As the pressure to increase sustainability intensifies in many industries, the intersection of cybersecurity and climate change has become more apparent. Whereas sustainability and cybersecurity were conventionally seen in isolation, now they are inextricably linked.
The escalation of extreme weather events, such as the intensifying Atlantic hurricane seasons, has underlined the interconnected vulnerability of critical infrastructure to climate-related disruptions. Previous hurricane events have ripped through critical infrastructure and left communities without power and potable water, but they can also compromise digital networks, affecting a significant proportion of businesses. This was exemplified by the destructive Hurricane Ian in September 2022.
Research conducted by Bridewell in February 2023 revealed that a remarkable 84% of cybersecurity decision-makers working in U.S. critical infrastructure believe the challenges of climate change put their cybersecurity at risk. A quarter of those surveyed also expect hurricanes, floods, and similar events to cause more damage and hinder their efforts to protect crucial systems and data. At the same time, the new technologies designed to reduce emissions, increase efficiency, and mitigate the effects of climate change are introducing new vulnerabilities.
Overcoming such challenges demands a greater level of expertise in areas that sit outside the wheelhouse of many organizations. In particular, there are three key challenges organizations should be paying attention to so they can undertake a re-evaluation of traditional approaches to infrastructure security and resilience.
Challenge one: The security risk posed by green technologies
As the global push towards net-zero carbon emissions becomes ever more urgent, organizations are rapidly adopting green technologies. This transition, however, has inadvertently expanded the attack surface for cyber threats.
This is because many of these technologies, some of which are still in their infancy, present unique regulatory and security challenges. They often rely on specialized equipment or software that may lack established security protocols, posing significant risks when integrated with legacy systems and opening up security vulnerabilities. They also frequently fall outside the purview of stringent regulation, thereby increasing cyber risks.
The overwhelming consensus among security leaders is that these new sustainable technologies are potential gateways for cyberattacks, with 91% of respondents taking this view in the Bridewell research.
Maintaining new solutions once they are integrated is a significant concern. For as many as 47% of critical infrastructure operators, the challenges of managing and protecting rapidly deployed ‘green’ technologies are compromising their organization’s cybersecurity, the research found.
To mitigate these risks, organizations should implement a security-by-design approach, ensuring robust security is integral to all sustainable systems from the outset. Selecting reliable third-party vendors and maintaining clear, organization-wide communication about these new technologies and their threat levels is essential. Continuous training and education will further strengthen defenses against the unique challenges posed by green technologies.
Challenge two: Evolving hacktivism
With well-resourced criminal cyber gangs and nation-state-sponsored groups now having a new array of poorly protected technologies to target, alongside existing critical national infrastructure, an emerging trend is showing a rise in 'hacktivism' related to climate change issues.
Last year, for example, a group motivated by environmental concerns targeted oil and mining companies and published internal emails. The Financial Services Information Sharing and Analysis Center reports a 28% increase in cyber activities motivated by environmental concerns within the finance sector. This new form of cyber activism represents a complex challenge, intertwining ethical, political, and security considerations.
It is vital for organizations to strengthen their cybersecurity posture to address the evolving challenges of hacktivism. This includes regular updates to security systems, rigorous monitoring for unusual activities, and comprehensive response plans. Fostering a deeper understanding of the motivations behind climate-related hacktivism can help anticipate potential targets and tactics.
Challenge three: Expertise and awareness in short supply
As new opportunities present themselves to bad actors, the sector lacks the relevant in-house cyber expertise and awareness to deal with these threats. Bridewell's research highlights that 43% of critical infrastructure organizations are under-equipped in terms of skilled personnel to integrate these new technologies safely. Almost half (49%) of organizations surveyed also lack C-suite understanding of the cyber threats emerging from sustainable technologies, revealing significant blind spots at the highest levels of national security decision-making.
The evolving tactics of cybercriminals, who now have easier access to sophisticated tools, including AI, compound the risk. Their enhanced toolsets enable them to bypass existing protection, detection, and response capabilities offered by businesses operating in the critical infrastructure world. This increased availability of 'off-the-shelf' tools has put greater capabilities in the hands of less technically proficient criminals, heightening the potential for destructive attacks.
Ongoing education and training for in-house teams are crucial in building a comprehensive understanding of new technologies, their dependencies, and associated security threats. Continuous training for teams across IT and OT (operational technology) creates a more all-round understanding of new technology deployments, their interdependencies, and their threats to security.
Hybrid SOC models, which combine internal expertise with outsourced specialists, are also emerging as an effective solution to address the existing cyber skills gap. This approach allows for a more robust and dynamic response to the evolving cyber threat landscape.
Reflecting on the challenges – and achieving the right balance
All critical infrastructure organizations must address questions of sustainability and climate change. The pressures from governments and regulators leave them no choice, and many are effectively on the frontlines. But any company operating in electricity generation and distribution, gas, water, or transportation is also right in the firing line of cyber criminals of all stripes.
Striking the balance between meeting sustainability goals and managing robust cybersecurity measures has its challenges, but ultimately will be critical. As organizations navigate an array of concerns that are not just complex but also very sensitive, there are steps that can be taken to allow them to be best prepared in the face of emerging threats. Implementing a security-by-design approach, having comprehensive response plans, and ongoing training and development will all play a critical role.
Engaging proactively with cybersecurity experts from outside the organization will also help to provide access to the levels of awareness and specialist technical knowledge required to integrate advanced security tools whilst fostering a culture of continuous learning and vigilance among their teams.
Through these concerted efforts, it is possible for nations to protect critical infrastructure while advancing towards a sustainable future.
Chase Richardson, Lead Principal for Cybersecurity and Data Privacy at Bridewell
Chase Richardson lives in Houston, TX where he leads US Operations at Bridewell, a global Cybersecurity consulting firm. He joined Bridewell last year to open its first US office. Prior to Bridewell, Chase was a founding member of another Cybersecurity consulting firm in Houston where he helped grow the business from 5 to 50 employees over 4 years, specializing in Cybersecurity Risk, Governance, and Compliance, Offensive Penetration Testing, Security Operations and Data Privacy. Chase has an MBA from Emory University and is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP/US).