Is the Energy Sector’s Risk Management Keeping Up with the Pace of Digitalization?
Global Head of Cyber Risk Consulting at Marsh Risk Consulting
Expanding digitalization is a core characteristic of the energy sector’s ongoing transformation. However, while enjoying all the benefits, the sector may not be adapting its risk management approaches quickly enough to manage the exposures and risks associated with the pace of digital change.
Speed of Response
Digitalization enables agile and responsive energy infrastructure, but the energy sector will need to likewise adopt dynamic resilience concepts to respond to evolving risks. A critical aspect of building resilience includes capacities for speed of response in the event of a cyber breach or digital breakdown.
The adoption of intelligent, sophisticated technology, including artificial intelligence for control and monitoring systems, is enabling new business models and more efficient asset management.
New synergies are being realized by linking operational, information technology, and communication systems within organizations and across the energy supply chain. For example, oil and gas companies depend on data networks to track data from thousands of kilometers of pipelines, manage facilities and interpret operating conditions.
Utilities rely on vast data networks to manage complex combinations of centralized grids and decentralized resources to analyze and efficiently meet customers’ needs on a minute-by-minute basis.
In many aspects, digitalization increases the resilience of the energy sector as it enables the use of a complex and widening array of decentralized resources, improved efficiency and enhanced abilities to detect maintenance needs. Ultimately, this increases operational accessibility, productivity, sustainability and safety.
Digitalization Is Creating New Risks
At the same time, digitalization creates new cyber risk exposures, including business interruption, due to digital complexity.
The energy sector’s digital backbone is vulnerable to a range of failures.
These can include non-malicious human errors or software failures in systems within the sector’s increasingly complex supply chain or operations, insider threats from disgruntled employees, malicious external cyberattacks, and even the impact of space weather or geomagnetic storms.
Interconnectivity and complexity create vulnerabilities to malfunction or sabotage that can cascade across the energy sector and impact the broader economy. This was highlighted by the recent widespread blackout impacting approximately 48 million people in Argentina and Uruguay. The cause is still unknown, but the complexity of the system is such that “Just milliseconds had passed from the ‘destabilization’ of the grid to the power being cut.” Trains and subways were halted, traffic lights did not function and the water company’s distribution system was compromised.
In the face of these challenges, the energy sector must build its dynamic resilience capabilities, as a new report from the World Energy Council shows. An essential component of dynamic resilience is preparing to respond to and recover from events. For example, if a cyberattack occurs, an organization’s ability to isolate the problem, mitigate it and restore normal activities promptly could define its future business success.
Not Prepared for Cyberattacks?
However, survey data suggests the energy sector may be lagging in its preparation for cyberattacks. A recent survey of the energy and power sector found that respondents were relatively confident in their understanding of their cyber risk exposure and in their ability to prevent such attacks, but had less confidence in their ability to recover from cyber incidents.
Further, the survey showed that only 46% of respondents have conducted tabletop exercises and/or management training within the past 12 to 24 months. Preparation exercises may be particularly valuable in the energy sector, where experience and expertise in working in a digital ecosystem may be lagging.
Risk scenario exercises can help leaders envision how they would handle and manage risk events, remediate damage and build dynamic resilience.
Eight in 10 organizations in the energy sector are not actively recruiting skills to support digital transformation, automation or AI. In general, the energy sector lacks sufficient skilled talent due to an aging workforce, workers who left the industry because of layoff fatigue and younger potential employees whose value propositions are more in line with those of tech firms and startups.
Stress-Testing the Resiliency of Recovery Planning
Exercises such as scenario planning and “gaming” workshops are essential to identifying specific vulnerabilities and understanding where the organization needs to improve its cyber incident response plans and response capabilities, as well as its overall cyber risk management framework. Such exercises teach leaders how to manage through and after an attack to remediate damage.
Cyber scenario exercises often identify vulnerabilities across a number of areas, including response implementation, response governance, and intra- and inter-sector coordination.
Digital disruptions or cyberattacks can impact communication capabilities vital to the implementation of standard response protocols. For example, a cyber response plan housed only on the corporate network may be of little use in a malicious ransomware attack that limits access to company networks and laptops — and along with that, vital technical information, telephone numbers and contact points.
During the 2019 cyberattack on the aluminium maker Norsk Hydro, plants were able to continue production by relying on the knowledge of retired workers and paper manuals.
Who Is the Decision-Maker?
Gaming exercises also test the governance for decision-making during an event and whether there are clearly defined and pre-established roles, responsibilities and authorities at all levels of the organization to make necessary decisions. Responding to an event will be a shared responsibility of system operators, control engineers, information technology staff and cybersecurity professionals, as well as business leaders from an array of functions, such as government relations and customer service.
Organizations must consider which executive will be the decision-maker for critical decisions such as shutting down systems or determining when business systems can be restored. Will it be operational leaders such as the chief operating officer, the chief information officer or the chief information security officer? Who has the authority in a given unit or geography? What happens if a key executive is on vacation or medical leave?
With highly networked supply chains, cultivating the right relationships is critical to building dynamic resilience. Coalitions with industry peers, regulators, industry associations, strategic partners and law enforcement are critical elements of baseline capabilities.
These coalitions can help to establish predefined channels and mechanisms to improve situational awareness during an attack and facilitate agility and speed of response. For example, in the U.S., the Cyber Mutual Assistance program provides a pool of utility cybersecurity experts who volunteer to share their expertise with other utilities in the event of a disruption of electric or natural gas service, systems, and/or IT infrastructure due to a cyber emergency.
The 24/7 resilience of the digitized energy sector depends on the decisions and processes applied by countless individuals working throughout its supply chain. Exercises structured around risk scenarios can help leaders envision how they would handle such events, manage through and after them to remediate damage, and build dynamic resilience.
Digital advancements across the energy sector will bring significant benefits: optimized assets, more efficient delivery and a more resilient ecosystem. Building and exercising response programs across the organizations within the ecosystem will help build the muscle memory to react at speed and at scale to remain truly resilient.