Marked by increasing digitalization, the energy & utilities sector, is undoubtedly more and more exposed to cybersecurity threats and for cyberattacks with vague and varying motivations. Sabotage, economic and industrial espionage, or various dysfunctions are part of strategies of attack, deterrence or reprisals, some of which are orchestrated by States and which we must be ready to face…

Energy & Utilities, a sector in profound transformation.

Energy fuels the world and countries economic growth. This Energy & Utilities industry is key in the climate change mitigation fight, 75% of CO2 emissions resulting from energy use, in the energy sector (with energy production), as well as in industries, building, transportation and agriculture. Related sector transformation encompasses:

It’s a faster than ever transformation with energy transition big investments and the imperative of affordable energy for consumers.

With digitization progressing and wide eco-systems on any industry value chain piece, cyber threat is a reality, reinforced or even triggered by geopolitical instability.

Depending on the value chain (electricity, oil & gas, or water and waste management), with digitization progress (journey started more than 15 years ago), from millions to billions of assets are connected with IoT, are sometimes smart and edge computing enabled. A data tsunami happens every day. Connected objects, and digitized assets of any type, drive digital exchanges with large ecosystems (Energy & Utilities industry operators, equipment and services suppliers, consumers), with a growing cyber threats consequence.

Energy and Water are key components of international conflicts (unjustified Ukraine invasion by Russia, Middle East Hamas terrorism in Israel last October) and blocs tensions (China – USA, Russia – USA, Taiwan, Iran nuclear developments). 

Many cyber-attacks already recorded.  
In this geopolitical unstable environment, many attacks have already been recorded, physical (Nord Stream gas pipeline 2 explosion, Ukraine Kakhovka dam destruction) and cyber…. Highlighting here just few cyber events:

December 2015Ukrainian electricity grid attacked by Russia. 230.000 customers have been cut up to 6 hours.
March 2018US internal security department revealed Russia penetrating US energy networks since 2017.
May 2021Colonial pipeline (Texas – New Jersey oil pipe, transporting 2.5 M oil products barrels pa) ransomed by DarkSide gang.
February 2022German KA-SAT network attacked, preventing windfarms maintenance. A Russian attack.
2023Iranian gas station network attacked.
August 2023Monespaceprime.engie.fr web site attacked; 110,000 users’ data stolen.
May 202322 energy Danish players hacked.
2017A large Saudi Arabia petrochemical plant control lost during a cyber-attack. 
2022Chinese cybercriminel TA423 attacking gas field (Kasawari) and offshore farms in the southern China sea and Taiwan strait.
January 2024Schneider Electric Sustainability Business division ransomware attack, data breach
February 2024Hacktivist Lulzsec has claimed having stolen B2B and B2G clients’ data to EDF Retail branch. 500,000 accounts. EDF has recognized about 20 unexpected clients connections, and has asked these clients to change their accounts access. More on: https://www.numerama.com/cyberguerre/1633070-apres-la-caf-au-tour-dedf-de-confirmer-les-piratages-de-quelques-comptes-clients.html

CIOs / Digital Officers constantly report that hundreds of cyber-attacks attempt happen every month in each of the large player divisions systems.

Interviewed by DNV in 2023[1], energy & utilities managers states that attacks are coming from hacktivists (69%), foreign powers state sponsored actors (62%), representing even a greater cyber threat than criminals, terrorists, or vandals.

Government have established cyber protection obligations for the vital Energy & Utilities players, with important gaps to bridge as soon as possible.

France, then Europe have listed Essential Services Operators during the last decade, all Energy & Utilities companies being in. IS securitization obligation being established, notably through the NIS directive (Network and Information Security), operators must submit for approval their protection measures, and test all procedures to activate in case of cyber threat or incident.

As a matter of fact, the EU Member States have until October 2024 to transpose the European NIS2 Directive into national laws. A look at the consecration of risk management especially in a strategic and vital sector as Energy.

With Article 21, the NIS2 Directive requires “appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of networks and information systems used by [critical and important] entities in the course of their business or in the provision of their services, and to eliminate or reduce the impact of incidents on the recipients of their services and on other services”. 

This can only be done through agile and effective risk management which allow to focus on assessment, reporting and investment arbitrage to achieve cybersecurity results. 

As a reminder, in case of non-compliance, critical entities are subject to a fine of €10 million, or 2% of total worldwide turnover.

Centralizing and managing cyber risks and preventing threats to occur is, though, an absolute must do, and a complex task to achieve and keep updated anytime.

Protecting an operator means also securing the ecosystems, harmonize cyber risks processes and tools between the operator and its key supplier network and partners’ ecosystems to establish common methods, consistent risk assessment, and traceability for coordinated compliance. Clients and energy consumers, digitally connected now to their energy suppliers and equipment, are part of the cyber risk galaxy and its related mitigation.

Which brings the need to industry common requirements, rules, and processes. Each company must consider increasing the cyber security effort, having the appropriate skills, and involving all the company’s executives, from the highest level, to reconcile systems and businesses protection.

It’s time to act now and to consider EGERIE as the key platform for cyber risks assessment and management.

EGERIE platform already used by key Energy & Utilities players, leveraging the platform customized industry framework.

The EGERIE platform allows you to implement and manage a cybersecurity strategy, through the continuous analysis of cyber risks. it is a collaborative platform: you work as a team on the risk analyses and can solicit the business team of each department through security questionnaires to audit your security controls internally. This approach contributes to raising awareness of cyber risks in each of the company’s departments. 

The EGERIE platform helps you with your NIS2 compliance with cyber risk centralization, reporting to your management for approval of your cybersecurity strategy and residual risks, for a general cybersecurity awareness.

[1] DNV Energy Cyber Priority 2023