Strengthening cybersecurity in the energy sector


Cybersecurity incidents lead to elevated focus


Energy cybersecurity risks and mitigation strategies are rising in importance as the sector has faced more disruptive cyber incidents, including a halting of supplies. As such, while the key elements to a successful cyber incident response haven’t changed much over the years, a new regulatory development creates an enforcement imperative to improve response capabilities for energy companies and others considered critical to U.S. infrastructure. Indeed, without thorough preparation, a company may not be in a position to even report an incident to the federal government within the time frames prescribed within the Consolidations Appropriations Act of 2022, enacted last March.


The law promotes cyber resilience by requiring that covered entities in critical infrastructure sectors that reasonably believe that they have experienced a “covered cyber incident” file a report with the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of such an incident. Disclosure to the federal government of a ransomware payment is required within 24 hours of the payment. Supplemental reports to CISA are also required, in the event that the covered entity becomes aware of substantially new or different information.


None of these disclosures are possible without a carefully constructed plan for responding to a cyber incident and repeated tabletop exercises, whereby an organization learns how to implement that plan, according to participants in a data breach panel at Grant Thornton’s recent Energy Symposium.


Although final regulations have yet to be written, it’s expected that the vast majority of energy companies will be considered part of the critical infrastructure sector. Johnny Lee, Forensic Technology National Practice Leader at Grant Thornton, said reporting in this short time frame will be impossible for organizations that don’t have a comprehensive cyber incident response program that has been practiced repeatedly.


Mike Pankey headshots

“Over the last several years there has been an increase in board oversight and transparency requirements, and this is definitely continuing into 2023.”

Mike Pankey

Grant Thornton Senior Manager, Risk Advisory Services

Without adequate preventative strategies, the energy industry is vulnerable to increasing cyber incidents with significant impact. “It’s just impossible,” Lee said. “If you don’t practice for the bad day before it happens, you will always fall short of these legal requirements.”


Lee said effective cyber incident resilience consists of three elements:

  • Organizational readiness. When cyber incidents are treated as a component of enterprise risk rather than IT phenomena, multidisciplinary teams are brought to bear to practice critical incident response protocols. Expertise from legal, finance, IT, communications and other disciplines need to participate on integrated teams to ensure that these protocols cohere into action in the event of a cyber incident.
  • Cyber insurance coverage. A qualified broker can help an organization choose the right insurance and get the right assistance from the insurance carrier during a cyber incident. Brokers and carriers are among the experts who should be included in planning exercises, Lee said. “Having the broker involved and part of that plan development is a critical component,” said Mike Pankey, Senior Manager, Risk Advisory Services for Grant Thornton.
  • Using niche specialists. To handle a cyber incident, it’s likely that an organization will need niche expertise from specialists such as outside counsel and forensic experts. These specialists will have more experience with incidents than internal personnel, and they need to be incorporated into planning and practice exercises to ensure that knowledge of systems and company practices over time are shared.



Cybersecurity maturing in energy


Companies in the energy sector have improved their cybersecurity substantially over the last few years, according to members of the Grant Thornton panel.


Utilities and transmission and distribution companies tend to be the most secure, as they are highly regulated. But pipeline and extraction and production companies also have significantly advanced their cyber readiness. Mark Thibodeaux, senior legal counsel for natural gas distribution company Enbridge, acknowledges a turning point that came with the ransomware attack on the Colonial Pipeline, creating fuel-supply shortages throughout the southeastern U.S. in May 2021.


“That brought home to a lot of people that a cyber incident can have real-world effects...not just on the company that is specifically attacked, but on everybody that they supply downstream as well,” Thibodeaux said.


Meanwhile, Mark Knepshield, a broker and executive vice president of McGriff Insurance Services, said the frequency and severity of ransomware incidents has decreased since Russia’s invasion of Ukraine. Lee said that’s no surprise, as cybersecurity professionals have long suspected that certain nation and state actors are, at a minimum, insulating cyber criminals from prosecution, if not sanctioning specific criminal activities outright.


This development also contributes to the perception that cybercrime has a twofold purpose of enriching the criminals while destabilizing economies and political environments.


“That sets a whole different tone than some criminal wanting to steal two or three bitcoins from you,” Thibodeaux said.


It also creates a more urgent need for effective cybersecurity, vis-à-vis energy companies and others in critical infrastructure sectors that may be high-value targets for cyber incidents.


Boards recognize these increased risks and are stepping to the plate to improve cyber defenses. Boards are also being pushed into action by regulation. Indeed, the SEC has issued proposals to require that issuers disclose whether any board member has expertise in cybersecurity. “Over the last several years there has been an increase in board oversight and transparency requirements, and this is definitely continuing into 2023,” Pankey said.


New requirements by cybersecurity insurance providers likewise are sparking companies to act. Knepshield said that it is almost impossible for a company that does not have multi-factor authentication to procure cyber insurance. The list of mandatory minimum requirements for underwriters of cyber insurers has grown in recent years. These requirements may include implementing controls such as endpoint detection and response, secure backups and privileged-access management.


Companies are improving their security with these tools, and they are working feverishly to make patches when necessary, according to Knepshield. “There’s been a real advancement in the entire energy industry, I would say, to get there,” Knepshield said, elaborating with “Certain sectors are not where they need to be, but their maturity is getting better. The risks that they’re identifying are a big aspect of that.”

Vet your vendors


As companies shore up their own cyber defenses, third-party vendor security is a risk that should be top of mind for energy companies. A company may have strong controls in place, only to see them bypassed because they gave systems access to a vendor with weak controls and/or poor processes.


Lee said the first step in working with vendors from a cyber defense perspective is to stratify them based on the level of the threat that they represent to your own organization. In other words, your landscaping company presents an eminently lower cyber risk to your enterprise than the vendor that provides your data infrastructure.


Johnny Lee headshots

“It’s about where to place bets. It’s no different from any other sort of business calculus.”

Johnny Lee

Grant Thornton Forensic Technology National Practice Leader

Vendors that are connected to your IT infrastructure, sensitive data, and/or network should be vetted carefully with respect to cybersecurity. A close examination of contracts is required, keeping in mind that:

  • A standard software licensing contract that limits the liability of your provider to fees paid in the last 12 months will likely do little to offset the cost of a highly damaging cyber incident.
  • If your contract with the vendor requires that they carry cybersecurity insurance, it’s likely that this coverage will be capped by a limitation of liability clause that again could leave your company short of any meaningful relief in the event of an incident.
  • An indemnification clause, even if it’s bulletproof in its drafting, won’t help you much if your organization incurs $10 million in costs responding to a cyber incident caused by a vendor whose yearly revenue is $3 million.

“There has to be a really intelligent review of your vendors,” Lee said. “Given the kind of risk that a certain vendor engenders (vis-à-vis broader cybersecurity considerations), they might not be the right fit for your business.”


One helpful strategy for dealing with vendors is requiring them to undergo an outside certification process for their cybersecurity controls. For instance, a SOC 2 or ISO 27001 certification can provide additional assurance that a vendor’s controls meet acceptable standards.


“We have seen clients offer to cover the costs of their vendors in obtaining a third-party review,” Lee said. “If the vendor is that critical to your operations and/or operates in such a niche area, it’s possible that this risk can be addressed in no other way.”

Quick takes


Other advice from the panelists included:

  • Be careful before deciding to pay a ransom. If you pay a person or entity that has been sanctioned by the U.S. government, your organization could be subject to criminal liability. Plus, there’s no guarantee that your system will be restored or your data will be returned after you pay. “Just remember that you’re striking a bargain with a criminal, so don’t be surprised when they don’t deliver on their commitments, which is the case far more often that many organizations believe,” Lee said.
  • Consider your own risks. “It’s about where to place bets,” Lee said. “It’s no different from any other sort of business calculus. If you’re a company in the exploration space, your risks are different — perhaps materially so — as compared to an organization in the transmission space. Your regulatory requirements are different. Your investments are different. Your staff looks different. Your systems look different.” Tailor your approach, investments, plans, and incident response practices accordingly.
  • Inform your insurance broker and carrier quickly if you experience a cyber incident. Failing to follow the terms of the insurance agreement can compromise coverage. “If you don’t follow the terms of the contract, and carrier(s) don’t pre-approve the decisions and/or expenses you’re incurring, it will be challenging to seek carrier support in the process. Then it becomes a tractor pull to get everybody on the same page,” Knepshield said.



Our energy featured industry insights