Cyber risk in utilities extends far beyond the control room door, writes Steven Elce, head of cybersecurity at Expleo,. A vulnerability in a supplier environment or an insecure remote connection can now create consequences much closer to core operations.

The drive towards more flexible, data-led energy systems has brought operational technology and enterprise IT into closer contact. This is improving visibility and helping operators manage a more complex energy landscape, but it has also removed many of the boundaries that once contained cyber risk.

For utility leaders, the priority is ensuring resilience has been designed into every connection, from initial system design through to supplier management and recovery planning.

A wider attack surface

For many years, separation did much of the heavy lifting in OT security. Control environments operated with limited external connectivity and predictable data flows. That model is becoming harder to sustain as utilities connect operational systems with enterprise platforms, cloud-based analytics, field devices and supplier services.

A compromised identity service, engineering workstation, data platform or remote-support provider may never touch a control system directly. It may never touch a control system directly, yet can still restrict visibility, slow incident response or hinder the ability to make safe operational changes. In a utility environment, those indirect effects can be just as significant as a direct attack on OT.

That makes the service view as important as the asset view. Utilities need to understand which systems underpin monitoring, engineering activity, asset management and recovery, then identify where disruption could affect safe operation or the integrity of physical assets.

Connectivity should therefore be treated as something to govern, not simply something to enable. Every connection needs a clear operational role and accountable ownership. Controls must also allow teams to isolate a compromised environment without cutting off the visibility or access needed to keep the wider operation running.

Regulation is raising the bar

The regulatory direction is now catching up with the way energy systems are being operated. The UK energy sector’s Cyber Security Strategy sets out a roadmap for improving visibility of cyber risk across the most critical parts of the energy system by the end of 2026, including stronger processes for identifying and prioritising operators where disruption could have the greatest impact.

The strategy recognises that cyber risk is no longer limited to the biggest utility operators. Smaller technology providers, cloud platforms and engineering partners can all play an important role in keeping services running. If one of these suppliers is disrupted or compromised, the impact can reach far beyond that individual organisation.

For utilities, that shifts regulation away from a narrow compliance exercise and towards better operational discipline. System design, supplier assurance and change control all need to reflect the fact that a new platform, remote service or analytics capability can become part of the operational risk picture.

Securing AI adoption

AI can help utilities make better use of operational data, from identifying unusual system behaviour to improving maintenance planning. Its value, however, depends on the quality of the data and the way its outputs are used.

Where AI informs operational decisions, utilities need to be clear about the limits of its role. A recommendation generated from outdated or poorly governed data can create a false sense of confidence, particularly when teams are under pressure to act quickly. Human validation, also referred to as maintaining a human in the loop, remains essential in scenarios where outputs could influence asset maintenance priorities or operational configurations.

Security teams must adhere to consistent discipline. AI tools are required to undergo established change-control and assurance procedures, with access to operational data and systems being strictly defined. Whether these capabilities are procured from a third-party provider or developed internally is also significant: each approach entails distinct responsibilities for supplier assurance and change management that must be thoroughly understood prior to deployment. The objective is to enhance insight while avoiding the creation of new entry points into critical environments.

Resilience by design

Digital transformation programmes should treat cybersecurity as a design constraint from the outset. Before a new platform or data connection goes live, teams should understand the operational process it supports and how that process would continue if the service became unavailable.

A loss of cloud access or supplier support may leave control systems running, while depriving operators of the visibility or diagnostic data needed to manage them safely. Resilience exercises should therefore go beyond the familiar cyber-incident playbook and test how teams work in a degraded state, who takes decisions when information is incomplete and whether critical services can be restored in a controlled sequence.

The measure of a successful digital programme is whether the utility can continue operating safely and recover with control when a critical service is disrupted.

https://expleo.com/global/en/

News Archives – Energy Sustainability Solutions