Is the energy sector prepared for cyber breaches?

• The number of weekly cyberattacks on energy companies has doubled since 2020.A lack of skilled cybersecurity professionals is adding to vulnerabilities in the energy sector.The Forum’s latest Global Security Cybersecurity Outlook offers potential solutions to help close the skills gap.

An instant and endless supply of electricity is taken for granted in many parts of the world. The flick of a switch powers the work and family lives of billions of people. But the energy systems that underpin entire economies are facing “an unprecedented threat” from cyberattacks, according to the International Energy Agency (IEA). The true scale of cyberattacks on critical energy infrastructure is unknown, as some incidents go undetected or are not reported. However, data from the IEA shows a dramatic rise in the targeting of utilities including power, gas and water supplies. The number of weekly cyberattacks rose from 499 in 2022 to 1101 in 2022.

The consequences of a cyberattack on a power grid can be far-reaching. Beyond the loss of the energy supply, attacks can compromise customer data including their names, addresses, banking details and phone numbers.

Industry research shows that utility companies are spending an average of 8% of their total IT budget on cybersecurity – but the number of attacks is outpacing spending. Perhaps the most critical weakness in the digital defences of power companies is a lack of skilled professionals to fill cybersecurity roles. Across global industry as a whole, there are 3.4 million unfilled cybersecurity jobs, according to an analysis by cybersecurity experts Fortinet. This yawning skills gap is undermining efforts to counter cyberattacks.

The IEA suggests power companies lack long-term strategies for hiring cybersecurity specialists and developing digital defence skills in-house. Instead, these companies operate reactively when perceived threat levels increase.

As the chart above shows, job postings for cybersecurity specialists in North America tend to rise sharply following major cyberattack incidents. Despite these recruitment surges, data shows the proportion of cybersecurity security job postings by energy companies is falling behind other industries such as banking and finance. The IEA also reports a salary gap between industries, stating, “available data for the United States, Canada and the United Kingdom suggests salaries offered by power utilities in cybersecurity job postings are among the lowest for the occupation”.

Closing the cybersecurity skills gap

The World Economic Forum’s Global Cybersecurity Outlook 2023 suggests pathways for increasing the talent pool of cybersecurity specialists. One solution is to democratize access to the industry. The report says industry must “expand and promote inclusion and diversity efforts within cyber recruitment. Underrepresented groups in cybersecurity such as women, people of colour and those with informal educations have been continually discouraged from technical careers through societal expectations and perceptions of cybersecurity work culture”. The Forum has launched an initiative to raise c-suite awareness of the cybersecurity talent crisis and its implications, and to define strategies to strengthen the talent pipeline.

Secure power for a more secure world

The war in Ukraine has highlighted the extent to which the global economy is reliant on interconnected energy systems. With digital threats to these networks growing, the IEA is urging companies to adopt digital defence strategies as a core pillar of their operations. “It is essential”, says the IEA, “that every power utility, big or small, includes cybersecurity as a core element of their business strategy and ensures access to in-house cybersecurity professionals and their skills,