Cybersecurity for Critical Infrastructure in 2021

Our critical infrastructure is more connected than ever — and that’s a double-edged sword.

Juan Muldoon, Partner, Energize Ventures
April 5, 2021

At Energize Ventures, we believe that software can be a powerful tool driving the transition of energy and sustainable industry. There is an important digital layer that allows electricity grids, transportation networks, data centers, manufacturing plants, and telecommunication providers to operate massive complex systems efficiently. Hardware, software, and advanced data analytics solutions combine to operate and improve the world around us. The way we interact with assets — whether that is wind turbines, substations, assembly robots, or our bank accounts — is digital.

Today, anything that can be optimized through software could also be weaponized through software. Having a strong cybersecurity posture is crucial for critical infrastructure. The unfortunate truth is that our national infrastructure is a major target for adversaries seeking to disrupt our way of life. According to a Ponemon Institute report, three-quarters of energy companies and utilities have experienced at least one recent data breach. McKinsey estimates that while industrial firms spend 7% to 11% of their revenue on IT deployments and maintenance, they spend less than 1% on cybersecurity to protect those investments!

So, how has the industrial cybersecurity landscape changed in the last year?

More Entry Points: The attack surface has changed. Traditionally analog-based industries were forced to accelerate their digital roadmaps in response to the COVID-19 pandemic. Many operations had to become “digital first” to accommodate remote access and control. IT professionals from utilities and power operators who swore they would never buy software as a service are now migrating to hybrid stacks and multi-cloud architectures. This complexity and fragmentation have led to a lack of visibility. The “attack surface” is much broader.

Growth in the Three V’s: Volume, vulnerability, and variety of endpoints. Network complexity leads to vulnerability. Nowadays, connected devices are everywhere. From phones and tablets to sensors, smart meters, and security cameras, the modern industrial floor is full of digital tools. Lightweight IoT devices often ship with weaker security controls and can be used as a back door into networks. Visibility is the first step to improving cybersecurity posture — yet many industrial CISOs today still lack adequate tools to identify and manage the connected devices on their networks.

The Great Convergence: Operations technology (OT) and information technology (IT). The “boundary” is no longer defined by the corporate network as operating assets (wind turbines, manufacturing robots, etc.) and IoT devices make up a majority of the technology surface. In the industrial space, OT assets also tend to be older, longer-lived machines, many of which were not designed with connectivity and digital operations in mind. A decade ago, operational initiatives and purchase decisions were made primarily at the plant-level (including security); today, VPs of IT and CISOs have budget control over enterprise-wide cybersecurity deployments. As modern threats often move horizontally from IT systems to OT systems, solutions must integrate both to adequately protect the network.

How are industrial CISOs and CIOs prioritizing resources in 2021? Industrial cybersecurity teams have shifted budget from “protect” (traditional firewalls, VPNs, etc.) to “assume breach”. After conversations with more than a dozen budget owners in the Energize network, we are focusing our efforts on the following areas:

  • Advanced detection through analytics. Anomaly detection through advanced analytics can help identify threats across the network, especially as attacks move from one surface (IT) to another (OT). Industrial CISOs are adopting state-of-the-art visibility and detection tools like Energize portfolio companies Nozomi Networks and Awake Security.
  • Zero trust: With the shift to remote work and the explosion in devices and applications delivered to multiple endpoints, CISOs have taken a “zero trust” approach (don’t trust anything, verify everything) whereby every endpoint must be authenticated every time it logs on. Zero trust architecture is particularly relevant for distributed assets. Energize portfolio company Zededa is a leader in edge orchestration and security.
  • SaaS security: Even the staunchest proponents of on-premise architectures are now migrating to cloud-based services for operations. Budgets are growing to manage security infrastructure across multi-cloud and hybrid environments. With access to more applications and sensitive information moving to the cloud, security for software as a service helps detect insider threats and manage access and privilege risks.
  • Compliance. Especially in regulated industries, many security teams spend countless hours documenting, reporting, and preparing for audits. Furthermore, there is a growing disconnect between security operations and board-level accountability that we expect will narrow with regulation and investor pressures.
  • Embedded product security. Whether for industrial or consumer use cases, buyers expect devices to be secure endpoints that can be added to existing systems. In practice, however, security is not always designed into new products as it can be costly and time-consuming.
  • Supply chain. The power, manufacturing, and industrial markets have complex supply chains spanning OEMs and systems integrators. Connected devices have several touchpoints for configuration, deployment, and maintenance, and operators rely on third party consultants and in-house field labor. The industry needs secure device lifecycle management tools.
  • Efficient response. Cybersecurity teams in the energy and manufacturing world are often overwhelmed with the volume and complexity of alerts and incidents that must be investigated, remediated, and reported. Security Orchestration, Automation and Response (SOAR) and Endpoint Detection and Response (EDR) tools have risen in popularity as constrained cyber teams adapt to do more with less.

The last few years have shown us the importance of resiliency: preparation, flexibility, and response in the face of unforeseen circumstances. As the energy and industrial sectors continue to digitize, it is crucial for them to maintain strong cybersecurity postures to prevent and withstand potentially catastrophic events. If you are working on these areas, we’d love to be in touch — reach out to kick off the conversation.