greenbutterfly/Getty Images

The Power of Cyber Risk in the Energy Sector

Aug. 26, 2022
The significant breadth of the critical infrastructure supply chain means exceptionally high risks to daily operations.

The more complex an industry’s supply chain, the higher the level of business risk it faces. Risk needs to be considered at every level, with every vendor and collaboration partner as a potential cause of operational disruption. Risk reduction isn’t just about transactions or disaster recovery; it’s a critical component of doing business. If a single player faces a cyber threat, it could cause a domino effect, significantly impacting everyone further up the chain.

The energy sector encompasses a significant chain of inputs and delivery systems that transform raw energy into usable energy, ranging from commodity extraction (coal/oil/gas) or collection (solar, heat) to transportation, and from hardware and software network services to the end users of that energy. Renewable energy is similar, but with significantly more risk, as manual extraction processes have been completely eliminated and highly networked infrastructure is in place. Please bear in mind that each time the phrase “and their entire supply chain” appears, it represents myriad points of vulnerability.

Utilities are exceptionally well versed in their own cyber risks but may not have any idea about the cyber risks among these varied suppliers. They have their own controls but aren’t looking toward the threats that are external to their organizations.

Furthermore, a single disruption across any one of these steps can have an amplified effect, with the potential to disrupt the lives of millions of people. While this appears to be an exaggeration, it really isn’t. Consider: if a security breach takes down the transportation system and prevents the delivery of raw material to the energy generating station, millions could briefly go without power. The interconnected grid allows the energy company to immediately buy power from its nearest energy generating “neighbors,” but this comes at a significant cost to the utility, and this cost must be calculated within the costs of the risk.

In early 2022, a cyberattack on the major European oil refining hubs of Amsterdam-Rotterdam-Antwerp (ARA) disrupted transfer of refined oil, further compounding the effect of the energy crisis.

Consider the Colonial Pipeline attack in May of 2021 — not only did Colonial have significant losses, but also major fuel retailers had major hits to their bottom lines, as they had no gasoline to sell.

The C-level leadership, as well as the risk, compliance, and governance officers, need to be able to quantify business risk across their suppliers, subsidiaries, and partners. With clear insights, they will be able to directly address their own business risk and develop risk tolerance KPIs. They will have the information for benchmarking, allowing them to instigate audits, establish incentives, or even renegotiate agreements within the supply chain, and so to manage and mediate risk across their entire corporate ecosystem.

Recently, the World Economic Forum’s Cyber Resilience in the Oil and Gas Community invited 60+ cyber leaders to build a framework to strengthen cyber resilience across the entire gas and oil sector.

By benchmarking their cyber risk against their corporate peers, individual sectors, and geographic regions, they will get a clearer picture and be able to make more real-world calculations. An energy company that discovers that it is in quite a good position when it comes to cyber risk is open to further business opportunities as well. For example, a regional player that transfers power during times of high demand must calculate additional risk and rewards as compared to its nearest power-generating utilities if that “neighbor” is attacked during one of those high-demand times.

Some may dismiss supply chain threats as something that only manufacturers need to worry about, but if all the reports in the news have taught us anything, it is that these threats imperil any business with critical dependencies.

Roy Peretz is VP of Product Management of Opora, www.opora.io, which focuses on tracking, assessing, monitoring, and identifying new threats within an organization’s entire business ecosystem. 
