Last month, a prominent technology company serving the energy industry suffered a significant cyberattack that had everyone from Bloomberg to the U.S. government debating its source, motivation and ramifications. The attack targeted an electronic data interchange (EDI) platform designed to “cut costs and boost speed” and affected dozens of natural gas pipeline and retail energy companies. Vulnerabilities in the platform took these companies’ EDI systems down entirely. The breach compromised the data of millions of people and caused days of unplanned disruption that brought internal operations to a halt.
How does this happen? It’s clear that critical infrastructure is a primary target for both rogue and state-sponsored hackers. The FBI/DHS just issued a joint alert to that effect in February, specifically calling out the energy sector as sitting in the crosshairs of international cyber actors. We know the enormous implications of these types of systems going offline. Knocking out EDI providers doesn’t simply slow down business or cost money; it can prevent people from receiving gas and electricity in their homes. The resulting disruption is inconvenient at best, dangerous at worst, and can snowball into a variety of other issues with effects that only increase over time.
And yet here we are. Why? A large part of the issue comes down to human error. Phishing email is widely reported as the starting point of the great majority of successful attacks (figures above 90 percent are commonly cited), so companies must remember that no one is immune. While it’s important to invest heavily in training and awareness, companies should also make sure their technology platforms both leverage trusted firewalls, anti-virus and anti-phishing protections, and employ security practices that stop phishing before it reaches an inbox: publishing SPF, DKIM and DMARC records so that mail spoofing your domain is rejected by receiving servers, and requiring multi-factor authentication so that a phished password alone is not enough to log in.
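As an added illustration (not code from the original article), the following Python grades the two DNS records that make domain spoofing fail at the receiving mail server: the DMARC policy and the SPF “all” qualifier. It runs on constructed sample records rather than live DNS lookups, so the domain names and mailbox addresses in it are placeholders; a real check would fetch the TXT records with a DNS library and feed them to the same functions.

```python
"""Added example: grade a domain's published email-authentication policy.

Not code from the original article. Parses DMARC and SPF TXT records and
reports whether mail spoofing the domain would be rejected. The records
below are constructed samples, not live DNS data. (DKIM is not checked here
because it needs a per-selector lookup that the sender has to tell you.)
"""
import re

# Constructed sample records, as they would appear in DNS TXT lookups.
SAMPLE_RECORDS = {
    "_dmarc.strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100; adkim=s; aspf=s",
    "strong.example": "v=spf1 include:_spf.mailer.example -all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 a mx ~all",
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_all_qualifier(spf: str) -> str:
    """Return the qualifier on the SPF 'all' mechanism: '-' (fail),
    '~' (softfail), '?' (neutral), '+' (pass), or '' if there is none."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf)
    if not m:
        return ""
    return m.group(1) or "+"


def grade_domain(domain: str, records: dict) -> dict:
    """Grade one domain's DMARC + SPF posture from a dict of TXT records."""
    findings = []
    dmarc = records.get("_dmarc." + domain, "")
    spf = records.get(domain, "")
    tags = parse_tags(dmarc) if dmarc.startswith("v=DMARC1") else {}
    policy = tags.get("p", "")
    pct = tags.get("pct", "100")  # DMARC default: apply policy to 100% of mail

    if not tags:
        findings.append("no DMARC record: receivers will not reject spoofed mail")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam instead of being rejected")
    if tags and pct != "100":
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail stream")
    if tags and "rua" not in tags:
        findings.append("no rua address: no aggregate reports to detect abuse")

    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        q = spf_all_qualifier(spf)
        if q != "-":
            findings.append(f"SPF ends with '{q}all' instead of '-all'")

    return {
        "domain": domain,
        "dmarc_policy": policy or None,
        "enforcing": policy == "reject" and pct == "100",
        "findings": findings,
    }


if __name__ == "__main__":
    for d in ("strong.example", "weak.example"):
        print(grade_domain(d, SAMPLE_RECORDS))
```

The point for a vendor review: ask the provider for its own DMARC record. A platform that sends EDI notifications and invoices from a domain at `p=none` is one whose customers can be phished with mail that looks exactly like the real thing.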
Unfortunately, this is not always the case. Many industry players have suffered from a haphazard approach to technology. In the early days of retail energy, a wide range of tech startups arose to serve the new industry. They focused strongly on marketing to attract energy organizations, centering their efforts on growth and revenue. Unfortunately, some of those tech firms failed to invest in their infrastructure as diligently as they invested in sales. The technology seemed bright and shiny to their customers; meanwhile, they ran an on-premises data center out of a closet. When supporting large-scale, regulated entities that operate under strict watchdogs, that’s not just risky – it’s irresponsible.
To protect themselves from cyberattacks, energy organizations and utilities should choose technology partners that are financially viable and operationally responsible.
Here are five specific things to look for:
1. Choose a mature technology partner. Deregulated retail energy has now been around for more than 20 years. Energy organizations have grown up, and should partner with technology companies that demonstrate the same maturity. That means choosing partners who invest wisely in supporting infrastructure that keeps your data “plumbing” healthy, secure and scalable. It means working with technology vendors that are also fiscally responsible, showing consistent, dependable growth and finances that any board of directors can feel good about.
2. Get proof of compliance. Whether you partner with a provider or build an in-house technology solution, compliance is critical. This includes both industry compliance — complying with state laws and regulations related to the delivery of electricity and natural gas to customers — and technology compliance, such as protecting consumers’ data privacy.
It’s not enough for tech companies to say that they support industry best practices. You need verified, third-party evidence. Attestations like PCI DSS and SOC reports are table stakes for every serious technology provider, but read what you are given. SSAE 16 was superseded by SSAE 18 in 2017, and a SOC 1 Type II report covers controls relevant to your financial reporting, not the security of the platform; for security, availability and confidentiality ask for a SOC 2 Type II report, and check the auditor’s opinion, the scope and any listed exceptions rather than just the cover page. Give bonus points if they undergo annual audits voluntarily and proactively instead of waiting to be audited externally. These qualifications put structure and validation around your approach to regulatory compliance.
3. Take data security seriously. Keeping your data secure requires a multi-faceted approach. The EU’s GDPR is a great baseline to start from. It is a regulation rather than a certification, so there is nothing to “get certified” in; what you can ask a provider for is evidence of how it complies (a data processing agreement, records of processing, breach-notification procedures). It applies to any processing of EU residents’ personal data regardless of where the provider operates, so a U.S. provider with any EU exposure is held to its stringent standards — always a good thing when it comes to data protection.
Look at the tech company’s data center strategy as well. Local data centers, particularly those on-site, can’t compete with the proven, robust security offered by industry leading cloud providers. Amazon Web Services, for instance, provides its users with state-of-the-art security and compliance, including ISO standards, SOC, PCI, HIPAA and more. Companies that build on AWS inherit those protections only for the layers AWS operates: the physical facilities, hardware, hypervisor and managed-service substrate. Under AWS’s shared responsibility model, everything the provider configures itself (identity and access policies, storage bucket permissions, network rules, patching of its own instances, encryption key handling) remains the provider’s job, and a misconfiguration there is not covered by any AWS certificate. So ask how the provider handles its share, not just whose cloud it runs in.
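To make the shared-responsibility point concrete, here is an added example, not the article’s own code and not an AWS tool: a small Python linter that reads an S3 bucket policy in the real IAM policy JSON format and reports Allow statements that grant access to an anonymous principal. The two policies, the bucket name `edi-transfers` and the account ID `123456789012` are constructed samples; the format and the meaning of `Principal: "*"` and `aws:SecureTransport` are as AWS documents them.

```python
"""Added example: lint an S3 bucket policy for anonymous access.

Not code from the original article. AWS's certifications cover the
infrastructure underneath a bucket; a policy that grants access to everyone
is the tenant's own misconfiguration and no inherited SOC or ISO report
prevents it. The policy documents below are constructed samples.
"""
import json

# Constructed: lets anyone on the internet list and read the bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::edi-transfers", "arn:aws:s3:::edi-transfers/*"],
    }],
})

# Constructed: same bucket, read access limited to one trading-partner role,
# plus a Deny that forces TLS for everyone.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PartnerRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/edi-partner"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::edi-transfers/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::edi-transfers", "arn:aws:s3:::edi-transfers/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in most elements; normalise."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy_json: str) -> list:
    """Return (Sid, kind) for each Allow statement with an anonymous principal.

    A Deny with Principal "*" is not public access; it is how you restrict
    everyone. An anonymous Allow that carries a Condition (e.g. aws:SourceIp)
    is still reported, tagged 'conditional', because it needs human review.
    """
    policy = json.loads(policy_json)
    public = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        public.append((sid, "conditional" if stmt.get("Condition") else "unconditional"))
    return public


if __name__ == "__main__":
    print("public policy:", find_public_statements(PUBLIC_POLICY))
    print("restricted policy:", find_public_statements(RESTRICTED_POLICY))
```

In practice you would pull each bucket’s policy with the AWS CLI (`aws s3api get-bucket-policy`) and run it through `find_public_statements`; the same check is what a provider’s own policy review should be doing before you ever sign.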
4. Evaluate internal policies. Cybersecurity should never be a black box. Technology providers should have detailed, explicit data security and business continuity policies that are updated and verified regularly and are easily available and accessible to their clients. Before signing a contract, make sure your tech experts review these policies and discuss any questions or concerns with the potential vendor. Your internal IT team should have full confidence in the security measures of its solution providers before moving forward with deployment.
5. Focus on innovation. An innovative technology partner is a good thing for many reasons, but cybersecurity is at the top of the list. The depth and breadth of cyberattacks continue to evolve at an alarming pace. As a primary target, energy organizations must work with technology providers that are committed to keeping up. A focus on innovation delivers better products and more productive solutions, but may also be the X factor that keeps your data safe.
When it comes to cyberattacks, the experts often say that it’s not if, it’s when. No human is foolproof. That said, energy retailers, utilities, and wholesale gas companies can minimize the likelihood of a breach and maximize their protection by choosing a tech partner that’s mature, proven and dedicated to innovation and security.