Security across energy, natural resources, and chemicals (ENRC) companies worldwide is being reshaped by an array of factors, including the expanding role of the Chief Information Security Officer (CISO), the influx of smart/IoT devices, and the imperative to build a resilient culture and network environment, to name just a few. In this complex and interconnected environment, many CISOs within this broad sector are facing unprecedented challenges and opportunities as they seek to spur their workforce to an ever-greater level of digital awareness. To do so, they must assume the role of cyber evangelist, motivating and inspiring the organization, at every level, to move from acknowledgement to action.

The CISO’s role in the ENRC sector is no longer confined to the traditional scope of IT security. Indeed, according to KPMG research, 70 percent of ENRC CEOs agree that cybercrime and cyber insecurity will impact organizational prosperity over the next three years.1 With IT and operational technology (OT) converging, CISOs are now tasked with safeguarding the entire technology ecosystem, from the boardroom to the production floor.

This expanded responsibility demands a new set of skills. CISOs must effectively communicate the business impact of cybersecurity to senior leadership, secure adequate budgets, and drive a culture of resilience throughout the organization. There are signs of positive change in how cybersecurity is becoming more embedded across organizations. In fact, KPMG research has found that, in 59 percent of ENRC organizations, cybersecurity is typically involved from the earliest planning stages of the decision-making process for technology investment and has a high influence.2

Sector-specific challenges add to the complexity of the CISO agenda. The ENRC sector is subject to several intricate regulatory requirements around technology, cybersecurity and the environment, such as NIS2, NERC CIP and the AI Act. Clearly, CISOs must deliver on compliance while also dealing with the specter of geopolitical challenges and growing cyber-attacks, which can have devastating consequences for the organization, its stakeholders, and broader society.

In fact, in April 2024, the North American Electric Reliability Corporation (NERC) said the number of vulnerable US power grid points was increasing at a rate of about 60 per day.3 In Europe, Denmark’s critical infrastructure experienced the largest cyber attack in its history in May 2023, as 22 companies were breached in a matter of days. Some were forced to enter island mode operation by completely disconnecting from the internet.4

To thrive in this environment, CISOs must embrace a proactive and strategic mindset. They need to push vulnerability management back to the business side, so that the owners of a process also own its risk, and lead by emphasizing a risk-based approach: strategic guidance on risks, prioritized by their potential organizational impact. Beyond strategic leadership, a CISO also plays an important role in breaking down the traditional siloes between IT and OT and ensuring these teams work together closely to build enduring resilience.

This report explores cybersecurity considerations for the ENRC sector with insights and actionable recommendations. Although not exhaustive, it covers a range of topics that we believe CISOs in the ENRC sector should prioritize in the current environment.


Key cybersecurity considerations for CISOs


The ever-evolving role of the CISO

Given the heightened regulatory scrutiny and the strategic importance of cybersecurity, CISOs face increased accountability and, in some cases, personal liability risks. There is more pressure than ever to deliver on strong cybersecurity outcomes in organizations. At the same time, traditional CISO functions have become increasingly dispersed. Various aspects of security and privacy now fall under the purview of other business leaders, such as the Chief Security Officer (CSO) for physical security and fraud, IT infrastructure for perimeter security and identity and access management (IAM), and the Chief Data Officer (CDO) for privacy.

With this, the role of the CISO is poised for a profound shift. CISOs must adapt to this new reality by establishing their scope, partnering with other business leaders, and championing a culture of shared accountability. Growing support from organizational leadership for ongoing cybersecurity investment is helpful in this regard. To that end, KPMG research has found that 72 percent of CEOs at ENRC firms said they have increased their investment in cybersecurity to protect operations and intellectual property.5

Ultimately, CISOs need to transition from being the sole guardian of cyber security to becoming the architect of a resilient and agile security framework.

Key challenges

Balancing the new cybersecurity order

CISOs in the ENRC sector are contending with new and uniquely challenging realities, such as the climate crisis and the resulting pressure to improve sustainability and ESG performance, while working with rapidly evolving technology. Moreover, geopolitical tensions, such as the ongoing conflicts in the Middle East and Ukraine, continue to disrupt supply chains and increase the regulatory burden. Indeed, according to KPMG research, supply chain risk is the joint top threat cited by CEOs.6 What's more, KPMG research suggests "tectonic shifts in power, economic centers and trade, along with multiple threats to supply chains, assets and infrastructure" are having a strong impact on ENRC organizations.7

Highly experienced security leaders with a broader range of skills, beyond the merely technical, are required to manage this dynamic risk landscape.

Framing cyberthreats as business risks

CISOs must bridge the gap between the C-suite and technical teams by framing cyber risks as business risks. Strategic thinking, negotiation skills, and strong leadership are key enablers here. With sector-specific challenges such as balancing operational continuity with data and information protection, securing the trust of the board is crucial. Operational continuity typically benefits when cyber measures, such as regular patching and appropriate controls, are well-planned and efficiently implemented. Striking a balance between security investments and valuable outcomes helps the board see how this dynamic leads to better security and business risk mitigation.

Regulatory challenges

CISOs face intense scrutiny from regulators to ensure their cybersecurity programs are effective and resilient. Although individual legal liability varies by jurisdiction, there is increasing top-down pressure as regulations, notably the U.S. SEC's rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, which took effect in late 2023, place accountability for cyber risk oversight and timely incident disclosure squarely on boards and senior management.8

Role distribution in converging environments

The convergence of IT and OT blurs traditional role boundaries, requiring CISOs to have both technical and strategic expertise. Clear distinctions between operations and security are crucial to avoid gaps and ensure secure digitalization strategies.

Key opportunities

Bringing cybersecurity to the board – CISOs can position themselves as strategic partners with crucial board access and influence on business goals. Since CISOs are usually not board members, clear and direct reporting lines to C-Suite executives can enable regular communication with the board.

Breaking team siloes – Encouraging collaboration between security and operational teams allows the CISO to take a leading role. Integrating domains like physical security, compliance, privacy, and operations creates a holistic approach to risk management. This alignment supports business objectives and enhances resilience by bridging technical and operational gaps.

CISOs in the energy sector must balance the urgent need for sustainability transitions with the need to safeguard critical infrastructure. This is particularly crucial as many continue to explore solutions such as AI-powered predictive maintenance, advanced energy storage solutions, and smart grids. Integrating these technologies incrementally alongside legacy systems, with each step assessed before the next, helps ensure both short- and long-term operational continuity.

As these AI-enabled applications proliferate, CISOs must carefully weigh the advantages of innovation against potential security risks. Aligning the adoption of emerging technologies with business objectives, and using data-driven assessments to quantify risks and justify investments, helps secure stakeholder buy-in and ensures the sustainability of the cybersecurity program.


Smart security for smart ecosystems

The rapid proliferation of smart devices and the Internet of Things (IoT) has transformed the modern power grid into a vast, interconnected network of sensors and software that requires a fundamental shift in how CISOs at ENRC companies approach the security of digital devices. For example, smart sensors, meters, and grids—which often have limited security features—can be accessible entry points to legacy operational technology systems, greatly expanding the potential attack surface.

The security approach required for these devices is vastly different from the methods used just a decade ago. CISOs must now consider the entire lifecycle of these smart products, from design and development to deployment and maintenance. Security strategies need to consider the broader supply chain and ecosystem in which these devices operate.

With the introduction of regulations and standards such as NIS2, the Cyber Resilience Act (CRA), the AI Act, and ISA/IEC 62443, CISOs across the ENRC sector need to comply with new requirements while contending with their operational impact. Additionally, geopolitical trends, such as those mentioned above and the rise of state-aligned hacktivist groups, continue to affect the security of digital products and expand the attack surface for critical infrastructure. CISOs need to be prepared for these dynamics and adapt their strategies accordingly.

Key challenges

Data management and privacy

Smart devices in the ENRC sector generate vast datasets for critical functions like predictive maintenance and energy optimization. These devices often lack baseline security controls, and weak authentication and encryption are common, which increases the potential for breaches, unauthorized access, and data manipulation, along with privacy risks and compliance challenges.

Interoperability and integration between legacy systems and smart products

Many ENRC organizations use legacy systems not designed for internet connectivity or integration with modern smart technologies. This creates security gaps when these systems are retrofitted with IoT devices and smart products. The integration of renewable energy technologies adds complexity and increases cybersecurity vulnerabilities.

Secure lifecycle and third parties

Ensuring the security and resilience of connected devices like smart meters and grid sensors throughout their lifecycle is crucial. The energy sector's dependence on a vast supply chain adds risks since vulnerabilities in third-party products can compromise entire systems.

Key opportunities

Data gathering and efficiency – Widespread adoption of smart products can enhance efficiency, service, and reliability. Greater quantities of data can be gathered, analyzed, and utilized to benefit operations and customers.

Prediction, maintenance and demand forecasting – IoT sensors can be used to analyze real-time operational data and monitor equipment to detect issues early. This can reduce downtime and maintenance costs while extending asset life. For demand forecasting, smart technologies analyze patterns and trends to optimize resource allocation, grid management, and renewable energy integration for reliable supply-demand balance.

Regulatory opportunities – Regulations like NIS2 and the CRA are enhancing cybersecurity for smart devices by mandating stricter security standards, risk assessments, and compliance. They'll drive secure-by-design principles and supply chain integrity. Devices in critical operations, such as smart grids and industrial IoT, must meet rigorous standards for secure communication, patching, and incident response.

ENRC organizations are proactively embracing smart technologies to drive improvements in efficiency, sustainability, and operational reliability. These include blockchain and Web3 technologies to enable decentralized energy systems and facilitate peer-to-peer energy trading. Grid operators are making strategic investments in smart grid technologies, deploying advanced sensors, real-time data analytics, and demand response systems to optimize energy distribution and seamlessly integrate renewable sources.

Moreover, energy-efficient buildings are making use of smart sensors, IoT devices, and advanced insulation to minimize energy consumption, reduce reliance on fossil fuels, and curb carbon emissions. These cutting-edge technologies empower utilities and consumers with enhanced control over energy use, resulting in improved power grid operations and reduced costs.


Resilience by design: Cybersecurity for businesses and society

The increasing reliance on IoT and OT systems, coupled with the growing sophistication of cyber threats targeting industrial control systems, means that CISOs responsible for critical infrastructure and resources at ENRC companies face multiple challenges. The potential for large-scale disruption, putting both human lives and data at risk, is a sobering reality. Moreover, heightened regulatory scrutiny on the security and resilience of critical infrastructure has added another layer of complexity to an already daunting task.

With threats to ENRC infrastructure, such as breaches to SCADA systems, grid attacks, and pipeline disruptions, the operational continuity of the sector is heavily challenged. To maintain resilience, CISOs must implement cyber security strategies that focus on preventing disruptions and ensuring rapid recovery in the event of an incident. This includes real-time monitoring, attack surface management, incident response planning, and championing a resilience-first culture across teams.

The evolving regulatory landscape, particularly NIS2 and NERC CIP, reinforces the need for strong cybersecurity practices to safeguard both physical and digital assets. By prioritizing resilience, ENRC organizations can reduce vulnerabilities and remain operationally sound in the face of sophisticated cyber threats.

Through this posture, CISOs can position themselves as strategic business enablers whose work makes organizations not only more resilient but also competitive.

Key challenges

Digital transformation risks

The drive towards digital transformation by connecting old OT systems to online networks is exposing often insecure legacy systems to internet-based threats. Additionally, the deployment of IoT devices in energy systems, from smart meters to remote sensors in offshore wind farms and power grids, is expanding the attack surface significantly. These devices often lack strong security measures and are vulnerable to exploitation by attackers. The interconnectivity also risks cascading failures, making containment of incidents more challenging. 

Renewable energy infrastructure vulnerabilities

Many parts of renewable energy infrastructure are exposed because they carry a digital interface for remote monitoring and control, frequently reachable over public networks. Incorporating Wi-Fi-enabled IoT devices adds a further wireless entry point to that exposure.

Complex and evolving resilience regulations

The lack of harmonized regional and international cybersecurity standards makes compliance challenging for ENRC organizations, especially as critical infrastructure providers. For multinational companies, navigating conflicting or overlapping regulations across jurisdictions adds to the complexity. Noncompliance risks hefty fines, reputational damage, and increased scrutiny.

Key opportunities

Real-time monitoring – Using advanced threat detection tools, such as Security Information and Event Management (SIEM) systems and intrusion detection/prevention systems will be critical. The use of ML/AI to recognize and predict malicious behavior can enable quicker identification and response to cyber threats in both IT and OT environments. 
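As an added example (not part of the KPMG report), the following Python shows the kind of correlation logic a SIEM rule or IDS signature would express at an IT/OT boundary: flag IT-zone hosts reaching OT hosts on ICS ports, and flag Modbus write operations from any host that is not an approved engineering workstation. The log format, zones, addresses and allowlist are constructed assumptions for illustration.

```python
"""
Added example: two IT/OT boundary detection rules run over constructed
flow-log lines. Log format, network zones, hosts and the engineering
allowlist are assumptions for this illustration, not real deployment data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed zones (constructed): corporate IT network and a PLC segment.
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")
OT_ZONE = ipaddress.ip_network("192.168.50.0/24")

# Assumed engineering workstations allowed to write to controllers.
ENGINEERING_ALLOWLIST = {"192.168.50.10"}

# Well-known ICS ports: Modbus/TCP, DNP3, EtherNet/IP.
ICS_PORTS = {502, 20000, 44818}

# Modbus function codes that change controller state (writes).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    func: Optional[int]  # Modbus function code when proto == "modbus"


def parse_line(line: str) -> Flow:
    """Parse the constructed format: 'ts src dst dport proto [func=N]'."""
    parts = line.split()
    ts, src, dst, dport, proto = parts[:5]
    func = None
    for extra in parts[5:]:
        key, _, val = extra.partition("=")
        if key == "func":
            func = int(val)
    return Flow(ts, src, dst, int(dport), proto, func)


def evaluate(flow: Flow) -> List[str]:
    """Apply both rules to one flow and return the alerts it raises."""
    alerts = []
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1: a corporate IT host talking directly to the OT segment on
    # an ICS protocol port bypasses the expected jump host / DMZ path.
    if src in IT_ZONE and dst in OT_ZONE and flow.dport in ICS_PORTS:
        alerts.append(f"IT->OT ICS access {flow.src}->{flow.dst}:{flow.dport}")
    # Rule 2: a Modbus write (coil/register change) from anything other
    # than an approved engineering workstation is unexpected, wherever
    # the source sits.
    if (flow.proto == "modbus" and flow.func in MODBUS_WRITE_FUNCS
            and flow.src not in ENGINEERING_ALLOWLIST):
        alerts.append(
            f"unauthorised Modbus write func={flow.func} "
            f"from {flow.src} to {flow.dst}")
    return alerts


def run(lines) -> List[str]:
    """Evaluate every non-empty, non-comment log line; return all alerts."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        alerts.extend(evaluate(parse_line(line)))
    return alerts


# Constructed sample log: an engineering workstation doing a normal read
# and write, then an IT host poking a PLC, then an unknown OT host writing.
SAMPLE_LOG = """
2025-03-01T08:00:01Z 192.168.50.10 192.168.50.21 502 modbus func=3
2025-03-01T08:00:05Z 192.168.50.10 192.168.50.21 502 modbus func=16
2025-03-01T08:01:12Z 10.10.4.7 192.168.50.21 502 modbus func=6
2025-03-01T08:02:30Z 10.10.4.7 192.168.50.22 20000 dnp3
2025-03-01T08:03:00Z 192.168.50.33 192.168.50.21 502 modbus func=5
""".strip().splitlines()

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The first two lines (an approved workstation reading, then writing) raise nothing; the IT host raises both rules on its Modbus write and rule 1 again on its DNP3 probe; the unknown OT host raises only rule 2, which is the case a pure zone-boundary rule would miss.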

Regulatory developments – Regulations like the NIS2 Directive require sector cooperation and third-party risk management. They require organizations to be in control of supply chain risks, making it imperative to monitor the cybersecurity posture of key suppliers. Sharing threat intelligence and collaborating with other companies and governmental agencies can help energy companies stay ahead of emerging cyber threats. Establishing partnerships with trusted cybersecurity vendors helps with rapid response and incident support. 

Cybersecurity awareness and crisis simulations - Modern cyber resilience training options include virtual reality (VR) for immersive crisis simulations, AI-driven adaptive scenarios for personalized learning, and gamified platforms to engage and train employees and operators in interactive incident response exercises. This can improve response and resilience capabilities.

ENRC organizations, as critical infrastructure, should adopt new technologies carefully. 

Explore the value of cyber risk insurance – As the threat landscape expands, organizations should take the time to understand the risks and exposures cyber insurance may cover. Companies can seek to recover losses related to third-party outages and reduce their impact through rate reductions, insurance or litigation.


Real-world cybersecurity in ENRC

Proactively identifying risks and developing the capability to recover rapidly from significant cyber incidents remains an area of focus for CISOs in the sector.

Challenge

A KPMG firm was tasked with enhancing a client's capability to recover from a worst-case cyber scenario and developing a tool to help them re-evaluate their most business-critical applications. The primary objective was to provide the client, an energy distributor, with an extensive playbook featuring detailed processes, procedures, and step-by-step instructions to follow in the event of a complete loss of IT capability. Additionally, the client needed a method for identifying their most critical business processes.

Response

Collaborating with key global business stakeholders, the KPMG team worked to gain a deep understanding of the client's existing internal recovery processes. Leveraging KPMG's industry knowledge and experience, the team meticulously populated the playbook with actionable steps for the client to recover their IT systems from zero.

Furthermore, KPMG designed and developed a tool that enabled the client to reclassify their business-critical applications. Over time, the criteria for identifying these applications had become outdated, leading to the misclassification of several non-critical applications as business critical. The tool assessed various types of data collected in business impact analyses (BIAs) and allowed the client to re-order the criticality of their applications.
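The following Python is an added illustration of the reclassification idea, not the tool KPMG built for the client. It scores each application from constructed BIA fields (RTO, RPO, hourly loss, safety impact) and then propagates criticality along dependencies, so an unglamorous upstream service inherits the tier of the most critical process that depends on it, while applications that were labelled critical years ago but no longer justify it drop down. Applications, weights and tier thresholds are assumptions for the example.

```python
"""
Added example (not the KPMG tool): BIA-driven application criticality
scoring with dependency propagation. The scoring weights, tiers and the
sample application inventory are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class App:
    name: str
    rto_hours: float        # recovery time objective from the BIA
    rpo_hours: float        # recovery point objective from the BIA
    hourly_loss: float      # estimated financial loss per hour of outage
    safety_impact: bool     # outage can endanger people or supply
    legacy_tier: str        # tier currently recorded (possibly outdated)
    depends_on: List[str] = field(default_factory=list)  # upstream apps


def intrinsic_score(app: App) -> int:
    """Score 0..100 from the app's own BIA data (weights are assumptions)."""
    score = 0
    # Shorter tolerable outage -> higher score.
    if app.rto_hours <= 4:
        score += 40
    elif app.rto_hours <= 24:
        score += 25
    elif app.rto_hours <= 72:
        score += 10
    # Less tolerable data loss -> higher score.
    if app.rpo_hours <= 1:
        score += 15
    elif app.rpo_hours <= 24:
        score += 8
    # Financial impact bands.
    if app.hourly_loss >= 100_000:
        score += 25
    elif app.hourly_loss >= 10_000:
        score += 15
    elif app.hourly_loss >= 1_000:
        score += 5
    if app.safety_impact:
        score += 20
    return score


def tier_for(score: int) -> str:
    if score >= 70:
        return "critical"
    if score >= 40:
        return "important"
    return "standard"


def effective_scores(apps: Dict[str, App]) -> Dict[str, int]:
    """An app scores at least as high as anything that depends on it."""
    dependants = {name: set() for name in apps}
    for app in apps.values():
        for upstream in app.depends_on:
            if upstream not in apps:
                raise KeyError(f"{app.name} depends on unknown app {upstream}")
            dependants[upstream].add(app.name)
    memo: Dict[str, int] = {}
    visiting = set()

    def eff(name: str) -> int:
        if name in memo:
            return memo[name]
        if name in visiting:
            # A cycle means the BIA data itself is inconsistent; surface it.
            raise ValueError(f"dependency cycle at {name}")
        visiting.add(name)
        score = intrinsic_score(apps[name])
        for d in dependants[name]:
            score = max(score, eff(d))
        visiting.remove(name)
        memo[name] = score
        return score

    return {name: eff(name) for name in apps}


def reclassify(apps: List[App]) -> List[dict]:
    """Return one row per app, highest effective criticality first."""
    by_name = {a.name: a for a in apps}
    eff = effective_scores(by_name)
    rows = []
    for a in apps:
        new_tier = tier_for(eff[a.name])
        rows.append({"app": a.name, "intrinsic": intrinsic_score(a),
                     "effective": eff[a.name], "tier": new_tier,
                     "legacy_tier": a.legacy_tier,
                     "changed": new_tier != a.legacy_tier})
    rows.sort(key=lambda r: (-r["effective"], r["app"]))
    return rows


# Constructed inventory for an energy distributor (illustrative only).
SAMPLE_APPS = [
    App("OutageMgmt", 2, 1, 50_000, True, "critical",
        depends_on=["IdentityService", "GISMaps"]),
    App("CustomerPortal", 24, 24, 5_000, False, "critical",
        depends_on=["IdentityService"]),
    App("IdentityService", 48, 24, 500, False, "standard"),
    App("GISMaps", 8, 4, 20_000, False, "important"),
    App("IntranetWiki", 168, 48, 100, False, "critical"),
]

if __name__ == "__main__":
    for row in reclassify(SAMPLE_APPS):
        flag = "*" if row["changed"] else " "
        print(f"{flag} {row['app']:16} intrinsic={row['intrinsic']:3} "
              f"effective={row['effective']:3} {row['legacy_tier']} -> {row['tier']}")
```

On the sample data the identity service, recorded as "standard", becomes critical because outage management cannot run without it, while the customer portal and the intranet wiki lose the "critical" label they no longer earn on their own BIA figures. A cyclic dependency in the inventory is reported as an error rather than silently scored.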

Benefit

Through this engagement the client was able to implement processes aimed at reducing downtime and business loss in the event of a total IT capability loss. Additionally, the client gained a clearer understanding of the criticality of their business applications and processes, ensuring better preparedness and resilience against cyber threats.


Given the extensive supply chains and interconnected IT and OT systems, security needs to remain top of mind. Rapid adoption without the right guardrails can increase vulnerabilities, making organizations targets for cyberattacks. However, ENRC organizations clearly are becoming better prepared. They are using AI and machine learning for predictive maintenance and threat detection, blockchain for secure transactions, high-performance computing and IoT for real-time monitoring, and secure-by-design principles for increased security. Additionally, cloud security solutions and centralized cybersecurity governance can help manage and secure data effectively.



Top priorities for ENRC professionals


Clarifying and strengthening cybersecurity governance when it comes to roles and responsibilities, mandates, and domains.

Breaking down the siloes of IT, security (physical and cyber) and OT teams to understand the complete threat landscape, organizational environments and supply chain, as well as coordinate emergency/incident response capabilities.

Establishing a broad risk management framework for IT and OT with cybersecurity as business risk.

Implementing business continuity and disaster recovery (BCDR) strategies that account for both cybersecurity and physical risks. Testing and exercising these strategies thoroughly with realistic scenarios.

Reviewing insurance policies in relation to third-party outages to determine whether financial impact can be reduced through coverage in business interruption insurance.

How KPMG professionals can help

Our team of experienced professionals is well-equipped to assist CISOs in the ENRC sector as they navigate the complex challenges of the evolving threat landscape. Our deep industry knowledge, combined with our expertise in cybersecurity, enables us to provide tailored approaches that align with your organization's unique business priorities and risk profile. We work closely with CISOs to develop wide-ranging strategies that address the full spectrum of cybersecurity needs, from IT/OT convergence and regulatory compliance to vulnerability management and incident response.

Our advanced methodologies and cutting-edge tools enable us to assess your current cybersecurity posture, identify gaps and vulnerabilities, and develop custom solutions that enhance your resilience and adaptability. At KPMG, we are committed to being your trusted adviser in cybersecurity. We aim to empower you with a strategic approach that drives business value and secures a competitive advantage.

1 KPMG, 2024 CEO Outlook.

2 KPMG, Global tech report 2024.

3 Industrial Cyber, "Critical infrastructure faces 30 percent surge in cyber attacks, KnowBe4 report highlights," August 28, 2024.

4 SektorCERT, "The attack against Danish critical infrastructure," November 2023.

5 KPMG, 2024 CEO Outlook.

6 KPMG, 2024 CEO Outlook.

7 KPMG, "Top Geopolitical Risks 2025," March 31, 2025.

8 U.S. Securities and Exchange Commission, "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure: A Small Entity Compliance Guide," July 26, 2023.


Our people

Ronald Heil

Global Cyber Security Leader for Energy and Natural Resources and Partner

KPMG International
