By Anjos Nijk, Managing Director at ENCS
Here is a statement that I’m sure most of our industry leaders would agree with: Society needs energy, and demand will only grow. We need more power and to be smarter about how we use it to maintain security of supply.
Now replace the word ‘power’ with ‘cyber security resource’. Would as many people agree? They should.
This resource gap is very real, and it’s crucial we get to grips with it as our infrastructure becomes smarter and more connected. However, aside from closing the cyber security skills gap in the sector, we need to increase resources and be more intelligent about how we deploy them.
Europe’s energy companies have made real progress on cyber security in many ways. A decade ago, few board-level conversations would even touch on cyber security, now it’s not uncommon to hear a CEO reassuring stakeholders about how seriously they’re taking the topic.
But actions speak louder than words. Typically, board-members will be accomplished, senior leaders who made their careers in a very different world, failing to comprehend the scale of the threat. Besides - they have a lot of other business issues vying for their attention.
So, what we need are more people with cyber security skills on the boards, to ensure it’s at the top of the agenda. The number of Chief Information Security Officers (CISOs) in the European energy sector is growing, but we still need more of them with greater decision-making power. Cyber security needs to be a core component of any utility’s strategy.
Most utilities nowadays do have some talented security people in the organisation. Very few have enough people though, leaving a resource-constrained team to handle a number of competing priorities.
As security regulations and standards rightly make their way into the energy space, teams will find themselves investing time and resources into compliance while, at the same time, still dealing with a host of general security tasks.
That would be fine in a well-resourced security team, but in reality, other important projects, such as cyber security, go unaddressed because of resource limitations - investment must therefore increase.
The old OT/IT divide
IT (information technology) systems and OT (operational technology) systems are built by different people using different protocols with different purposes. The engineer who designed the transformer in the substation twenty years ago never thought about cyber security - after all, systems weren’t interconnected like they are today. Likewise, it probably never occurred to the programmer who designed the customer billing system to think about the smart meter communications protocol as such a thing didn’t exist.
Yet now the worlds are merging and there are security challenges in the OT domain that were previously exclusive to the IT one.
We need more people in the industry who understand both domains, which will take time. However, companies often make the problem worse by poorly organising the resources they do have.
Until now, the IT guys probably had very little interaction with the engineers looking after OT. Yet utilities need to bring these people together to maximise value from their limited resources.
Security as an afterthought
For well over ten years now, we’ve heard security has to be factored in from the start, not tacked on at the end.
But in practice, it’s just not happening enough.
Say you work at a utility and you’re trialling a new technology, chances are you will be working to significant time pressure, lest the competition beat you to market. At this point, many rush to get a pilot scheme up and running to test feasibility, but don’t factor in cyber security. After all, it may not be an idea that is taken forwards, so it would be a waste of time and resource to worry about security at this early stage, right?
Understandable, but wrong. Because security can’t just be added on at the end. There may be a fundamental flaw in the approach that can’t simply be patched, there may be too many vulnerabilities to take it to market. The security team, called in as the last consideration, may be in the unenviable position of nixing the whole project, snuffing out the idea completely. All that work for nothing!
That’s not the role security professionals want to play, but too often it’s the one they have to. And it will continue to be until they are properly consulted from the earliest stages of the project. Again, it will require reorganisation of how companies utilise the limited cyber security resources they have.
Reasons to be cheerful?
It’s not all doom and gloom though. There is investment into cyber security – far more than there ever used to be. This goes hand-in-hand with growing awareness across leadership teams and what starts as lip service gradually becomes sincere as realisation of cyber security’s importance dawns.
And the very energy transition that is upping the need for cyber security also creates opportunity. Look at all the big utilities fundamentally changing their strategy as a business, spinning out assets and recalibrating leadership teams entirely. There’s never been a better time for radical change – such as putting security experts on the board, for example.
The good news is we are doing a lot of the right things. The bad news is, we’re not doing it anywhere quickly enough.