Cybersecurity in the Energy Sector: Managing Risk, Complexity, and Resilience in a Digitally Connected Era

As the energy sector undergoes rapid digital transformation, cybersecurity has shifted from a technical afterthought to a strategic imperative. During the session “Cybersecurity in the Energy Industry: Protecting Critical Infrastructure in a Connected Era,” held at IIoT World Energy Day 2025, a panel of experts explored how the convergence of IT and OT, the expansion of digital supply chains, and the rise of AI are reshaping how the industry approaches cyber risk.

The evolving nature of supply chain risk

One of the most pressing concerns addressed by the panel was the increased complexity of the energy sector’s supply chains. While supply chain risk is not a new issue, recent years have forced a re-evaluation of how it’s managed. Companies now realize that vulnerabilities can originate not just from their primary vendors but deep within second-, third-, or even fourth-tier suppliers. Software supply chain attacks, such as those seen in the SolarWinds incident, have underscored just how damaging these hidden dependencies can be.

This growing awareness has led to more rigorous vendor vetting, greater emphasis on digital identity management, and stronger monitoring throughout the lifecycle of systems and devices. Importantly, this awareness is no longer limited to security teams; regulators, executives, and policy-makers are now demanding greater transparency and accountability in how supply chain risks are assessed and mitigated.

Legacy infrastructure meets modern threats

Despite growing awareness, the energy industry continues to operate on infrastructure that is decades old. These legacy systems, many of which were designed before cybersecurity was a consideration, present a persistent challenge. Replacing them is often impractical due to cost, downtime, and operational dependencies.

The panel emphasized the importance of practical solutions that focus on risk reduction rather than wholesale replacement. Network segmentation, limited access privileges, and robust monitoring remain some of the most effective tools for securing outdated systems. These measures are widely known but inconsistently applied. Panelists noted that the industry does not necessarily need more innovation in this area, but more consistent implementation of known best practices.

Artificial intelligence is changing both offense and defense

AI is becoming a double-edged sword in energy cybersecurity. On one hand, it offers new tools for anomaly detection, predictive analytics, and real-time threat response. On the other, malicious actors are leveraging AI to scale attacks, identify vulnerabilities more efficiently, and launch sophisticated phishing and data exfiltration campaigns.

Panelists noted a worrying trend: attackers are using AI not just to automate traditional attack methods but to aggregate stolen data and weaponize it in new ways. This includes using AI to simulate legitimate communication, breach authentication systems, or even generate synthetic identities. This development signals a shift in attack vectors and calls for more advanced and adaptive defenses on the OT side, not just IT.

Shifting from compliance to risk-based security strategies

Historically, electric utilities have operated under rigid regulatory frameworks. These have been valuable in setting minimum standards, but many panelists argued that they fall short in today’s dynamic threat environment. Rather than focusing on checklist-based compliance, organizations should adopt a risk-based approach to cybersecurity.

A risk-based model allows organizations to tailor their security investments to the systems and processes that pose the greatest risk to operations, safety, or financial stability. This shift also enables more dynamic decision-making, where responses to threats can be adapted in real time rather than limited to regulatory timelines and static controls.

Redefining trust in a zero-trust world

One of the key takeaways from the panel was the need to redefine the concept of trust in critical infrastructure. In the past, once a device or user was granted access to a network, it was assumed to be safe. This model has proven unsustainable in today’s environment.

A zero-trust architecture assumes that no device, user, or network component should be automatically trusted, even if it exists within the perimeter. Every device must have a verifiable identity, and access privileges must be tightly controlled, monitored, and regularly audited. This level of control is particularly important in OT environments where the consequences of a breach can include not just data loss, but physical damage, environmental harm, or loss of life.

Talent and team-building: Beyond the cybersecurity “superstar”

Another issue raised during the discussion was the persistent shortage of cybersecurity professionals, particularly those with OT experience. Rather than continuing to search for rare “unicorn” candidates who understand both OT systems and modern cybersecurity, panelists advocated for building multidisciplinary teams from within. That means upskilling existing staff in IT, engineering, and controls systems to work collaboratively on OT security challenges.

Mission-driven recruitment, purpose-based work culture, and internal development were highlighted as key components of a sustainable cybersecurity workforce. Panelists noted that effective OT security doesn’t rely on individual heroes but on building resilient, collaborative teams supported by leadership and aligned with organizational goals.

Communicating cybersecurity’s value without relying on fear

While fear-based messaging has long been a tactic in cybersecurity awareness campaigns, panelists argued that it has diminishing returns. Decision-makers are increasingly desensitized to warnings about catastrophic attacks. Instead, education, relevance, and alignment with business objectives were cited as more effective communication strategies.

Linking cybersecurity investments to business continuity, operational efficiency, and long-term risk reduction resonates more effectively with executives and board members. At the same time, organizations need to ensure that security teams have the support, resources, and visibility to be integrated into strategic decision-making.

The importance of secure-by-design principles

Looking to the future, panelists emphasized the need to shift from reactive security measures to proactive, secure-by-design architectures. Rather than bolting on security after systems are deployed, it should be embedded from the earliest stages of engineering and design. This includes applying identity management, encryption, access control, and anomaly detection at the device and control system level.

Secure-by-design also means building systems that are resilient to failure, where isolated breaches do not lead to cascading disruptions. This resilience-first mindset draws on lessons from industries like healthcare and aerospace, where system integrity and safety have long been guiding principles.

While technological solutions continue to evolve, the core message from the panel was that the energy industry must focus on execution, collaboration, and strategic alignment. Whether through basic segmentation, identity management, or secure system design, consistent application of known practices will deliver more value than chasing the latest tools.

The path forward also includes increased collaboration between industries, greater cross-pollination of ideas globally, and more effective coordination between private companies and government entities. Cybersecurity in the energy sector is not just a technical issue—it is a matter of operational continuity, national security, and public safety.