article banner

Understanding energy industry cybersecurity risks

rich text with image

Digital computing has become an essential tool for nearly every industry in the U.S. economy, including the energy industry. To protect company data, the need for energy companies to use a robust cybersecurity system has grown as well.

Understanding how data flows into, out of and within your system -- and installing the technology that will manage those reams of data -- can not only enhance your company’s cybersecurity, it can also help the company become more efficient and cost-effective.

“The problem is: There’s so much disruption out there that our clients often come to us and say, ‘We don’t even know where to begin on this,’” said John Stilwell, a principal for Technology Transformation at Grant Thornton. The key elements are cybersecurity, data analytics and data governance.

A fuller discussion of these issues can be found in Grant Thornton’s recent webcast, “Energy Symposium Session: Cybersecurity and Technology Disruption.”

Countering cyberattacks

One only has to read the news to discover how recent data security breaches have plagued the energy industry:

  • A ransomware attack in May shut down Colonial Pipeline, one of the nation’s largest gasoline pipelines.
  • In April, hackers broke into software called “SolarWinds,” spreading a virus that worked its way through private and government computer networks, including U.S. Department of Energy files.
  • An IBM report in February found that energy systems ranked third in the number of cyberattacks they faced in 2020, behind finance and manufacturing. That’s up from ninth in 2019.

Data “is in a constant state of evolution and growth,” said Will Whatton, Grant Thornton, Technology Transformation principal. “You have to have a mindset where you are responsible for your security.”

That isn’t easy in today’s world, where the pandemic has changed the way business is conducted. Workers often operate from remote locations, and companies need to upgrade technology systems to keep up with these workplace changes.

Data classification is an important step toward protecting your company’s information, Whatton said. Proper classification identifies the most valuable resources in an organization and instructs the network’s security system to protect that data and treat it as a company asset. Data is tagged in a way that will identify the degree of access: public, internal only, confidential or restricted.

Some key questions to consider in determining how to classify data in your system include:

  1. What is the business value of the data?
  2. How is the data being used?
  3. How is it stored – on the network or in the cloud?
  4. How is it transmitted into and out of the system?

Understanding how other companies may use company data can help to determine how to structure control, through tactics such as encryption and access restriction, Whatton said. A system also needs to be in place to determine which types of information should be deleted at the appropriate time. To protect against data leakage, monitoring procedures must be established to notify the company immediately when the rules are about to be breached – so transmission is halted before there’s a data leak.

Transition to advanced data analytics

A company that’s using an older information technology system may be missing out on some advantages that a newer system could bring. In addition to enhancing cybersecurity, software tools can do much more than they did in the past in providing business analytics and cost controls, Stilwell said.

In the past, a business decided what it wanted to learn from the data it collected and the IT department or a contracted provider structured the system so that it could answer those questions.

Now, there’s another technique, called the “big data” or “data lake” approach. This involves creating a platform that can capture all sorts of information from a variety of sources – possibly more than a company realizes it can obtain or use. Analysts then curate the data into subject areas that are pertinent to a company and organize them in whatever ways the company wants.

“We help our clients understand what’s going to be the most powerful solution,” Stilwell said.

Strategic visioning is a way to help clients define what they need in each area of the business. “One of our first steps is to ask, ‘Where do you think you really want to be?’ It’s easy to think that you need to give everyone a Ferrari, but in fact, what you need is an F-150 pickup truck in this case and a Honda Civic in another case,” he said. The IT tools need to be flexible so they can provide answers to users with diverse needs, and they should automate and streamline routine procedures such as compliance reports for regulators.

The software vendor has to provide speed and agility, and on top of that, a client must determine if the application will fit the company’s culture and if the program will scale and grow with the company.

“Centralize the analytics but then decentralize how people want to do it. Give people freedom to get to the answer their way. More users will buy in and there will be pervasive use of the analytics system,” Stilwell said.

Strategize for data governance

Many companies are global and their data may flow at different times. Some organizations make acquisitions and need to transfer and merge data. Others may have autonomous business units with diverse needs. For all of them, a master data management system is essential.

“It really drives data trust,” Whatton said. “Ultimately, there has to be a single version of the truth.”

Along with that data governance will come better data analytics, more standardization, greater ability to expand the system when needed, more flexibility to roll with changes in the industry or in the company’s team, and more visibility.

“Ultimately, you are increasing your operational efficiency and are able to arrive at data-driven decisions much, much faster,” he said.

Whatton said data governance is like the U.S. system of government:

  • Like the executive branch, data governance sets policies, procedures, standards and organizational structure.
  • Like the legislative branch, it sets rules on the way data is transitioned from one point in the organization to another.
  • Like the judicial branch, there is monitoring and enforcement of the rules so the system becomes proactive.

On the flip side, if there is no data governance system, any problems that crop up can cripple the entire organization, Stilwell said. And as a company grows or makes acquisitions, the result can be “a mess.”

There can be all sorts of operational inefficiencies: Employees don’t know which customers to call, can’t make the best purchases, are inconsistent from one department to another, or cannot pull together the type of report that will guide the company to make the right decisions.

“There are a lot of missed opportunities to leverage data that will make you stand out in the marketplace,” Stilwell said.

Investing in a technology upgrade may feel like the company is taking a quantum leap, he said – but it is not a quantum leap. “It is a continuous improvement program -- making the initial investment, finding and learning and continuously growing and evolving to make it better,” Stilwell said.


HS_Stilwell_John.JPG John Stilwell
Business Applications
T +1 913 272 2721
HS-Whatton-Will-bw.jpg Will Whatton
T +1 832 476 3639