As the energy industry evolves, cybersecurity efforts must keep pace

The energy industry finds itself increasingly the focus of national attention in the U.S. on issues ranging from supply chain concerns to the transition away from fossil fuels toward electricity.

This increased prominence and growth is leading to tremendous opportunities. But David Carter, an industrials senior analyst at RSM US LLP, says it’s created commensurate cybersecurity challenges as well.

 “All of a sudden, energy companies across the board are having to really scale up their capabilities there, especially in the utility space,” he says.

The expanded use of artificial intelligence and the proliferation of data centers are also major aspects of the sector now. “We have new power plants coming online—solar, natural gas and other technologies—and we're upgrading new smart grids,” says Carter. “All of this ties back into new innovation coming on the grid and playing a bigger role than it has before in the energy landscape. As we build in that connectivity, we have to build in security along the way.”

Establishing data governance is critical as businesses in the sector incorporate AI and its myriad uses into their ongoing expansion. But a shortage of cybersecurity talent and the cost to keep up with growing threats are growing concerns for middle market businesses.

“We can't have one or two cyber folks who are expected to have the necessary level of depth across all the different areas of cybersecurity,” Carter says. “There's value in having an outsourced team, where you're paying for a fraction of multiple people with different capabilities.”

Protecting operational technology from cyberthreats is also crucial due to the technology’s role as a revenue generator, Carter adds. In addition, the increased adoption of cloud-based systems comes with inherent benefits and risks.

U.S. national security concerns

The energy industry is in a precarious position from a cybersecurity perspective since it is an essential part of critical U.S. infrastructure—and the proliferation of AI is leading to an escalating arms race between attackers and security professionals.

“The pace of that challenge is going to increase because generative AI is going to enable threats to emerge faster,” Carter says.

As energy companies assess their cybersecurity needs, they should look ahead to address the risks they’re facing rather than compare themselves to their peers.

“The industry as a whole is behind for where they need to be on cybersecurity, considering the risk that threats pose to the U.S.,” Carter notes. “Energy companies are some of the most prized targets that can be really impactful if the U.S. were to get into a cyber war with one of our foreign adversaries, because that could really cripple parts of the country.”

The wide distribution of an energy company’s infrastructure poses a higher cybersecurity risk compared to a business with a more centralized framework. “If we're talking about oil fields, pipelines, power lines and substations, these are spread out across hundreds or thousands of miles,” Carter says. “That dispersion gets to be a big challenge for them from a security perspective.”