Is the energy sector prepared for cyber breaches?

An instant and endless supply of electricity is taken for granted in many parts of the world. The flick of a switch powers the work and family lives of billions of people.

But the energy systems that underpin entire economies are facing “an unprecedented threat” from cyberattacks, according to the International Energy Agency (IEA).

The true scale of cyberattacks on critical energy infrastructure is unknown, as some incidents go undetected or are not reported. However, data from the IEA shows a dramatic rise in the targeting of utilities including power, gas and water supplies. The number of weekly cyberattacks rose from 499 in 2022 to 1101 in 2022.

The consequences of a cyberattack on a power grid can be far-reaching. Beyond the loss of the energy supply, attacks can compromise customer data including their names, addresses, banking details and phone numbers.

Industry research shows that utility companies are spending an average of 8% of their total IT budget on cybersecurity – but the number of attacks is outpacing spending. Perhaps the most critical weakness in the digital defences of power companies is a lack of skilled professionals to fill cybersecurity roles.

Across global industry as a whole, there are 3.4 million unfilled cybersecurity jobs, according to an analysis by cybersecurity experts Fortinet. This yawning skills gap is undermining efforts to counter cyberattacks.

This global skills gap requires a global solution across the energy ecosystem. The World Economic Forum’s Centre for Cybersecurity is convening leaders from industry, academia and civil society to collaborate on solutions. The Systems of Cyber Resilience: Electricity Initiative has helped bolster the cyber resilience of the global electricity infrastructure. This multistakeholder community will now serve as a global exchange platform for cybersecurity leaders in the electricity sector.

The IEA suggests power companies lack long-term strategies for hiring cybersecurity specialists and developing digital defence skills in-house. Instead, these companies operate reactively when perceived threat levels increase.

As the chart above shows, job postings for cybersecurity specialists in North America tend to rise sharply following major cyberattack incidents. Despite these recruitment surges, data shows the proportion of cybersecurity security job postings by energy companies is falling behind other industries such as banking and finance.

The IEA also reports a salary gap between industries, stating, “available data for the United States, Canada and the United Kingdom suggests salaries offered by power utilities in cybersecurity job postings are among the lowest for the occupation”.

The World Economic Forum’s Global Cybersecurity Outlook 2023 suggests pathways for increasing the talent pool of cybersecurity specialists. One solution is to democratize access to the industry.

The report says industry must “expand and promote inclusion and diversity efforts within cyber recruitment. Underrepresented groups in cybersecurity such as women, people of colour and those with informal educations have been continually discouraged from technical careers through societal expectations and perceptions of cybersecurity work culture”. The Forum has launched an initiative to raise c-suite awareness of the cybersecurity talent crisis and its implications, and to define strategies to strengthen the talent pipeline.

The war in Ukraine has highlighted the extent to which the global economy is reliant on interconnected energy systems. With digital threats to these networks growing, the IEA is urging companies to adopt digital defence strategies as a core pillar of their operations.

“It is essential”, says the IEA, “that every power utility, big or small, includes cybersecurity as a core element of their business strategy and ensures access to in-house cybersecurity professionals and their skills, continuously updating them and ensuring talent retention”.