
Introduction

Digital transformation has fundamentally altered the energy sector, integrating AI and other highly interconnected systems into critical infrastructure. While these technologies optimize performance and reliability, they also expose the industry to unprecedented cybersecurity threats. Any innovation that lacks rigorous security controls is a strategic liability. Without robust security frameworks, breakthroughs in cloud computing, private LTE, and IT/OT integration can swiftly deteriorate from valuable assets into critical risks.

Four Technology Trends That Pose Critical Cybersecurity Threats to Energy Infrastructure

1. Artificial Intelligence and Machine Learning

As AI and ML become integral to power grid management, predictive maintenance, and demand forecasting, energy companies face several cybersecurity risks:

Shadow AI

Another critical cybersecurity risk involves the unregulated use of company data, typically referred to as “Shadow AI.” In the absence of strict internal governance, well-meaning employees often feed sensitive company data into public AI tools, unknowingly bypassing security protocols. This exposes the organization to a multitude of security risks, as data entered into these unsanctioned tools can be stored, reused, or leaked outside the organization’s control.

Compliance and Contractual Gaps

A primary vulnerability lies in outdated compliance frameworks and contractual blind spots that fail to account for AI’s dynamic, evolving behavior. In the absence of strong government regulation, companies are turning to voluntary frameworks developed by the National Institute of Standards and Technology (NIST) in 2023. However, the voluntary, non-certifiable nature of these frameworks places a heavy burden on businesses to self-evaluate whether AI vendors are truly compliant and secure, given their unique risk tolerances.

Accountability

Compounding this challenge is AI’s accountability risk. AI contract clauses introduce liability shifts, where vendors disclaim responsibility for the quality of outputs while employees continue to rely on them for critical decisions.

Slow Regulatory Updates

Timing adds another layer of complexity. The irregular pace of regulatory updates further exacerbates this challenge, as government frameworks and contract structures fail to keep pace with the continuous advances in AI.

2. IT/OT Convergence

IT/OT convergence is the integration of information technology systems with operational technology. A lack of control and governance of IT/OT convergence within the energy infrastructure creates security gaps:

Internet-connected control networks significantly expand the attack surface for Supervisory Control and Data Acquisition (SCADA) controls, pipeline valve monitors, and grid data analytics that now interface with corporate IT networks or cloud services. Remote access and VPN tools rank among the highest vulnerabilities to remote threats, making it essential for companies to strictly protect how they interface with OT.

Simple oversights, such as improper Virtual Local Area Network (VLAN) and firewall configurations or lax Privileged Access Management (PAM), remain the primary culprits of IT-OT malware diffusion.

To mitigate these risks, companies must go beyond technical controls and embed stronger security practices directly into the procurement lifecycle:

• Third-Party Testing: Sourcing third-party penetration testing services that independently validate vendor solutions before deployment.
• Enforcing Compliance: Requiring suppliers to strictly follow NERC CIP or ISA/IEC 62443 standards to secure the infrastructure, ensuring that every connected component meets the same criteria.
• Contractual Obligations: Mandating routine risk assessments in all technology contracts to regularly monitor exposure.

With procurement playing a central role in how IT and OT tools are selected, validated, and governed, organizations can significantly reduce the likelihood that internet-connected networks will compromise physical operations.

3. Next-Gen Connectivity in Remote Operations

High fiber optic rents in remote operations, coupled with the potential for reduced insurance premiums, are driving increased adoption of Private Long-Term Evolution (PLTE) networks. Energy companies must accompany this uptake with adequate cybersecurity policies.

4. Cloud and Off-Premise SaaS Adoption

As companies continue to migrate to the cloud, they are often compelled to adopt Software-as-a-Service (SaaS) models for core Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) systems. This reliance shifts the security burden toward external vendors, making third-party risk management a critical priority for cyber resilience. While the cloud offers benefits, such as faster patching and more robust backups, it’s entirely reliant on “best-in-class” governance. Without it, the shared responsibility model can create significant security gaps.

Newfound private LTE owners often lack mature threat monitoring on cellula