Sustainability and cybersecurity are rarely mentioned in the same sentence. Sustainability is tangible: on a given day you might see electric vehicles zooming down the street, wind farms dotting the countryside and rain gardens collecting and conserving water. By contrast, nearly all cybersecurity solutions fall into the background of our daily lives. We turn the lights on, browse the internet, make phone calls and use smart thermostats without seeing the vast infrastructure underpinning our technology.
And yet, the infrastructure needed to enable our sustainable future requires far greater levels of cybersecurity than previously managed. Introducing new technology to power and manage the grid has prompted new cybersecurity challenges for energy companies, from utilities to electric vehicle operators. As we continue to reduce our reliance on fossil fuels, we risk becoming more vulnerable if we don’t start associating climate resiliency with cyber resiliency.
The Colonial Pipeline ransomware attack last year and the recent North Korean state-sponsored espionage on U.S. energy providers are just two examples of how disruptive the consequences of cyber-attacks can be to the energy systems we rely on. This means companies driving the energy transition – utilities, power producers, renewable energy companies, suppliers and service providers – have an additional responsibility to prepare for (and mitigate) cybersecurity risks.
Against this backdrop, the energy industry’s rapid transformation has surfaced five unique cybersecurity challenges that I believe SaaS startups are best-equipped to tackle:
The rise of more connected industrial assets and large-scale operating technology (OT) increases the industry’s attack surface. Throughout the U.S., a distributed power grid full of wind farms and rooftop solar is replacing the big central power plants of the past. Every wind, solar and battery project has connected control systems – with more complex protocols – to enable efficient command and control. Unfortunately, anything that can be optimized through software can also be weaponized through software, and many of these assets were not designed for cybersecurity resilience. When power (or oil) flows are involved, even a brief interruption in performance can have drastic social and environmental consequences.
Platform delivering full suite of security and visibility in industrial control systems (ICS) environments across OT and IoT.
- Location: Headquartered in San Francisco; founded in Lugano, Switzerland
- Founded: 2013
- Value proposition: Companies can minimize risk and maximize operational resilience through the exceptional network visibility, threat detection and actionable insights across critical infrastructure that Nozomi Networks* provides.
The energy transition has fully embraced the value that “Internet of Things” (IoT) devices can have in managing energy load, driving industrial operational efficiency and providing a more dynamic energy experience. But when it comes to cybersecurity, IoT (connected devices to enterprise OT networks) is the Achilles’ heel of energy infrastructure due to the unique composition of third-party software, firmware and componentry in any IoT device. Connected devices that have been designed for low cost at the expense of security are now intermingling with OT assets and can open up “backdoor gateways” for energy infrastructure attacks. Seemingly passive devices like your Nest thermostat, printer or an industrial sensor are less protected and may be leveraged to travel up the technology stack and access more critical networks based on the stagnant nature of the device itself – meaning IoT devices regularly sit in a dormant state where only a full system update can help remediate vulnerabilities. IoT devices may go undetected (and unmanaged), and a more fragmented asset environment in the energy transition makes attacks more complicated to detect and respond to. Many energy operators today lack the appropriate visibility required to adequately defend these complex networks.
Platform automating product security across the software supply chain lifecycle.
- Location: Fully remote organization; founded in Columbus, OH
- Founded: 2017
- Value proposition: Defenders need a way to easily, continuously and accurately assess embedded system risk. Finite State* empowers organizations to gain control of product security for their connected devices and supply chains, providing continuous visibility into connected product risk across the software supply chain lifecycle.
As the energy transition landscape has shifted to more decentralized projects, even faraway locations require secure (and often remote) asset management. Furthermore, an increasing number of subcontractors are engaging with assets as the energy and utility industries undergo a massive labor shift amidst a broader lack of cybersecurity talent. This movement is pushing operators to leverage subcontractors to meet the new scale and reach of projects. Our identity and access management needs quickly escalate when allowing more third parties to engage with our future critical infrastructure, highlighting the necessity of proper Layers of Protection analysis. A substantial number of cyber breaches occur due to human error or mismanagement.
Framework for identity and access management for distributed systems.
- Location: Palo Alto, CA
- Founded: 2016
- Value proposition: Today’s utilities and renewable power operators have millions of digital systems, such as smart meters, controllers and sensors, deployed across thousands of square miles. Xage enables operators to deliver remote access to their devices on an auditable basis with security enforcement ensured.
Given the critical nature of energy access and stability, companies driving the energy transition will be subject to increasing regulatory pressures. Cybersecurity compliance and awareness are becoming board-level conversations for energy companies, and assessing and ranking critical assets to meet regulatory standards will be top of mind for CISOs, CTOs and CIOs. Energy companies will need tools to remove siloed standards of operation and provide the transparency needed to meet regulations and avoid the social and environmental damage caused by compromised security infrastructure.
Platform streamlining regulatory compliance for critical infrastructure.
- Location: Chicago, IL
- Founded: 2014
- Value proposition: Network Perception’s platform can help electric utilities save time and resources when assessing and managing their compliance with the complex network access requirements and audit processes.
The energy industry has a cyber “target” on its back. Service interruptions can have wide-ranging, immediate and damaging impact – and many companies are so underprepared that the energy transition has been an easy mark for ransomware attacks worldwide. Many energy transition CISOs are shifting strategies from “prevent attack” to “prepare for breach”, and rapid detection and response tools are needed to limit the impact of ransomware and denial-of-service attacks.
Anti-ransomware engine using AI models to prevent attacks for enterprises.
- Location: Austin, TX
- Founded: 2017
- Value proposition: The cost of responding to and recovering from a ransomware attack is significantly higher than the cost of preventing one. With Halcyon, enterprises can identify, mitigate and prevent potential ransomware activity.
Given the energy transition’s reliance on digital technology, Energize believes ensuring an appropriate cybersecurity posture will always be necessary to reach our decarbonization goals. We cannot credibly deploy billions of dollars of renewable infrastructure to secure our energy future while leaving the “digital front (or back) door” open to malicious attacks.