Information sharing about cyberthreats and cybersecurity is a key element of protection for every industry. Malicious attackers share information, and their intended victims also benefit from sharing what they learn about ongoing and potential threats.
But sharing threat and security information is particularly critical for the energy sector for a variety of related reasons. First and foremost, the electrical grid and other energy-related facilities are practically the definition of critical infrastructure. Major disruption or damage to these facilities could cause serious financial and economic dislocations at a minimum, and the potential for catastrophic damage is very real.
The World’s Largest Machine
Adding to the critical nature of energy industry cyberthreats is the nature of potential attacks and attackers. Cyberattacks against firms in other industries are typically launched by criminal groups that are in it for the money. But while energy firms might be threatened by cyber blackmail, attackers are more likely to be aiming at destruction or disruption via acts of cyber terrorism or cyber warfare.
Such attacks can be expected to be both exceptionally sophisticated and dangerous. Moreover, the North American electrical grid in particular is highly interconnected, so much so that it has been characterized as the world’s largest machine, as noted by InsideCounsel. Any disruption of this system can propagate through the grid almost instantaneously, without regard to which organizations own or operate the facilities where the initial disruption occurs.
These concerns have existed within the energy industry and government cybersecurity organizations for some years. As early as the 1990s, the Clinton administration issued directives that led to the formation of the North American Electric Reliability Corporation (NERC), a public-private partnership organization tasked with safeguarding the electrical grid. This agency then established a Critical Infrastructure Protection (CIP) program.
But the looming Internet of Things (IoT) promises to greatly magnify the challenge of protecting energy infrastructure from cyberattacks. As facilities and their components go increasingly online, their vulnerabilities increase, as well — as does the need for protective information sharing.
Information Sharing in a Regulated Environment
The energy sector is also highly regulated, complicating the process of information sharing among energy firms and other relevant players. On the one hand, firms must provide certain types of information to regulatory agencies as a matter of compliance. On the other hand, rules originally designed to prevent financial collusion may restrain firms from sharing specific data.
The result is a complex legal environment. Thus, InsideCounsel advised energy firms that are planning on information sharing to consider possible implications for legal liability, as well as the potential consequences of divulging information to competitors or the public.
In short, cybersecurity information sharing in the energy industry is both critical and complicated — and growing more so in both respects. And it is not only a concern for the energy industry itself. As cyberthreats grow more sophisticated and the world becomes increasingly interconnected, the security and communication concerns of the energy industry are pointing toward the future of cybersecurity for all industries.