"Cybersecurity in the Energy Industry: Why Working Together Across the Value Chain Is Vital for Resilience"

The energy and utility industries have been subjected to more organized cyberattacks, the consequences of which have been widely publicized. Supply chain attacks are becoming more visible in terms of number and impact. The SolarWinds attack alone impacted thousands of top companies and government agencies worldwide in 2021. The Colonial Pipeline attack disrupted millions of citizens' energy supply for a few days, cost millions to contain and recover from, and resulted in long-term brand damage. In 66 percent of the incidents, attackers focused on the suppliers' code to further compromise targeted customers. The exploitation of a single organization's weakness or vulnerability can bring an entire value chain down.

Therefore, it is critical to investigate how to trust suppliers when what could lurk in their environments is unknown. It is also critical to address the question of how to build trust with customers who are unaware of your digital landscape. Trust itself can also become a vulnerability if it is not thoughtful, reciprocal, and verifiable through evidence. Every government agency, non-profit organization, global conglomerate, and small and medium-sized business relies on a supplier or partner to function digitally. Each has no choice but to overcome information asymmetry. When one operates an "enabling function" that is critical to a nation's growth and production, one must ensure trust through actions all along the value chain.

Companies in the energy sector must operate in multiple locations, source goods from five continents, outsource services, and manage thousands of unique suppliers. Furthermore, the energy sector relies heavily on data to help build a reliable and flexible energy infrastructure. Third-party technologies are typically used as support, adding to the complexity and risk of their landscape. The situation is more complicated because 65 percent of organizations have not identified the third parties whose failure could jeopardize their most critical functions. Companies should develop "third-party security principles" to govern how they engage suppliers on a common cybersecurity posture, so that security and privacy are considered in the procurement process and supplier life cycle. This article continues to discuss bolstering cybersecurity in the energy sector.

World Economic Forum reports "Cybersecurity in the Energy Industry: Why Working Together Across the Value Chain Is Vital for Resilience"
