The energy industry comprises organizations that historically have exhibited varying appetites for cutting-edge technologies. In the oil and gas industry, the pursuit of new fuel sources has attracted investments in technologies that rival those of the space industry. At the same time, vertically integrated utilities that are heavily regulated have taken a more conservative approach. In some ways, the way we generate, transmit and distribute electricity has not changed much in 50 years. That's about to change.
The endless pursuit of operational efficiencies, the advent of competition in areas previously considered monopolies, and ever-increasing regulatory oversight have set the stage for widespread digital transformation in the energy industry.
For example, the control systems operating the energy infrastructure are increasingly networked and digitized. Innovations in other industries have prompted energy companies to change the way they interact with customers, for example by providing them with consumption data to help them make informed decisions about their energy usage. Environmental pressures combined with successes in fuel exploration (e.g., fracking) have changed the economics of energy supply, resulting in a fuel mix that is shifting from coal to natural gas and renewable resources. In an effort to cut costs, energy companies are implementing cloud technologies to help run their businesses. All of these changes alter the industry's risk profile.
Meanwhile, natural and man-made events have disrupted the supply and distribution of energy at a time when society has become extremely dependent on technologies that require electricity. The December 2015 cyber-attack on Ukrainian electricity distribution companies, which cut power to customers for several hours, shone a spotlight on this very issue.
Collectively, these factors have grabbed regulators' attention and pushed the industry to make significant investments in protecting what is widely recognized as a basic human need.
Going forward, energy companies will need to manage these risks with greater focus, discipline and diligence. While reactive, ad hoc approaches to risk may have been acceptable in the past, these companies now need to take a structured and proactive approach. They may not be able to predict the next cyber-attack, but they can assess their cyber-attack risk based on the criticality of their business processes and other factors, and invest in controls accordingly.
Operating in an age of heightened risk and limited resources, energy companies are likely to take a risk-based approach to prioritizing investments. Projects intended to reduce risk will need to be justified by how much they actually reduce it. Risks that are encountered more frequently will need to be weighed against those that are rarer but potentially far more damaging. This kind of analysis will require organizations to adopt risk frameworks that standardize their risk assessment methodologies and make them repeatable.
Additionally, energy companies will need to rely more heavily on front-line employees who see these risks firsthand and possess "class A information" about them. For example, these employees may be network technicians whose workloads prevent them from completing all of the checks needed to confirm that firewalls are configured properly. Energy companies need to give these employees a voice, perhaps by enabling them to contribute to risk registers and assessments. Energy companies will also need to couple top-down and bottom-up risk assessments to develop a holistic understanding of the risks they face across their enterprises.
Finally, these organizations need to mature their risk management programs to the point where they can respond to current and evolving threats while also addressing future challenges in a sustainable manner. To that end, investment in integrated risk management systems will no longer be optional. Implementation of these systems will be a necessity for organizations seeking to manage digital risk and ensure that everyone has continuous access to safe, clean, affordable energy.
# # #
Get the RSA® Digital Risk Report 2019 to learn about perceptions and attitudes towards risk in the digital world and the top critical risk challenges facing organizations in your industry. You can also use the RSA Digital Risk Index to identify your organization's risk exposure and highlight specific focus areas where you can take immediate action. This quick online assessment can help guide your strategies as you prepare to take on new digital initiatives.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity.
Author: Michael DeLoach
Category: Research and Innovation, Blog Post
Keywords: Cybersecurity, Digital Risk, Digital Risk Management, Digital Risk Report, Digital Transformation, Integrated Risk Management