique challenges faced by energy and utilities companies?

Compared to other industries, the sector faces some unique challenges. Many operate in highly complex businesses with decentralised physical and digital operations — and it is this decentralisation that can attract an increase in attacks.

With the advancement of the Internet of Things (IoT) and the roll-out of interconnected systems, like smart meters, there are now more potential entry points for cyberattackers than ever before. A sophisticated attack on IoT devices can result in theft of customer information, billing fraud and disruption of services. Additionally, any weakness in physical security can allow access to control systems, with the potential to lead to large-scale disruptions. 

Energy and Utilities can Learn From Other Industries, Expleo says. Credit: Expleo

When looking to mitigate these risks there is much energy and utilities can learn from other sectors. In the highly regulated world of banking, for example, cybersecurity is a key consideration in business decisions at all levels, whether it be expansions into new markets, infrastructure investments or employee on-boarding and training. Energy and utilities can apply this same cybersecurity-first culture when developing new digital infrastructure, including training its employees to navigate within this complex landscape, acting as a first line of defence.

Another notable trend from banking is industry-wide collaboration and information sharing. Open-source style collaboration on standards and practices can help to build a more resilient digital infrastructure, serving as a warning to wannabe cyberattackers who may otherwise view the sector as vulnerable or worse still, ripe for attack.

Putting these practices in place will help the sector maximise the economic benefits of digital technology while giving consumers confidence that their data is protected.

Q. Given the anticipation of a higher likelihood of cyber-attacks or data breaches within the next year, what role do you see collaboration and information sharing playing in enhancing cybersecurity resilience across the energy and utilities sector?

Collaboration Across Energy and Utilities is Key in Protecting it From Cyberthreats. Credit: Expleo

This is something we’ve seen in our Business Transformation Index where 65% of respondents said they expect their organisation will be the victim of a cyberattack or breach in the next year. This is significantly higher than the average of 52% across all the sectors we surveyed.

On the positive side, the sector is well-placed to regain ground through its naturally collaborative approach, making use of well-established mechanisms for best practice sharing between companies that do not compete. To boost this further, trust mechanisms can be put in place to encourage the sharing of non-commercially sensitive threat intelligence, ensuring that cybersecurity never becomes anti-competitive while remaining beneficial to all.

Central market bodies can coordinate such information sharing, depending on the sub-sectors involved, and Ofgem and DESNZ can each play a role here as well. This should enable good information sharing about malicious actors and their methods, allowing all companies to stay ahead.

Organisations are, however, very much interconnected and play a part in a bigger system, which does therefore increase security risks. The use of standards-based approaches to connect systems and share data is one area that should have more focus in the coming year with the UK creating its own standards that match the national interest, while taking the best learnings from other countries wherever applicable. 

With the number of physical assets increasing across the energy and utilities information system, we need to address and account for these to ensure that the security of dataloggers, routers, out-stations, sensors, controllers and other field-based IoT devices is well managed, including the radio spectrum that connects them. The use of AI and digital twin technology will also increase risk — any data generated by or shared with them should be rigorously protected in the same way as a physical asset.

As Cyberthreats get Smarter, Energy and Utilities Must Wise up, Expleo Says. Credit: Expleo

And, just as financial organisations must comply with DORA and operational resilience regulations, energy and utilities must look at how it can recover from potential attacks and maintain delivery of services. 

To increase trust in information sharing measures, legal and governance frameworks should be created and implemented, and an information sharing platform should be created to ensure confidentiality. In the UK, the E&U sector already has trusted central market bodies that coordinate and regulate such information sharing, meaning it is well placed to achieve this faster than other markets. 

One of the most important benefits would be the capability for enhanced threat intelligence resulting from companies collaborating on trends and attack patterns to develop a more comprehensive understanding of the threat landscape. This is followed closely by the ability to accelerate incident response and recovery by sharing real-time information on on-going attacks and working together to mitigate the impact. This will help to improve response times while limiting damage and cutting downtime.

It is also important to think about the smaller organisation in the energy and utilities space — for them, collaboration and information sharing can lead to the creation of budget-friendly security options and access to more advanced and comprehensive solutions at a lower cost.

Energy Digital is a BizClik brand.