Heimdal

In May 2023, hackers struck 22 Danish energy companies simultaneously.

The coordinated attack breached Denmark’s critical infrastructure in just days, potentially linked to Russia’s Sandworm group.

Attackers exploited firewall vulnerabilities with surgical precision, forcing energy companies to disconnect from the national grid and operate in emergency “island mode.”

This attack reveals how cyber threats have evolved from isolated breaches to sophisticated operations that can cripple entire sectors at once.

The consequences of cyberattacks against energy and utilities companies are more severe than in any other sector. Breaches can cause enormous damage not only to customers and critical infrastructure, but also to all the other industries that rely on stable energy supplies.

At Heimdal, we work with numerous small, medium and large energy and utilities companies, and have first-hand experience of helping the sector improve its stance against cyber threats. 

In this guide, you’ll get a complete overview of:

  • Why cyber criminals are targeting critical infrastructure
  • Security risks facing the industry
  • Regulations pushing the sector to improve
  • Recent examples of breaches
  • How to improve cybersecurity in energy and utilities

Critical infrastructure is a tempting target for cyber attacks

According to the International Energy Agency (IEA), the energy and utilities sector is one of the most targeted industries in the world – with only finance, healthcare and governments facing more attacks. 

In 2023 alone, 90% of the world’s largest energy firms are reported to have suffered cyber breaches. And analysis suggests that attacks against the sector have grown dramatically since around 2020. 

So, why are cyber criminals targeting energy and utilities businesses? There are a few key reasons.

Ransoms: Many cyber gangs are financially motivated.

Since energy and utilities companies need 24/7 access to critical systems, criminals know there’s a good chance they can extract ransoms from their victims. It’s reported that 43% of energy and utilities firms pay ransoms, making the sector the third most likely to pay up. 

And, according to the World Economic Forum, energy sector cyber victims pay almost double the average in ransoms. 

Valuable data: Energy firms hold very sensitive data on their customers – including card details, addresses and behavioural patterns.

Once stolen, this can be sold on to other criminals for the purposes of fraud. 

Geopolitical motives: Perhaps more than any other sector, energy and utilities firms are a target for state-sponsored cyber attacks – and there have been numerous high-profile examples of this over the years. 

Sometimes, the purpose is espionage – stealing secrets or gathering data about industrial activity.

Other times, cyber attacks are designed to intentionally harm civilians (think, turning off power in the middle of winter).

In times of war, we’ve seen examples of hybrid attacks against critical infrastructure – missiles being launched at energy facilities while hackers try to lock staff out of OT systems, thereby harming energy security. 


Cybersecurity challenges for the energy and utilities sector

Securing an energy or utilities company’s technology platforms is often very challenging.

The way these companies operate, and the kinds of technology they use, mean that following high security standards is very complex. 

Here are some of the most common cybersecurity challenges facing the utilities and energy sector.

Rapid increase in connected technology

Energy and utilities sector companies are increasingly using internet-connected technologies to operate everything from pipelines to customer accounts to industrial control systems.

In the past, these would be managed physically, while operational technology solutions were never internet-connected. 

Today, however, firms in the energy and utilities sector are connecting many more of their OT/IT systems, customer accounts and cloud-based business applications.

This digital transformation can be a boon for efficiency and customer service. But it also expands the attack surface massively. 

Remote operations

Energy and utilities sector businesses tend to have a very high number of operatives out in the field.

They might be inspecting infrastructure, installing equipment at customer homes/offices or repairing faults at substations.

These operatives regularly use mobile devices, laptops and other connected equipment. However, these are sometimes easier to hack into than desktop IT/OT computers in your head office. 

Smart meters and IoT

One of the biggest developments in the utilities and energy sector of recent years has been the rollout of smart meters to customers. These devices monitor customer energy usage and relay this sensitive data back to your billing departments second by second. 

At the same time, we’ve seen a boom in internet-connected sensors monitoring everything from leaks in water pipes to fuel levels in pipelines and more. These devices are brilliant for efficiency. But, again, they hugely expand the attack surface. 

Reliance on long supply chains

Most energy and utilities sector firms rely on vast, international supply chains. If any of your suppliers falls victim to a cyber attack, it can be very damaging to your firm too.

The most obvious effects of an attack on your suppliers would be a delay in receiving critical commodities, parts or energy. This could have serious knock-on effects for your operations. 

But another, potentially more significant, risk would be supply chain cyber attacks.

If cyber criminals are able to put malicious code into a piece of software or hardware built by one of your suppliers that then connects to your systems, they could use this as a ‘backdoor’ into your environment. 


Challenges to better cybersecurity in the utilities and energy sector

Our industry has many years’ experience in protecting our critical infrastructure from environmental events and physical attacks. But cyber is a relatively new risk and now we need to review and enhance those protocols with new practices and strategies to address the new digital threat.

Rosa Kariger, global cyber security director at Iberdrola.

As the above interview quote highlights, energy and utilities sector firms need to modernise their approach to cybersecurity – in the same way they’ve learnt to adapt to other threats over time. 

However, there are several obstacles that prevent energy and utilities firms from fully addressing the cyber threat. 

Poor resourcing

According to the IEA, most energy and utilities companies rely on external consultants for security, and relatively few have deep in-house expertise.

What is more, they tend to pay cybersecurity professionals lower salaries than other sectors, and there’s evidence that most take a reactive approach to hiring security personnel.

Lack of cyber security culture

Experts at the World Economic Forum have argued that many energy and utilities firms still don’t view cyber risks as relevant to them. Often, there’s minimal buy-in from senior executives.  

Inadequate approach

A surprisingly high proportion of energy and utilities businesses have weak approaches to security.

According to a 2023 study, 27% of energy and utilities businesses had weak cybersecurity management, while only 18% had very strong cybersecurity management programmes. Shockingly, 13% still had no cybersecurity programme at all. 

Regulation is forcing energy and utilities to improve cybersecurity

In recent years, national governments and regional blocs have become increasingly aware of the risks of poor cybersecurity in energy and utilities firms.

As a result, various regulations have come into effect which require them to do more to protect critical infrastructure. Here are some key examples:

  • Europe – NIS 2 Directive: The EU’s NIS 2 Directive aims to improve energy security by forcing all energy operators in the EU to enhance their risk management processes, report on any incidents, and coordinate with governments and other energy companies. 
  • North America – NERC CIP: These regulations, which cover most of continental North America, set standards for all energy operators in the continent’s power system.
  • India – CEA Cyber Security Regulations: These rules (when they come into effect) will require any operator in the country’s power sector to submit to cybersecurity audits, develop incident response frameworks, and employ CISOs. 

Recent cyberattacks against energy and utilities firms

Ever since the infamous Stuxnet attacks in 2010 that disrupted industrial systems, energy and utilities firms have faced continual cyberattacks. 

Here are some of the most notable attacks of the past few years:

  • USA – Colonial Pipeline (2021): This ransomware attack forced Colonial Pipeline to shut down operations, causing widespread fuel shortages and panic buying across the southeastern United States.
  • Colombia – Empresas Públicas de Medellín (2022): A ransomware attack against this major public utility encrypted servers and caused major disruption to customer support and payments. 
  • Ukraine – Power substation attack (2022): A sabotage cyberattack on a power substation damaged energy infrastructure, caused a massive blackout and affected hundreds of thousands of civilians.


How can energy and utilities firms improve cyber resilience?

At Heimdal, we’ve helped major energy and utilities firms like VINCI, NRGi and Kungälv Energi to implement powerful security solutions that have made their defences harder and deeper. 

Through our work, we’ve learned there’s no one-size-fits-all approach to cybersecurity at energy and utilities firms. In more cyber mature businesses, SOC teams are often looking for a specific tool to counter a certain kind of threat.

In other organisations, a more wholesale transformation is required. 

Wherever you are on your energy firm’s cybersecurity journey, the following cybersecurity considerations can help improve your posture:

Comprehensive technology audit

It’s vital for energy companies to carry out a complete audit of their technology systems. This includes legacy systems like SCADA, all your productivity apps and business tools, cloud storage, mobile devices, IoT sensors, field equipment and beyond. You need to map out all technologies your company uses.

Risk assessment

What are the cyber risks facing your energy or utilities business? The most obvious dangers come from cyber criminals and state-backed hacking groups. But don’t underestimate risks from hacktivists, former employees or even competitors.

Gap analysis

You next need to conduct a security gap analysis. How are your technology systems protected? How often do they get updated? Who has access, and how do you control this? By asking these kinds of questions, you can identify possible weak points.

Supplier audit

We would also strongly recommend auditing any companies that supply you – directly and indirectly. This is particularly important if they provide any kind of digital technologies that will plug into your systems. What security standards do they comply with? How are their systems patched, how often, and by whom?

Harden your perimeter

Deploy modern security solutions around all your technology systems, including network security, next-gen antivirus, firewall and anti-ransomware solutions.

Endpoint detection and response (EDR)

EDR is a security technology that monitors all your devices (PCs, laptops, smartphones, tablets and IoT) and software systems for suspicious activity.

So, even if a hacker has bypassed your outer layers of defence, they can still be caught inside your systems.

Patch management

Publishers of all kinds of IT (and many OT) systems will periodically release patches whenever they discover vulnerabilities in their products’ code. You therefore need to install these patches as soon as they are released. 

Zero trust

This is a security model that is based on the notion that you should ‘never trust, always verify’.

Every time someone wants to log into your environments, view files they don’t usually use, or trigger a process, they should verify their identity. This can be done with multi-factor authentication, which requires them to prove who they are. 

Education, training and culture change

One of the biggest challenges for cybersecurity in energy and utilities is culture around IT risk.

Despite the number of well-publicised attacks in recent years, many employees and senior executives continue to see cyber threats as not their problem.

It’s crucial for energy and utilities firms to train staff, share best practice and advocate for better security at the highest levels. 

Energy and utilities cybersecurity risk: nothing new

For decades, energy and utilities businesses have managed risk.

Whether it’s people physically stealing fuel from pipelines, storms knocking out pylons, or health and safety hazards facing field workers, the industry has successfully grappled with many kinds of danger, theft and safety issues. 

Cybersecurity is no different. 

As cyber criminals increasingly target the energy and utilities sector, companies will need to adapt.

The good news?

Firms have already shown they can do this successfully when dealing with other kinds of threat. And, there are now highly effective solutions that can manage risks around cybersecurity in energy and utilities. 

Heimdal is a global cybersecurity solutions provider. We have developed a unique unified cybersecurity platform which allows you to connect a wide range of cybersecurity tools to our single, central hub.

So, whether you just need a patch management tool or an email fraud prevention solution – or a comprehensive suite of cybersecurity apps – we provide a single, secure, and easy to use solution for your needs.
