Energy cybersecurity in 2024: Building accountability and responsibility

Guest/partner contributor
Posted on: 16 February 2024

Cybersecurity is not a nascent concept or technology. However, it is clear that the race between cyber threats and security is fast accelerating.

Anjos Nijk.

The race between cyber threats and security is fast accelerating. Globally, cyber attacks increased by 38% in 2022, with a 48% increase for utilities. Anjos Nijk, managing director of the European Network for Cyber Security (ENCS), explains what the energy sector should do to tackle this challenge.

With cyber attacks on the rise, organisations need to be doing everything they can to meet the growing challenges these more common cyber threats present. The seemingly obvious fix would of course be to recruit those with the necessary cybersecurity skills to protect against these threats.

However, many companies are also contending with the wider cybersecurity skills gap, making this potential solution to growing cyber risks a dead-end road, particularly for those without the budgets and investment needed to beat other competition to hiring the best talent.

Take the UK for example. In the government’s latest report, 50% of all UK businesses have a basic cybersecurity skills gap, with cybersecurity leads unable to deliver basic tasks such as setting up firewalls or detecting malware. Meanwhile, 33% of UK businesses are also experiencing an advanced cyber skills gap, in areas such as forensic analysis of breaches or implementation of security architecture. To make things worse, these figures are similar to 2022 and 2021, with over 160,000 cybersecurity job postings in the last year.

So, if recruiting new talent to meet these evolving threats is not a viable option, what is? To start, it’s recognising how the roles and responsibilities for cybersecurity best practice have changed.

Looking beyond the cyber skills gap hurdle

In the past, cybersecurity was a specific job function. Now, it has developed into a problem that can only be dealt with by integrating cybersecurity responsibility into line functions and staff functions across an organisation.

If we apply that thinking to the power sector specifically, it paints a concerning picture. Ten years ago, C-suite level personnel from grid operators would predominantly be engineers, with a thorough understanding of grid technology and operations, and a level of knowledge of potential cyber risks and threats. However, it should also be noted that this was primarily on the operational technology (OT) side, rather than information technology (IT), so the understanding of how the two interacted from a security perspective was still in a relatively immature phase.

Today though, C-suite level employees of grid operators predominantly have consultancy or financial backgrounds, due to the change management and financial challenges for grid operators, imposed by the energy transition.

Whilst this can perhaps be understood from a business perspective in terms of financial prudence, it poses cybersecurity challenges. A widely chosen solution for this problem has until now been to create the chief information security officer (CISO) role and to delegate the cybersecurity responsibility to the CISO. However, this is increasingly becoming insufficient as a standalone solution.

CISOs are usually not board members, meaning they lack board-level budget and decision-making power, which can create barriers to implementing the changes needed across the business to boost its cybersecurity defences.

As such, it is now incumbent upon all employees across the company to do their bit on the front line in the war against cyber. With the cyber threat landscape having evolved so much, including the exponential growth of touchpoints that cyber hackers can exploit in the everyday tech we use in our working lives, this is now more important than ever.

Building out accountability and empowering CISOs

To bring cybersecurity strategies up to date, in the face of an ongoing skills gap and regulatory restraints in the energy market where justifying the return on investment in skills can be challenging, two aspects are now critical.

First, cybersecurity responsibility and accountability must be appointed across organisations with external third-party support where needed. Second, security specialists must be empowered to independently develop and provide input to decision-makers, or even block decisions affecting cybersecurity when necessary, to maximise scrutiny of their cybersecurity decisions to ensure best practice.

Whilst still limited in their impact in Ukraine, cyber skills have developed into weaponry for war, and power grid operators are already being caught in the crossfire. Grid operators clearly cannot match the investments that nation states make in knowledge and skills development, but they will nonetheless still be exposed to their attacks.

To create the knowledge and skills required to deal with the complexity and scale of these attacks, new collaborative ways of working are needed to build and maintain this knowledge and skills level. Operational teams are responsible for performing risk analysis within their scope of responsibility.

More specifically, responsibilities and decision-making authorities need to be clearly assigned. For each job function, dedicated security knowledge and skills requirements should be identified and addressed in clear and pragmatic training and development programmes.

At the European Network for Cyber Security (ENCS), we have identified the need for operational functions, staff functions and management functions, as well as developing a dedicated training portfolio for grid operators, to reflect the holistic approach to meet modern cyber threats. We have also seen demand for this training from other critical infrastructure sectors including gas, water and transport.

OT cybersecurity specialists, who are key to the knowledge and skills building process, should not necessarily have responsibility for security, but need to be sufficiently empowered.

If cybersecurity specialists in a staff position are assigned responsibility for certain security functions, they still do not have the decision-making power or budgets that sit with C-suite level colleagues; they cannot make things happen, incentivise desired behaviour and ultimately create the scale of change required.

As a result, unless they are empowered, we may see many colleagues with all the right intentions getting frustrated and looking for other opportunities, having a knock-on effect on retention of cybersecurity experts in the power sector especially. Instead, we need career paths and incentives, including financial, for OT experts similar to IT security experts.

Maximising expertise, empowering retained talent

There are always ways in which we can be nimble to adapt to growing threats, despite competition for employers to recruit top cybersecurity talent, especially for many European grid operators.

However, beyond the four walls of the grid operators themselves, we must also see regulatory changes and utilities must continue to pressure for change, both individually and through membership groups like ENCS.

At the same time, this doesn't diminish the importance and urgency of doing everything they can in the meantime to improve existing security through a more collective, collaborative approach and empowering existing talent.

About the Author

Anjos Nijk is managing director of the European Network for Cyber Security (ENCS).

Nijk is also a member of the steering committee of the smart grids task force of the European Commission’s Directorate-General for Energy (DG ENER) and a member of the network and information security platform of the Directorate General for Communications Networks, Content & Technology (DG CNCT).
