Michael John, Director of Operations, ENCS, looks at the urgent skills challenges in the energy sector.
We are familiar with capacity gaps in the energy sector. Here is a statement that I’m sure most of our industry leaders would agree with: “Society needs energy, and demand will only grow. We need more power and to be smarter about how we use it to maintain security of supply.”
Now replace the word ‘power’ with ‘cybersecurity resource’. Would as many people agree? They should, because it’s true.
This resource gap is very real, and it’s crucial we get to grips with it as our infrastructure becomes smarter and more connected. One part of this equation is the skills gap – the shortfall in cybersecurity professionals in the sector. However, aside from skills, we need to increase resources and be more intelligent about how we deploy them.
Europe’s energy companies have made real progress on cybersecurity in many ways. While a decade ago, not many board-level conversations would even touch on cybersecurity, now it’s not uncommon to hear a CEO reassuring stakeholders how seriously they are taking the topic.
But actions speak louder than words, and lip service isn’t enough. Typically, board members will be accomplished, senior leaders who made their careers in a very different world, where security related to chain-link fences. It’s understandable that they might not comprehend the scale and importance of the threat and – besides – they have a lot of other business issues vying for their attention.
So, what we need are more people with cybersecurity skills on the boards, to ensure it’s at the top of the agenda. The ‘C’ in CISO shows how important they are, and the ranks of Chief Information Security Officers (CISOs) in the European energy sector are growing, but we still need more of them with greater decision-making power. Cybersecurity needs to be a core component of any utility’s strategy.
Most utilities nowadays do have some talented security people in the organisation. Very few have enough people, though, leaving a resource-constrained team to handle a number of competing priorities.
As security regulations and standards rightly make their way into the energy space, teams will find themselves investing time and resources into compliance while, at the same time, still dealing with a host of general security tasks.
That would be fine in a well-resourced security team, but in reality, we will see other important projects fall down the pecking order. There will be cybersecurity needs in the utility that go unaddressed because of resource limitations. Investment must therefore increase.
The old OT/IT divide
The operational technology (OT)/information technology (IT) divide is something that will mean little to the man on the street, but is extremely familiar in our world. IT systems and OT systems are still very different. They are built by different people with different degrees and worldviews, using different protocols with different purposes. The engineer who designed the transformer in the substation twenty years ago never had a cybersecurity thought in his head – after all, systems weren’t interconnected like they are today. Likewise, it probably never occurred to the programmer who designed the customer billing system to think about the smart meter communications protocol as such a thing didn’t exist.
Yet now the worlds are merging. By creating more digital, connected smart networks we bring IT and OT together, and create security challenges in the OT domain that previously belonged exclusively to the IT one.
We certainly need more people in the industry who understand both domains. That will take time. However, companies often make the problem worse by poorly organising the resources they do have across an organisation.
Until now, the IT staff probably had very little interaction with the engineers looking after OT. Yet utilities need to devise ways to bring these people together and to get them talking in order to start creating the blend of knowledge and skills and maximise value from a limited resource.
Security as an afterthought
For well over ten years now, we have heard phrases like ‘end-to-end security’ and ‘security by design’. The core principle is that security has to be factored in from the start, not tacked on at the end.
But in practice, it’s just not happening enough.
Say you work at a utility and want to trial a new technology or service. Chances are you will be working to significant time pressure, lest the competition beat you to market. At this point, many rush to get a pilot scheme up and running to test feasibility, but don’t factor in cybersecurity.
After all, it may not be an idea that is taken forward, so it would be a waste of time and resource to worry about security at this early stage, right?
Understandable, but wrong. Because security can’t just be added on at the end. There may be a fundamental flaw in the approach that can’t simply be patched, there may be too many vulnerabilities to take it to market. The security team, called in as the last consideration, may be in the unenviable position of nixing the whole project, snuffing out the idea completely. All that work for nothing!
That’s not the role security professionals want to play, but too often it’s the one they have to. And it will continue to be until they are properly consulted from the earliest stages of the project. Again, it will require reorganisation of how companies utilise the limited cybersecurity resources they have.
Reasons to be cheerful?
It’s not all doom and gloom, though. There is investment into cybersecurity – far more than there ever used to be. This goes hand-in-hand with growing awareness across leadership teams and what starts as lip service gradually becomes sincere as realisation of cybersecurity’s importance dawns.
And the very energy transition that is upping the need for cybersecurity also creates opportunity.
Look at all the big utilities fundamentally changing their strategy as a business, spinning out assets and recalibrating leadership teams entirely. There’s never been a better time for radical change – such as putting security experts on the board, for example.
The good news is we are doing a lot of the right things. The bad news is, we’re not doing it anywhere quickly enough.