Several security and research heavyweights weigh in on the pressing security issues facing the energy sector this year and what can be done about them. Learn what McKinsey, NIST, and FERC have to say about this year’s energy threat climate and which “next steps” matter most.

Maintaining the energy trilemma is a monumental task, especially in today’s threat climate. Providing energy that is sustainable, affordable, and secure has never required more time, more resources, more oversight, and more forward planning. Thankfully, there are some security best practices that, if implemented, will give energy companies the boost they need to feel that at least one of the three elements is safely taken care of.

Drawing from a number of reputable sources – McKinsey, NIST, and FERC – reveals several proposed best practices that have bubbled to the surface in the wake of last year’s threats. Here’s a rundown.

McKinsey: Simplify, cross-train, and digitize

Research and consulting firm McKinsey states that leading companies begin their journey towards future-proof viability by simplifying, staying organizationally agile, and digitizing where it makes sense. This applies not only to operations but to security as well.

In simplification, the trend towards uniform platforms and vendor consolidation counters the effects of inherited tool sprawl. A consolidated vendor approach creates cleaner points of contact for leadership when troubleshooting security strategy, and builds a relationship that lasts long enough for the vendor to provide some real insight.

Organizational agility comes from cross-training your teams (upskilling, reskilling) so that workarounds for the ongoing cyber talent crisis are planned right into your strategy. Align tasks around clear business missions (what’s the next big security goal?) and set aside work on any other project until those are done. Increased threats and decreased resources mean organizations of all sizes need to drill deeper into the means they already have and learn to do more with less.

While this hardly bears repeating, increasing digital capabilities – such as security automation, autonomous detection and response, etc. – will only pay dividends in the future. First, fewer people are on the job doing things manually. Second, the few you still have are used most effectively when trained on best-in-class solutions rather than reinventing the wheel. And last, a little more time, effort, and security budget now (when threats will only trend higher year after year) will earn a massive sigh of relief in a year to come, when advancing ecosystems and emerging threats move even further out of reach of outdated processes alone.

NIST: Governance, supply chain, and measurement

NIST Cybersecurity Framework 2.0 builds off the original, a set of guidelines designed to reduce risks and introduce best practices for detecting and responding to threats when they occur. This new version focuses largely on the following:

Governance

This is a significant addition. For years, the NIST framework comprised the Functions “identify, protect, detect, respond, recover.” Now, “govern” is being added to the mix. Touted as a “cross-cutting Function”, governance plays a part in determining priorities, assessing risks, establishing procedures, and getting clear on roles and responsibilities. The takeaway? More top-down organization is needed to combat ineffective security resource management (in a year when we can afford it the least). This coincides with McKinsey’s first and second points.

Supply chain security

This problem will only grow bigger, and the advice is to get on it now. As global supply chains (and software supply chains) continue to stretch, each with its own myriad of APIs, OS sources, and vendors of their own, management becomes almost unreasonable. Add to that the additional partners connected to smart energy devices, charging stations, renewables, and consumer power-monitoring apps, and the real scope of the problem begins to take shape. NIST affirms that “cybersecurity risks in supply chains and third parties are a top risk across organizations” and that since the addition of supply chain security in the last update, “even more attention has been paid” to building this out. Their advice? A cryptic “Expand coverage of supply chain.” They leave it to companies to battle out the details, but the directive is clear.

FERC: Focus on Insider Threats

The Federal Energy Regulatory Commission (FERC) seeks to address concerns that current energy security standards do not adequately address the risk of insider threat. Hence, it proposed new security requirements for high- and medium-impact bulk electric system (BES) facilities that would require these facilities to “maintain visibility over communications between networked devices.”

Specifically, this translates to directing the North American Electric Reliability Corporation (NERC) to develop new Critical Infrastructure Protection (CIP) standards that take internal threats more fully into account. In the meantime, the hint is clear, and there’s no need for the private sector to wait: find ways to reduce internal risk and consult with outside security agents if necessary.
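One concrete way to “maintain visibility over communications between networked devices” is to learn which device-to-device conversations are normal during a known-good window and then flag anything outside that baseline for review. The following is an added illustration, not code from ITEGRITI, FERC, or NERC; it assumes a network sensor exporting flow records in a simple “timestamp src dst port proto” form, and the sample records, addresses, and device roles are constructed for the example.

```python
"""Baseline-and-deviation monitor for device-to-device traffic.

Added example (not the page's or any regulator's code). Assumes flow records
of the form 'ts src dst dst_port proto' from a network sensor, and a learning
window in which every observed conversation is treated as legitimate.
Conversations outside that baseline in a later window are flagged for review.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated 'ts src dst port proto' record."""
    ts, src, dst, port, proto = line.split()
    return Flow(ts, src, dst, int(port), proto)


def learn_baseline(flows):
    """Map each source device to the set of (dst, port, proto) it normally talks to."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dst_port, f.proto))
    return baseline


def detect_deviations(baseline, flows):
    """Return (flow, reason) pairs for conversations absent from the baseline.

    Two reasons are distinguished so an analyst can triage quickly: a source
    address never seen at all, and a known source opening a new conversation
    (for example, a workstation that normally reaches only the HMI suddenly
    talking Modbus straight to a PLC).
    """
    findings = []
    for f in flows:
        known = baseline.get(f.src)  # .get() does not create entries
        if known is None:
            findings.append((f, "unknown source device"))
        elif (f.dst, f.dst_port, f.proto) not in known:
            findings.append((f, "new conversation for this source"))
    return findings


# Constructed sample data. Roles: 10.0.1.10 HMI, 10.0.1.11 historian,
# 10.0.1.50 engineering workstation, 10.0.2.20/21 PLCs, 10.0.5.77 unknown.
BASELINE_LINES = [
    "2024-01-08T02:00:00 10.0.1.10 10.0.2.20 502 tcp",   # HMI -> PLC (Modbus)
    "2024-01-08T02:05:00 10.0.1.11 10.0.2.20 502 tcp",   # historian -> PLC
    "2024-01-08T02:10:00 10.0.1.50 10.0.1.10 3389 tcp",  # workstation -> HMI (RDP)
    "2024-01-08T02:15:00 10.0.1.10 10.0.2.21 502 tcp",   # HMI -> second PLC
]
WINDOW_LINES = [
    "2024-01-09T03:00:00 10.0.1.10 10.0.2.20 502 tcp",   # expected
    "2024-01-09T03:02:00 10.0.1.50 10.0.2.20 502 tcp",   # workstation straight to PLC
    "2024-01-09T03:04:00 10.0.5.77 10.0.2.21 502 tcp",   # never-seen host
    "2024-01-09T03:06:00 10.0.1.11 10.0.2.20 502 tcp",   # expected
]


def run_example():
    """Learn from the baseline window and return deviations in the later window."""
    baseline = learn_baseline(parse_flow(l) for l in BASELINE_LINES)
    return detect_deviations(baseline, (parse_flow(l) for l in WINDOW_LINES))


if __name__ == "__main__":
    for flow, reason in run_example():
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}: {reason}")
```

The baseline is deliberately keyed on the source device rather than on the whole network, so a workstation that is allowed to reach the HMI is still flagged when it opens a Modbus session directly to a PLC, which is the kind of internal movement the FERC proposal is aimed at making visible. In practice the learning window would be reviewed by the asset owner before being trusted, and the findings would feed an existing alerting pipeline rather than being printed.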

ITEGRITI has deep experience across critical infrastructure cybersecurity programs, compliance, risk, and audit. Contact us today to learn how we can leverage this experience to help you accomplish your cybersecurity goals.
