
Energy underpins the modern world: it powers data centres, offices, transport, and the supply chains that organisations depend upon. Yet the fact that it is freely accessible to individuals and businesses is often taken for granted. If I had to place a series of bets (outside of who I think will win the Football World Cup) on the next big area of focus for cybersecurity attacks, it would be on the energy sector, which is what makes energy sector cybersecurity so important.

Edward Starkie

Director, GRC | Cyber Risk

estarkie@thomasmurray.com

Physical disruption to supply chains, increased demand from data centres, and geological instability are placing extreme pressure on an industry that is undergoing regulation while looking to transition to new methods of energy generation.

This article explores the signals, the cyber threats, and the steps that organisations, whether core to the energy sector or playing a supporting role, should take to protect themselves and their customers.

How Geopolitical Conflict is Driving Energy Cyber Risk

The escalation of the conflict in the Middle East has produced one of the largest supply disruptions in the history of the global oil market. The disruption to free transit through the Strait of Hormuz has impacted global oil and liquefied natural gas markets. The effects have already been felt and will continue to be felt across the globe, potentially for several years to come.

For businesses, this means operational costs are rising. Energy-intensive organisations, data centres, manufacturers, logistics operators and financial market infrastructure are facing cost increases that were not in the budget assumptions made twelve months ago. Margins are being squeezed at exactly the moment when uncertainty is increasing the demand for investment in technology and operational resilience.

Why Rising Energy Demand Increases Cyber Vulnerability

Exacerbating the reduced availability is the increased consumption of electricity by data centres, with AI identified as the primary driver. For cyber security professionals and risk managers this is worthy of consideration: an electricity grid under pressure is potentially more susceptible to a successful attack. Threat actors understand that targeting a strained system produces a disproportionate effect, so a cyber attack becomes a mechanism for placing added stress on an already stretched system.

Past incidents show this isn’t theoretical. The 2015 and 2016 cyberattacks on the Ukrainian power grid cut electricity to hundreds of thousands of customers, and the 2021 Colonial Pipeline ransomware attack shut down fuel supply across the US East Coast for several days. Both demonstrated that threat actors can launch successful cybersecurity attacks on energy infrastructure, with cascading economic effects felt far beyond the immediate victim. The activity that followed Russia’s 2022 invasion of Ukraine, including attacks on wind farms in Germany, illustrated that geopolitical events translate rapidly into cyber threat activity, regardless of whether an organisation has any direct involvement in the conflict.

A direct attack on an energy producer is not the only way an energy grid could be affected. The perimeter of an organisation now extends to every vendor, partner, and supplier connected to its systems. Supply chain attacks have become an increasingly used attack vector because they allow adversaries to compromise one target and gain access to hundreds or thousands downstream. Organisations that have invested heavily in their own security but have not subjected their supply chains to equivalent scrutiny are running with a false sense of assurance. Extensive and complex supply chains are prevalent in the energy sector. Operational technology vendors, facilities management providers, and utilities themselves are attractive targets precisely because compromising them yields leverage over multiple organisations simultaneously.

Nation-state actors have long used cyber operations as an instrument of geopolitical leverage. What has changed is the directness, the scale, and the willingness to target commercial organisations as proxy victims. Because energy forms part of critical national infrastructure, organisations that support or deliver energy are likely to be considered legitimate targets, whether or not they see themselves that way.

New Energy Technologies, New Attack Surfaces

Organisations are conducting research on an industrial scale, and creating intellectual property (IP), in a race to become the leaders in the new energy landscape as part of the energy transition, whilst new organisations driven by new technologies are being spun up to provide alternative ways of generating energy. Both introduce new risk. New IP increases the attractiveness of an organisation and its industry to attackers, whilst new businesses increase the attack surface of the physical infrastructure.

Smart grid connections, industrial control systems and EV charging networks all require robust controls and oversight to ensure threat actors cannot successfully execute attacks. Traditionally this has been called operational technology (OT): the systems that control physical processes. These systems were once largely isolated from corporate IT networks, but that isolation is largely gone. Digital transformation, remote monitoring, and smart infrastructure have connected OT environments to the same networks, and often the same internet-facing systems, as the rest of the business. In cyber security, a larger attack surface is associated with increased risk.

Tightening Regulation: NIS2, the UK Cyber Bill and Beyond

Regulators globally are expanding the definition of critical infrastructure and tightening the obligations that come with it. NIS2 in Europe has significantly broadened the scope of sectors subject to mandatory security requirements. In the UK, the Cyber Security and Resilience Bill signals a similar direction of travel, supported by the UK Energy Sector Cyber Security Strategy.

The actions of regulators and governments show that the threat landscape has changed, and that voluntary measures have been insufficient. Organisations that are newly in scope, or that have underinvested in compliance programmes and cyber security, face both regulatory exposure and the operational risk that the frameworks are designed to address. Organisations should take note and, more importantly, act.

How Leading Organisations are Managing Energy Cyber Risk

The organisations that are managing these risks well are mapping their dependencies, assessing third-party risk, and integrating geopolitical monitoring into their risk management processes, not as an afterthought but as a standing input. They have invested in detection and response capability proportionate to a threat environment where the adversary may be faster, better resourced, and more persistent than a commercial actor.

In short, they have recognised that geopolitical instability now generates cyber risk in near real-time. A diplomatic incident, a sanctions announcement, or an escalation in a regional conflict can shift the threat landscape within days.

Where to Start?

Energy cyber risk is no longer a future concern; it’s a present one, shaped by geopolitics, demand pressure and an expanding attack surface. Organisations that wait for a direct attack before acting will find themselves reacting to a crisis rather than managing a known risk.

If your organisation operates alongside the energy sector, the priority is clear: map your third-party dependencies, stress-test your incident response, and build geopolitical monitoring into how you assess risk day to day.
