The energy sector’s increasing security needs

The deteriorating security environment has changed the energy sector’s risk profile, and security needs are increasing. The Russian attack on Ukraine and the EU’s sanctions have turned energy from a self-evident commodity to a limited resource. Europe is potentially facing a cold winter and a recession. In the US, the oil price is a transformational force. Also, the US has a lower influence on, e.g., Saudi Arabia than before, and the domestic shale oil industry is slow to respond to a surge of demand they consider temporary. The energy crises of the ’70s showed us how fundamental an impact this sector has on our lives.

For half a century, the developed world has assumed energy is a somewhat accessible and stable commodity. It’s a regulated industry but hasn’t received the IT security scrutiny that finance and healthcare have. Adverse actors will find the energy sector a compelling hybrid war target. Moreover, energy companies are also benefiting from the price increases. There’s a strong self-interest in investing in security, and free cash flow makes it possible.

The difference between compliance and security

Security and compliance are often the shared responsibility of one team. More compliance may mean less security. The energy sector is likely to see authorities stepping up their oversight. Parallel industries that have been through this balancing act can provide valuable learnings and insights.

Compliance means following the minimum standards, often set by a regulatory body. Compliant doesn’t necessarily mean good, outstanding, or even adequate for real-world purposes. Secondly, compliance is granular. One company can comply with a standard, and another can be compliant and certified by a trusted third party. All of these mean benchmarking against a set of minimum standards.

Security comes in shades of grey. No organization or system is entirely secure, which makes security a frustrating topic to deal with. You can invest every last dollar on security and still be breached. Security investment is like having a military. No matter how much you invest, an attack is possible. Knowing the threats and benchmarks helps in making intelligent decisions. Unlike in compliance, there’s no set standard in cybersecurity.

Sometimes compliance and security clash. Compliance requirements evolve slowly and may be slow to respond to real-world threats. An hour spent on compliance is an hour away from security. Finally, a barely compliant system is predictable from an attacker’s perspective.

The drivers behind compliance and security vary by industry

The healthcare industry holds vast amounts of PHI (personal healthcare information). The industry is highly regulated, as the general public and politicians alike can relate to the leaks. For some reason, very few people are concerned about compromised privacy when it comes to, e.g., mobile phones. It feels more personal if your bloodwork results are leaked than your real-time location data.

The general public is less concerned about breaches of financial institutions. The government guarantees savings, so why should I care? The finance industry has experienced tightening PII (personally identifiable information) regulations through the crises. The most progressive financial institutions go well beyond compliance out of self-interest. Being exposed to cyberattacks is a terrible business.

The energy sector frequents the ‘top targeted attack candidate’ lists. Some of the most elaborate cyber breaches, such as Stuxnet, show the sector is in the interest of even the nation-state actors. The general public pays much less attention to energy sector risks than health care or banking. The change is coming and fast.

Tapping into parallel industries to solve the security needs of the energy industry

Cybersecurity Ventures reports that there are 3.5 million unfilled cybersecurity jobs worldwide. Entering this field of scarceness as a relative newcomer won’t make it easier for many energy sector players. Naturally, many skilled and capable security professionals work in the energy sector. Responding to increased security threats, management requirements, and political pressure may seem daunting. How can you change the game after years of stable operations and possibly underinvestment?

Our recommendation to tackle the increasing security needs of the energy sector is to look into parallel industries for best practices. Building a secure front-end with a great user experience is a transferable skill. Moving the back-end from on-prem to private cloud to public cloud to poly cloud is a well-trodden path. For energy sector insiders, the complexity and number of players in the ecosystem may feel unique. Integration requirements and data exchange are happening in other industries with a comparable level of complexity.

The shared security model

We all know that the internet wasn’t built to be secure. If we could roll back time, life would be easier. We also know that security can’t be an add-on but has to be designed for any system from the beginning. But how does one approach this monumental challenge amidst all the change?

The public cloud providers, such as AWS, GCS, Azure, and Salesforce, follow a shared responsibility model. The cloud provider is responsible for the platform’s security, which is a massive load off your shoulders. You are free to focus on building secure applications on that platform.

In the real world, you don’t usually run complex operations on a single platform. You may follow a poly cloud approach, leveraging the strengths of various cloud providers. If you don’t, your supply chain and the rest of the ecosystem will take you to the multi-cloud complexity in any case. So besides building secure applications, you want to secure the perimeter around those applications and the lifecycle of building / transferring business logic to them.

The layered security approach

Cybersecurity products, solutions, and services are no substitute for building secure applications. Similarly, building secure applications doesn’t negate the need for cybersecurity solutions. Both are elements in a layered security model.

Think about a medieval castle, like the one in King Arthur’s days or Game of Thrones. They had watchmen to warn about approaching danger. The officers would send cavalry to keep the battle on neutral ground and help the rest of the castle prepare. The drawbridge and moat kept the enemy at bay, while the walls and turrets provided an elevated upper basis. The infantry, with their swords, were the last line of defense.

The layered security model is still going strong, even though the crossbow has given way to the MITRE ATTACK framework. The NIST framework classifies the layers of cybersecurity as Identify, Protect, Detect, Respond and Recover. Both the models tell the same story: even the most robust solutions have security gaps, and even the best organizations must work hard to stay secure. Building secure applications is your puzzle to solve, but you don’t have to solve it alone.

How can A-CX help with the security needs of the energy sector?

You don’t have to be a specialist if you have the right partner. A-CX focuses on building secure applications that provide a great user experience. We’re helping some of the most demanding customers to operate in highly regulated industries. Avalon CX specializes in building secure back-end and applications, so we’re well positioned to help with the security needs of the energy sector. Our team is highly competent in technology and design. Feel free to reach out to us. We’d be happy to help you secure your future.

Authors

Risto Niva

Business executive with over 25 years of leadership experience in small to huge global companies. Risto has decades of experience leading tech teams of up to 2,000 people. He's an entrepreneur who has successfully founded, scaled, and exited tech companies. At present, he serves as a board member in 8 companies. He lives in Rovaniemi, Arctic Circle.
Mikko Peltola

Mikko, co-founder and COO of A-CX, has a background in driving innovation and building award-winning products and services. With extensive experience at Nokia, Microsoft, and F-Secure, Mikko has leveraged technology to create impactful solutions. Mikko’s career exemplifies a deep understanding of business dynamics and a passion for driving growth.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.
hubspotutk	1 year 24 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-163360610-1	1 minute	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_3BVJ20WL0T	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
VISITOR_INFO1_LIVE	5 months 27 days	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
ppwp_wp_session	30 minutes	No description
raygun4js-userid	never	Description unavailable.
VISITOR_PRIVACY_METADATA	5 months 27 days	Description is currently not available.
_cfuvid	session	Description is currently not available.
_uuid	never	No description available.

The energy sector’s increasing security needs

The difference between compliance and security

The drivers behind compliance and security vary by industry

Tapping into parallel industries to solve the security needs of the energy industry

The shared security model

The layered security approach

How can A-CX help with the security needs of the energy sector?

Authors

Risto Niva

Mikko Peltola

Stay in
the loop

Drop by
and say hi

The difference between compliance and security

The drivers behind compliance and security vary by industry

Tapping into parallel industries to solve the security needs of the energy industry

The shared security model

The layered security approach

How can A-CX help with the security needs of the energy sector?

Authors

Risto Niva

Mikko Peltola

Stay in the loop

Drop by and say hi

Stay in
the loop

Drop by
and say hi