Juan Echeverry

Decentralization, digitalization, increased automation and the rise of distributed assets – from EV charging to grid-edge intelligence – are reshaping how energy is produced, stored and consumed. However, as the ecosystem expands, so does its exposure to cyber criminals and other bad actors. With the Iran War now exacerbating the twin threats posed by ongoing geopolitical tensions and complex supply chains, energy companies must be ready to address increasingly sophisticated cyber-attacks targeting both IT and operational technology (OT) environments.

The ENISA Threat Landscape 2025, published last October, shines a harsh light on this reality.1 Europe’s energy sector remains one of the region’s most attacked critical infrastructures, with bad actors focusing heavily on OT compromise, supply-chain infiltration and cross-border operational interdependencies.  

This aligns with research published in December 2023 by SecurityScorecard, which found that no less than 90% of the largest global energy companies had experienced a third-party breach over the previous 12 months.2

At the same time, AI-enhanced phishing and social-engineering techniques are making attacks harder to detect, increasing the speed and scale at which adversaries can operate.

Across the sector, a range of risks consistently emerge as the most material to operations, regulation and safety.

Operational technology/industrial control systems security challenges. The OT and industrial control systems (ICS) underpinning power generation, transmission and grid stability rely on legacy technologies and proprietary protocols and have extremely low downtime tolerances. This makes them difficult to secure using traditional IT approaches, and while frameworks such as IEC 62443 provide direction, many organizations remain early in their OT security maturity journey.

Supply chain and third-party risk. Threat actors increasingly target suppliers, integrators and service providers as an alternative path into energy operators. Third-party vulnerabilities can quickly become operator-level exposures, extending risk far beyond direct system boundaries.

Cloud adoption and data security. Energy transition, prosumers, EV infrastructure and IoT devices all generate dramatically more data. Cloud platforms provide the scale required to process this data but introduce new identity, access and configuration risks, particularly where data flows across IT and OT environments.

Cyber hygiene and fragmented responsibility. Decentralized decision-making and siloed tooling create inconsistent control coverage. Gaps in configuration, monitoring and governance undermine resilience and slow effective detection and response.

Increasing regulatory demands. Compliance obligations continue to expand, and consistent implementation across IT and OT remains challenging. Key obligations include the EU's NIS2 Directive, GDPR and national critical-infrastructure regimes such as the UK NCSC Cyber Assessment Framework (CAF), alongside standards such as ISO 27001, sector-specific trading requirements and the requirements of the UK Cyber Security and Resilience Bill being rolled out this year.

Talent shortages. The scarcity of OT-aware cybersecurity specialists continues to constrain internal capability: only 20% of electric utilities feel confident in their cybersecurity workforce, according to the report "Cybersecurity Hiring in the Utilities Sector: 2025 Navigating the Talent Shortage in Energy, Water, and Critical Infrastructure".

Insider threats. Employees, contractors and partners with trusted access pose risks ranging from unintentional error to deliberate sabotage, particularly in environments where controls differ across physical and digital assets.

Artificial intelligence. Generative AI and now agentic AI are increasingly acting as force multipliers across these risks, enabling bad actors to rapidly scale reconnaissance, run highly convincing social-engineering campaigns and automate elements of the attack lifecycle. Cybersecurity risk is accordingly becoming faster-moving, more interconnected and more sensitive to how AI tools and platforms are integrated and governed within the energy and utilities space, placing an ever-greater onus on maintaining data quality, identity controls and system integrity.


A strategic framework for strengthening energy cybersecurity 

To respond effectively, energy organizations must build resilience across three interconnected dimensions: people & governance, secure processes & resilience, and technology & tooling. 

Together, these align with frameworks such as NIST CSF and IEC 62443 and with Zero Trust architecture principles, embedding security directly into operational and business outcomes.

1. People & governance: creating the conditions for consistent, scalable security

Strong governance is the foundation of a mature security organization. Leading energy companies must establish a clearly defined Target Operating Model (TOM) that unifies security responsibilities across IT and OT and ensures accountability is aligned to business priorities. Given persistent talent shortages, many organizations adopt a hybrid capability model – combining internal teams with external specialists who bring deep expertise in security architecture, OT environments, cloud security and regulatory alignment.

2. Secure processes & resilience: embedding security into the way work gets done

Even well-funded security programs struggle without coherent processes. Energy organizations are increasingly adopting DevSecOps and security-by-design practices to improve consistency and reduce risk.

  • DevSecOps and shift-left security – embedding security early in the lifecycle reduces remediation cost and improves delivery outcomes. Effective shift-left security includes:
    • Threat modeling during design
    • Secure coding practices and automated scanning
    • Dependency and container analysis
    • Monitoring and observability
    • Security guardrails embedded into pipelines.
  • Infrastructure as Code and Policy as Code – IaC and PaC turn written standards into executable, version-controlled controls that are evaluated automatically before change is deployed, ensuring consistent enforcement across cloud, hybrid and on-premises environments.
  • Supply chain and vendor assurance – supply-chain complexity requires structured oversight, including:
    • Rigorous vendor security assessments
    • Contractual security requirements aligned to recognized standards
    • Continuous vulnerability monitoring
    • Cross-functional governance (e.g. supply-chain risk committees)
    • Clear lifecycle management for legacy systems.
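The following Python is an added illustration of the pipeline guardrail and policy-as-code points above; it is not Capco's code or any product's policy engine. It evaluates two hypothetical policies against a constructed plan document laid out in the `planned_values.root_module.resources` shape that `terraform show -json` emits. The OT zone CIDR, the ICS port list, the resource names and the sample plan itself are assumptions made for the example; the point it shows is that a segmentation standard ("ICS protocol ports are reachable only from the OT zone") can be expressed as a function that fails a deployment, including the easily missed case where a rule sets protocol `-1` (all traffic) rather than naming the port.

```python
"""Minimal policy-as-code gate over a Terraform-style plan (added example)."""
import ipaddress
import json
from dataclasses import dataclass

# Assumed OT zone for the example (IEC 62443-style zone/conduit thinking):
# only sources inside it may reach ICS protocol ports. Hypothetical CIDR.
OT_ZONE = ipaddress.ip_network("10.10.0.0/16")
# Well-known ICS protocol ports: Modbus/TCP, DNP3, EtherNet/IP.
OT_PORTS = {502, 20000, 44818}

# Constructed sample plan (not a real environment): two buckets, three
# security groups. Shape follows `terraform show -json` planned_values.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.telemetry", "type": "aws_s3_bucket",
     "values": {"bucket": "telemetry", "acl": "public-read"}},
    {"address": "aws_s3_bucket.billing", "type": "aws_s3_bucket",
     "values": {"bucket": "billing", "acl": "private"}},
    {"address": "aws_security_group.scada", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 502, "to_port": 502,
                             "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_security_group.plc_access", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 502, "to_port": 502,
                             "protocol": "tcp", "cidr_blocks": ["10.10.5.0/24"]}]}},
    {"address": "aws_security_group.jump", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 0, "to_port": 0,
                             "protocol": "-1", "cidr_blocks": ["192.168.1.0/24"]}]}},
]}}})


@dataclass(frozen=True)
class Violation:
    policy: str
    address: str
    detail: str


def load_resources(plan_json: str) -> list[dict]:
    """Flatten the planned resources out of a Terraform-style plan document."""
    plan = json.loads(plan_json)
    return plan.get("planned_values", {}).get("root_module", {}).get("resources", [])


def no_public_buckets(res: dict) -> list[str]:
    """Policy: object-storage buckets must not carry a public ACL."""
    if res["type"] != "aws_s3_bucket":
        return []
    acl = res["values"].get("acl", "private")
    return [f"bucket acl is {acl!r}"] if acl.startswith("public") else []


def _port_span(rule: dict) -> tuple[str, int, int]:
    """Return (label, low, high); protocol -1 means every port, whatever from/to say."""
    if str(rule.get("protocol")) == "-1":
        return "all ports", 0, 65535
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 65535))
    return f"ports {lo}-{hi}", lo, hi


def ot_ports_only_from_ot_zone(res: dict) -> list[str]:
    """Policy: ICS protocol ports may only be reachable from the OT zone."""
    if res["type"] != "aws_security_group":
        return []
    findings = []
    for rule in res["values"].get("ingress", []):
        label, lo, hi = _port_span(rule)
        if not any(lo <= p <= hi for p in OT_PORTS):
            continue
        for cidr in rule.get("cidr_blocks", []):
            src = ipaddress.ip_network(cidr, strict=False)
            if not src.subnet_of(OT_ZONE):
                findings.append(f"{label} open to {cidr}, outside OT zone {OT_ZONE}")
    return findings


POLICIES = [no_public_buckets, ot_ports_only_from_ot_zone]


def evaluate(plan_json: str, policies=POLICIES) -> list[Violation]:
    """Run every policy over every planned resource and collect violations."""
    return [Violation(policy.__name__, res["address"], detail)
            for res in load_resources(plan_json)
            for policy in policies
            for detail in policy(res)]


def gate(plan_json: str) -> bool:
    """Pipeline guardrail: True means the plan may be applied."""
    return not evaluate(plan_json)


if __name__ == "__main__":
    for v in evaluate(SAMPLE_PLAN):
        print(f"[{v.policy}] {v.address}: {v.detail}")
    raise SystemExit(0 if gate(SAMPLE_PLAN) else 1)
```

Run against the sample plan, the gate rejects the deployment on three findings: the public telemetry bucket, the SCADA group exposing Modbus to the internet, and the jump-host group whose protocol `-1` rule silently covers port 502 from an IT subnet. The `plc_access` group passes because its source sits inside the assumed OT zone. In a real pipeline the same functions would run as a required step between `terraform plan` and `terraform apply`, with the policy module owned and reviewed like any other code.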

3. Technology & tooling: ensuring investment translates into risk reduction

Many organizations invest heavily in security tools but struggle to realise full value without clear strategy and integration. A structured approach begins with a tooling maturity assessment across cloud, endpoint, identity, network, and OT domains. Benchmarking against NIST CSF, CIS Controls, and MITRE ATT&CK provides a clear, data-driven view of strengths and gaps.

A targeted tooling strategy will define:

  • Rationalization opportunities
  • Integration and automation priorities
  • KPIs to measure coverage, responsiveness, and effectiveness
  • Skills and operating-model implications.


Conclusion

Energy companies face an increasingly complex and hostile threat landscape. To ensure resilience, they must move from reactive controls to intentional, security-by-design operating models grounded in strong governance, modern engineering practices and structured vendor assurance. Those organizations that succeed will not only reduce exposure – they will strengthen operational stability, improve regulatory confidence and build lasting trust with customers and partners. 


How Capco helps energy organizations build cybersecurity excellence

At Capco, we are ready to help energy leaders make this transition and turn cybersecurity into a sustained competitive advantage.

We partner with energy leaders to design, implement and scale cybersecurity capabilities that are resilient, efficient and aligned to operational realities. We enable success through:

  • Target Operating Model (TOM) design to unify IT–OT security responsibilities
  • Strategic roadmaps that prioritize initiatives and sequence delivery
  • Programme leadership and delivery support to drive disciplined execution
  • Deep technical SME expertise across security engineering, data and architecture
  • Governance and reporting frameworks that strengthen accountability
  • Risk-based budgeting and investment planning
  • Capability uplift and coaching to build sustainable internal expertise.

Below, we set out our three key offerings to help our clients navigate the principal challenges they encounter.

Adaptive Security Assurance (ASA). Providing a structured, repeatable approach to improving security maturity, ASA enables continuous confidence in security posture as technology, regulation and threat landscapes evolve. It is broken down into five key steps to ensure the most important security areas are continuously prioritized and worked on:

  • Discovery – understand organizational context, regulatory frameworks and risk appetite
  • Assessment – evaluate current maturity and identify gaps
  • Roadmap – prioritize initiatives and define success measures
  • Development – deploy initiatives, embed controls, and integrate tools
  • Continuous assurance – monitor progress and adapt to emerging threats.

Security tooling maturity assessment. We assess tooling effectiveness across cloud, endpoint, identity, network and OT domains, identifying integration opportunities and improvement actions. Typical outputs include:

  • Tool rationalization recommendations
  • Integration and architecture guidance
  • KPI and measurement frameworks
  • Audit-ready documentation.

Data security strategy & implementation. We help organizations build enterprise-wide data security strategies aligned to business priorities and Zero Trust principles. This encompasses:

  • Understanding where data resides
  • Classifying and protecting sensitive assets
  • Implementing modern controls such as encryption, tokenisation, and DLP
  • Embedding policy-as-code for consistent enforcement
  • Establishing sustainable data-security governance.


References

1 https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
2 https://securityscorecard.com/company/press/energy-sector-research/
