The energy sector’s increasing security needs

Energy sector

The deteriorating security environment has changed the energy sector’s risk profile, and security needs are increasing. The Russian attack on Ukraine and the EU’s sanctions have turned energy from a self-evident commodity to a limited resource. Europe is potentially facing a cold winter and a recession. In the US, the oil price is a transformational force. Also, the US has a lower influence on, e.g., Saudi Arabia than before, and the domestic shale oil industry is slow to respond to a surge of demand they consider temporary. The energy crises of the ’70s showed us how fundamental an impact this sector has on our lives.

For half a century, the developed world has assumed energy is a somewhat accessible and stable commodity. It’s a regulated industry but hasn’t received the IT security scrutiny that finance and healthcare have. Adverse actors will find the energy sector a compelling hybrid war target. Moreover, energy companies are also benefiting from the price increases. There’s a strong self-interest in investing in security, and free cash flow makes it possible. 

The difference between compliance and security

Security and compliance are often the shared responsibility of one team. More compliance may mean less security. The energy sector is likely to see authorities stepping up their oversight. Parallel industries that have been through this balancing act can provide valuable learnings and insights.

Compliance means following the minimum standards, often set by a regulatory body. Compliant doesn’t necessarily mean good, outstanding, or even adequate for real-world purposes. Secondly, compliance is granular. One company can comply with a standard, and another can be compliant and certified by a trusted third party. All of these mean benchmarking against a set of minimum standards.

Security comes in shades of grey. No organization or system is entirely secure, which makes security a frustrating topic to deal with. You can invest every last dollar on security and still be breached. Security investment is like having a military.  No matter how much you invest, an attack is possible. Knowing the threats and benchmarks helps in making intelligent decisions. Unlike in compliance, there’s no set standard in cybersecurity.

Sometimes compliance and security clash. Compliance requirements evolve slowly and may be slow to respond to real-world threats. An hour spent on compliance is an hour away from security. Finally, a barely compliant system is predictable from an attacker’s perspective.

The drivers behind compliance and security vary by industry

The healthcare industry holds vast amounts of PHI (personal healthcare information). The industry is highly regulated, as the general public and politicians alike can relate to the leaks. For some reason, very few people are concerned about compromised privacy when it comes to, e.g., mobile phones. It feels more personal if your bloodwork results are leaked than your real-time location data.

The general public is less concerned about breaches of financial institutions. The government guarantees savings, so why should I care? The finance industry has experienced tightening PII (personally identifiable information) regulations through the crises. The most progressive financial institutions go well beyond compliance out of self-interest. Being exposed to cyberattacks is a terrible business.

The energy sector frequents the ‘top targeted attack candidate’ lists. Some of the most elaborate cyber breaches, such as Stuxnet, show the sector is in the interest of even the nation-state actors. The general public pays much less attention to energy sector risks than health care or banking. The change is coming and fast. 

Tapping into parallel industries to solve the security needs of the energy industry

Cybersecurity Ventures reports that there are 3.5 million unfilled cybersecurity jobs worldwide. Entering this field of scarceness as a relative newcomer won’t make it easier for many energy sector players. Naturally, many skilled and capable security professionals work in the energy sector. Responding to increased security threats, management requirements, and political pressure may seem daunting. How can you change the game after years of stable operations and possibly underinvestment? 

Our recommendation to tackle the increasing security needs of the energy sector is to look into parallel industries for best practices. Building a secure front-end with a great user experience is a transferable skill. Moving the back-end from on-prem to private cloud to public cloud to poly cloud is a well-trodden path. For energy sector insiders, the complexity and number of players in the ecosystem may feel unique. Integration requirements and data exchange are happening in other industries with a comparable level of complexity.

The shared security model

We all know that the internet wasn’t built to be secure. If we could roll back time, life would be easier. We also know that security can’t be an add-on but has to be designed for any system from the beginning. But how does one approach this monumental challenge amidst all the change?

The public cloud providers, such as AWS, GCS, Azure, and Salesforce, follow a shared responsibility model. The cloud provider is responsible for the platform’s security, which is a massive load off your shoulders. You are free to focus on building secure applications on that platform.

In the real world, you don’t usually run complex operations on a single platform. You may follow a poly cloud approach, leveraging the strengths of various cloud providers. If you don’t, your supply chain and the rest of the ecosystem will take you to the multi-cloud complexity in any case. So besides building secure applications, you want to secure the perimeter around those applications and the lifecycle of building / transferring business logic to them.

The layered security approach

Cybersecurity products, solutions, and services are no substitute for building secure applications. Similarly, building secure applications doesn’t negate the need for cybersecurity solutions. Both are elements in a layered security model.

Think about a medieval castle, like the one in King Arthur’s days or Game of Thrones. They had watchmen to warn about approaching danger. The officers would send cavalry to keep the battle on neutral ground and help the rest of the castle prepare. The drawbridge and moat kept the enemy at bay, while the walls and turrets provided an elevated upper basis. The infantry, with their swords, were the last line of defense.

The layered security model is still going strong, even though the crossbow has given way to the MITRE ATTACK framework. The NIST framework classifies the layers of cybersecurity as Identify, Protect, Detect, Respond and Recover. Both the models tell the same story: even the most robust solutions have security gaps, and even the best organizations must work hard to stay secure. Building secure applications is your puzzle to solve, but you don’t have to solve it alone.

How can A-CX help with the security needs of the energy sector?

You don’t have to be a specialist if you have the right partner. A-CX focuses on building secure applications that provide a great user experience. We’re helping some of the most demanding customers to operate in highly regulated industries. Avalon CX specializes in building secure back-end and applications, so we’re well positioned to help with the security needs of the energy sector. Our team is highly competent in technology and design. Feel free to reach out to us. We’d be happy to help you secure your future.

  • Business executive with over 25 years of leadership experience in small to huge global companies. Risto has decades of experience leading tech teams of up to 2,000 people. He's an entrepreneur who has successfully founded, scaled, and exited tech companies. At present, he serves as a board member in 8 companies. He lives in Rovaniemi, Arctic Circle.

  • Mikko, co-founder and COO of A-CX has a background in driving innovation and building award-winning products and services. With extensive experience at Nokia, Microsoft, and F-Secure, Mikko has leveraged technology to create impactful solutions. Mikko’s career exemplifies a deep understanding of business dynamics and a passion for driving growth.

    COO