      As an industry, energy is a confluence of sub-sectors — power and utilities, oil and gas, natural resources, and chemicals — that are experiencing significant transformations in the way they work and interact with customers and suppliers. Adding to this complexity are the parallel transformations of companies across the industrial spectrum, such as manufacturing, technology and automotive, all of which are dependent on energy.

      Energy as a theme has become integrated into the fabric of everything we do as a society today. The sector is adapting to the changing world and reconfiguring its value chain. It’s no longer just about pumping gas at fuel stations or turning the lights on.

      Today, the focus is on renewables and clean energy, particularly on integrating them as energy sources and on digitalization to accelerate the transition.

      This energy transformation is not a singular phenomenon. Virtually every industry across the global economy is affected, with much changing behind the scenes from both information technology and operational technology perspectives.

      Control networks and systems connected to everything from valves on oil rigs to metering devices in power plants are in ‘always on’ mode, which exposes a perpetual security risk and redefines the attack surface across the industry.

      This article explores cybersecurity considerations and key actions crucial for the energy and natural resources sector. It provides an overview of the evolving threat landscape and offers key insights for security and business leaders to function effectively in the year ahead. 

      Consideration 1: Navigate blurring global boundaries

      Energy and natural resources companies will likely continue to require a global audience and global footprint to scale their operations, regardless of jurisdiction and where they're based. The big question for security professionals across the sector involves striking the right balance between business enablement and business value while ensuring they stay on the right side of the regulators. It’s a fine line and a clear challenge.

      Multinational energy and natural resources companies operate cross-border and must simultaneously manage the challenges of a rapidly globalizing business environment, highly complex regulatory regimes, and an ever-evolving attack surface. Many smaller organizations are less prepared to navigate these challenges effectively, but they can learn from their larger, more mature sector counterparts rather than reinvent the wheel.

      Consideration 2: Modernize supply chain security

      From new technologies and processes to the possibility that a vendor doesn’t explicitly follow your security protocols, the third-party environment is an ever-fluid threat vector. Depending on the maturity of the vendor, organizations need to do more (institute monthly reviews) or perhaps less (allow more autonomy with quarterly reviews) to help ensure these relationships operate efficiently and adhere to all compliance requirements. Despite the challenges and competing priorities, striving to ensure the supply chain ecosystem is secure should not be a bottleneck; it should be a business enabler.

      Currently, many organizations in the sector are in the early phases of managing cyber risks down to the second tier of the supply chain, but in many cases this process does not continue to the third and fourth tiers. Evolving regulations, such as the EU’s NIS2 Directive, will likely mandate that organizations, as well as their third-party suppliers and vendors, take appropriate measures to manage cybersecurity risks to help prevent or minimize the impact of incidents.

      Consideration 3: Align cybersecurity with organizational resilience

      Energy and natural resources organizations need to continually improve and adapt. Resilience means being better equipped to address an incident quickly, comprehensively, and with minimal or at least controlled business impact. As organizations navigate today’s evolving and volatile cybersecurity landscape, resilience should not be viewed as a series of one-off or intermittent projects. Rather, it should be an adaptive strategy that complements the organization’s cybersecurity agenda, protects customer interests, aligns with business objectives, and focuses on delivering long-term value.

      With ongoing global instability, critical infrastructure will remain a popular target. The energy sector has historical experience in operational resilience, but leadership must shift thinking toward holistic resilience, including cybersecurity.

      Real-world cybersecurity in energy
      The energy sector, in general, has been a frequent target of cyberattacks because of its criticality and connections to other industries.

      For example, a recent attack on a pipeline caused significant disruption across multiple industries, resulting in shortages, price increases and supply chain disruptions. The attack also led to operational shutdowns and service interruptions in other industries that rely on the affected infrastructure, such as the airline sector, because a significant portion of jet fuel was supplied by the pipeline.

      The incident highlighted the vulnerability of critical infrastructure and raised concerns about the overall resilience of the energy sector. As a result, many companies were pressured to increase their cybersecurity investments and ramp up vulnerability assessments and penetration tests to identify weaknesses and patch any security gaps.

      Many critical infrastructure companies have also established or strengthened Security Operations Centers (SOCs) and Cybersecurity Incident Response Teams (CIRTs) to monitor and respond to potential security incidents, minimize damage and restore operations promptly.

      Energy and natural resources companies are encouraged to take a multi-layered approach to managing cybersecurity, combining technology, training, response capabilities, information sharing and resiliency plans.

      While we were writing these cyber considerations, it became clear that AI is emerging earlier and more forcefully than anticipated. This technology presents both opportunities and threats for the energy and natural resources sector, which will be explored in greater detail in a separate article.

      Top priorities for security professionals

      • Ensure strong cyber governance and risk management.
      • Maintain an asset inventory covering both IT and OT, so that critical assets can be monitored, controlled and secured.
      • Build cyber resilience: document, train, prepare, evaluate, continuously improve.
      • Implement a supply chain/third-party risk management program.
      • Welcome innovation, and test and adopt new technologies where appropriate.
      • Use regulatory requirements as an opportunity to improve cybersecurity.
      • Think differently; be open to new ideas, strategies, and operational tactics.

      How this connects to what KPMG professionals do

      In addition to assessing your cybersecurity program and ensuring it aligns with your business priorities, KPMG professionals can help energy and natural resources companies develop advanced digital solutions, advise on the implementation and monitoring of ongoing risks and help design the appropriate response to cyber incidents.

      KPMG professionals are adept at applying cutting-edge thinking to this sector’s most pressing cybersecurity needs and developing custom strategies that are fit for purpose. With secure and trusted technology, KPMG professionals offer a broad array of solutions, including cyber cloud assessments, privacy automation, third-party security optimization, AI security, and managed detection and response.

      Contact us

      Sammy Ahmed, Partner, Head of Energy & Natural Resources, KPMG Middle East

      Siebe Butter, Partner, Energy, Natural Resources & Chemicals, KPMG in Saudi Arabia

      Ton Diemont, Partner, Head of Cybersecurity & Data Privacy, KPMG in Saudi Arabia

      Hossain Alshedoki, Director, Global Internet of Things and Operational Technology Lead, KPMG in Saudi Arabia