The Energy Transition

07 May 2026 – 22 minutes 

In this episode, we are joined by Howard Hughes (Managing Director, Cybersecurity, LRQA) and Fotis Kampouris (EVP Asia Pacific, LRQA) to ask whether the energy transition can really be delivered fast, clean and cyber secure - or whether speed and security are competing priorities. Together, they explore why energy infrastructure has become a high-priority cyber target, how recent geopolitical instability has shifted the conversation from decarbonisation to energy security, and what it takes to build resilience into assets that need to operate for thirty, forty, even fifty years.

The conversation focuses on the leadership decisions behind getting cyber right: where it gets missed in major programmes, how fragmented ownership and locked-in supplier decisions create blind spots, and what good board-level oversight actually looks like. We also cover why compliance frameworks are a starting point rather than protection in themselves, why the industry has to move from point-in-time penetration testing to continuous monitoring and an "assume breach" mindset, and the cultural and regulatory shifts they believe are needed to protect critical energy infrastructure over its full multi-decade lifecycle.

LRQA: The Future in Focus

Josh Flanagan: 

Hello everyone, and thanks to all our listeners worldwide. Welcome to LRQA's Future in Focus podcast. My name is Josh Flanagan, and today we're exploring one of the biggest challenges facing the energy transition right now: how we deliver energy systems that are not just fast and clean, but also secure and resilient. 

I'm joined by Howard Hughes, Managing Director for Cybersecurity at LRQA, and Fotis Kampouris, EVP for Asia Pacific. Howard, Fotis - thank you both for joining. 

In this episode we'll be unpacking the scale and pace of global energy transition programmes, from offshore wind and hydrogen to nuclear and grid transformation. We'll explore how increasing digitisation is changing the risk landscape, why energy infrastructure is becoming a more prominent cyber target, and whether organisations can realistically deliver at speed without compromising security. We'll also look at what good leadership and oversight actually look like in this space, and why compliance alone is no longer enough when you're building assets that need to operate securely for decades. 

We'll start with you, Fotis. Help us paint the picture for our audience. Can you briefly outline some of the biggest energy projects around the globe at the moment? Where is the most momentum, and how is current geopolitical volatility influencing where and how these projects are being developed? 

Fotis Kampouris: 

Hi Josh, and thanks for the invite. It's a great question, and very relevant to what's happening today. When I step back and look at what's happening globally, the scale of activity is extraordinary. We're seeing massive solar and offshore wind plants in China, India, the Middle East, and Australia, alongside major investments in grid interconnectivity and storage - because we all know that generating electricity without transmission simply creates a different bottleneck. 

At the same time, as you've seen in the news, nuclear is re-emerging - particularly in Europe, the US, and parts of Asia - while hydrogen and carbon continue to move from ambitions to real projects, with pipelines to support heavy industry and energy security. 

What has changed is that the energy transition is no longer a decarbonisation story; it's becoming an energy security story. Governments and investors are asking where critical components and equipment are coming from, how dependent they are on vulnerable supply routes, and whether the system can still operate in a more fragmented geopolitical environment. 

The direction is becoming clear: we need bigger, faster, and more connected projects, but in a far more volatile world. 

Josh Flanagan: 

Thanks, Fotis. Howard, I'll come to you now. These projects have been ongoing for a while in many cases. When did cybersecurity become part of the conversation, and why are they high-priority cyber targets now? 

Howard Hughes: 

Thank you, Fotis, and thank you, Josh. You're right - these projects aren't new to the industry. What has changed in the last few years is a few things. 

Firstly, the sophistication of the threat actor. They're very capable. In some cases, if they're state-sponsored, they have unlimited budget. You should assume that all the tools and techniques a cybersecurity company is using, sophisticated threat actors are using too. So that's the first thing - the adversary has become a lot more capable. 

Secondly - and there are lots of examples around the world - the first time we saw a cyber attack used as part of a more kinetic military campaign was Stuxnet, against the Iranian nuclear refinement plants over a decade ago. That was effectively an OT, or operational technology, weapon used as part of a military and political campaign. It's happened regularly since. If you look at what's happening in the Middle East now, you can see certain aspects of the kinetic campaign there are supported by cybersecurity activity. 

The third thing - and this plays off what Fotis said - is that we live in a much more networked world. The blend of renewable and more traditional energy all has to be networked; people want to share across the grid. With that connectivity, and onward connectivity to other networks, you'll have heard the phrase "the attack surface" - the attack surface gets bigger. You have a larger target. When you weren't networked, when things were fragmented, threat actors had to individually go after individual power generation companies or distribution organisations. Now, with a lot more interconnection, you attack one network and you might be attacking all of the downstream energy that network provides. 

So - interesting times. I've mentioned OT a couple of times. That's something LRQA does today. If I look for a criticism, it's that we don't broadcast it enough - and we need to. We do OT testing today, and we'd look to do OT monitoring and other items connected to operational technology as we move forward. 

Josh Flanagan: 

Thanks, Howard. We've seen how quickly geopolitical events, including recent instability in the Middle East, can disrupt energy markets and infrastructure. How should this reshape the way organisations are thinking about long-term resilience in the energy transition, particularly for assets that need to operate securely for potentially decades? Fotis, I'll start with you, then Howard, please come in afterwards with a couple of points on the cyber side. 

Fotis Kampouris: 

Indeed, you mentioned, Josh, that these assets have to operate for ten, twenty, thirty, or even fifty years if you look at the nuclear environment. Recent instability in the Middle East has reminded everyone that energy systems are exposed to both physical and digital threats. We often design these assets for efficiency and output, but not always for disruption - and that's the challenge, because these systems have to operate securely for so many years to provide stability around energy. 

Resilience now has to be designed in from the beginning, and that wasn't happening before. That means we need to diversify suppliers, take a critical view of stronger dependencies, have better visibility of supply chains, and start building digital resilience into the operating model - as Howard mentioned earlier. Our mindset has to shift from optimisation to durability, and the winners will be whoever starts designing these systems that way. That's where the strategic context for cybersecurity and cyber resilience comes in - and how we work with our clients on this. Howard? 

Howard Hughes: 

Thanks, Fotis. A large part of it starts with culture as well - boardroom visibility. Don't design something, build it, and deploy it, and then add the security on afterwards. 

One thing LRQA can do with our customer base is get them to understand concepts like secure-by-design, where you build security into the network at every point of design, or the seven pillars of the zero-trust model, where you assess every single layer of the design and make sure every single layer is secure. 

So the first thing is culture and awareness - from the top of the organisation, at board level, all the way through. 96% of successful breaches last year globally came from business email compromise. Somebody clicks on a fake Amazon (other gift cards are available) gift card in their email - they think it's a good thing to do, suddenly there's malware on their computer, and that's opening up ports on the network. So culture, awareness, and training. 

The other thing is that, with the speed of technology adoption by threat actors, you almost have to adopt a particular mindset - and it's a scary one. I'd encourage anyone having client conversations to start from the position that a breach is going to occur, that the threat actor is going to be successful. So the question becomes: what are the things, if we were breached, we'd have to do? Recovery, incident response, practising disaster recovery and business continuity plans. How many of our clients run regular high-quality boardroom simulations as part of a disaster recovery exercise? Cyber's part of that. 

So there are mindset changes here as the adversaries get more sophisticated, as there are more of them, and as a lot of this is state-sponsored. Assume they're going to have amazing tools and practitioners in those threat actor groups. Practise for when you'll be breached, rather than assuming you'll be successful in the defence. 

Some of the other things, from a sales perspective: I've mentioned boardroom simulations and frameworks - whether that's something like a NIST framework. If you don't know what good looks like, assess where you are against an industry-recognised benchmark. Regular testing - both from outside in (traditional pen testing, penetration testing) and through the eyes of the adversary. Think about red teaming, where a team goes in, plays the part of the adversary, and tests your defences. 

So there are things we do today that not just the energy industry, but the whole of our client base, can use. 

Josh Flanagan: 

Perfect, thanks Howard. As we move on through the questions, it's important to talk about why this can be quite a daunting topic. In major energy transition programmes, where does cyber risk typically get missed, who's most exposed, and why? Fotis, I'll come to you on that one. 

Fotis Kampouris: 

That's a good question. Through my experience over the years, I've been exposed to a number of energy projects, and I have to say it usually gets missed very early - when the programme is still being looked at in isolation, as an engineering, procurement, and delivery exercise, instead of as a long-life operating asset. As we said at the beginning, these assets have to stay in service for twenty, thirty, forty, fifty years plus. 

The engineering teams are under pressure to move quickly. Budgets are under extreme scrutiny. All the major design and supplier decisions are getting locked in before any cyber requirements come into play. This is where LRQA can support, with our solutions around vendor assessment, supply chain management, and quality and safety - because we can look at all of these elements independently and support the different buyers or suppliers to mitigate the risk. 

The most exposed organisations are often those dealing with fragmented ownership. Quite often, one party is designing, another is procuring, another is integrating. In that environment, everybody says cyber matters, but nobody's taking accountability - they leave it to the final decision maker, which is normally the owner. So this is the challenge for me. The issue is not ignorance; it's that cyber isn't treated like a core delivery risk. And cyber has to become a secondary delivery risk. 

Josh Flanagan: 

That's great. We've spoken about some of the mistakes organisations are making - but it'd be good to cover what good oversight actually looks like. Howard, I'll come to you first. 

Howard Hughes: 

Thank you. I'll use a recent example - not an energy company, but a still-critical national infrastructure cybersecurity programme in a large transportation company. 

Their board started meetings with a safety briefing, followed by a cybersecurity briefing. So literally the second thing the board did was a cybersecurity brief: what threats are out there today? Have we been breached in the last reporting period? It wasn't after the finances or after the operational metrics - it was up at the front. Safety, cyber, then finances, people, sales, and so on. So there are some cultural changes there. You asked what good looks like - that's one of them. Start with the culture. 

In the budgetary process, traditionally cyber's been brought on as a sort of afterthought. Best practice is building cyber into a transformational change programme from the get-go. It's not just a case of one per cent of revenue, or whatever metric somebody might deploy - it's: what does it cost us to keep this system safe? What does it cost us to keep our operations running so that, ideally we're not breached, but if we are, business continuity kicks in and we can still keep serving our customers and clients? 

I'd add a final one: board-level reporting, visibility all the time - the good and the bad. Don't be afraid of a red. We've been asked to produce a lot of board-level reporting at a very granular level; the board wanted to know the details of the last breach. So it's a culture change, a bit of a mindset change, but it is very, very doable, and we're the sort of company that looks to partner with energy providers to provide that capability. 

Your thoughts, Fotis? Anything else you wanted to add? 

Fotis Kampouris: 

Thanks, Howard. You've covered the culture and accountability aspect very nicely. Perhaps I'd add competency - because the risks are moving so fast that it's very difficult to have all the right SMEs and experts in-house. This is where LRQA can come in, with our connected risk management advantage across the lifecycle - from design and procurement through to operations and change over time - to be alongside the client and help them understand what's happening every day. 

Josh Flanagan: 

Thanks, that's really great insight. One thing to take from it is that this can be quite overwhelming for certain businesses and certain projects. When it comes to cyber resilience, where's a good place to start for those listening, Howard? 

Howard Hughes: 

Traditionally - and it still holds true - pick a compliance framework and measure yourself against it. They've been around for a long time. NIST is a good scoring basis. ISO 27000 is a good scoring basis. Pick one, assess yourself against those metrics, and bring your team along with you on the journey. 

Traditionally, people would set a system up and test it. They'd say, "I'm going to do four penetration tests this year. I'm going to do one hunt this year." One area where this transformation in the industry is happening now is that you have to think continuous. We have to be right every day; the threat actor only has to be right once. If a state-sponsored threat actor wants to break into a system, they only have to be right once. We have to be right every day. 

So there's something there about continuous attack surface monitoring - looking at your estate continuously rather than just testing a few times a year, running a penetration test every quarter. Think about a continuous approach to monitoring. 

Those of you who saw the news in the last two weeks about the latest models Anthropic released - Mythos, through the Glasswing programme - found vulnerabilities on critical national infrastructure networks that were over twenty years old. 

Some of it is just basic hygiene. If you find an issue on your estate, you have to patch it that day, that hour, that minute - because it's open, and if you found it, you can be sure 100% the threat actor is going to find it too. 

Then, simulation practice. Once you've got yourself up to a suitable level of conformance and you've got a roadmap to keep improving, there's something about continuously simulating breaches on your system. Get an external company like LRQA in to think the unthinkable. Don't do a traditional attack - think of a slightly different attack you may not have thought of, and practise it again and again. 

Those would be a few best practices I'd suggest we have discussions about. 

Josh Flanagan: 

Thank you both for offering such insightful responses today. For closing thoughts: what's the one mindset shift organisations need to make to protect the energy transition, in your opinion? We'll start with you, Fotis. 

Fotis Kampouris: 

Before I go to the organisation, I'd like to go a bit beyond it. The energy transition is the most fundamental growth phase we're heading into, and we need support from governments too. Governments need to simplify and better connect the different frameworks, because - when we talk about a network around cybersecurity - think about an electricity grid between France and the UK, or Japan and Korea: different regulations and different standards make it far more difficult to connect and to communicate in the same language. So we need that kind of change in the regulatory framework, from governments and the different regulatory institutions. 

When it comes to organisations, in order to move at that speed they need to start treating cyber and resilience as something that has to be fixed now, instead of retrofitted later. It has to be part of the delivery from day one. The cost of getting cyber wrong can be detrimental: you can lose energy, you can lose supply chains, and most importantly, you can suffer reputational damage. We've seen what's happened in the Middle East and the issues that has created in the last couple of weeks. 

So for me, the mindset shift is very simple: speed and security are not competing priorities. We have to move fast, but we also need to remember that we're constantly living in a very volatile world, and resilience is what gives us permission to do so. 

Howard, over to you. 

Howard Hughes: 

I was tempted to mention culture again - I do think it's top for me - but I'll pick something else: the pace you've got to move at. Assume that state-sponsored and criminally organised threat actors have unlimited budget. They don't have to go to meetings; they don't have to ask permission. They find a target, they've got the right tools and techniques, and they want to move quickly. 

So it's about finding a partner like LRQA, bringing that partner into your ecosystem, and allowing LRQA to help you move at speed. Don't wait until next quarter to put your new mail gateway in. Don't wait until next year to budget for your replacement firewalls. Don't assume four penetration tests a year is what good looks like - that was what good looked like in the 1990s. Now you've got to think, "I'm going to do a test tomorrow." 

We've just launched AI pen testing, which uses an agent to test more effectively, more quickly, at pace, and with little or no notice - in other words, "I'd like a test tomorrow," rather than booking a test in for next month. It's about explaining to our clients that there's a sense of urgency around this, because every day you wait is another day the threat actor is performing reconnaissance on your network, producing custom-built malware - potentially a zero-day that's never been used before, that if they put on your network, your defences won't successfully defend against. 

So for me, it's all about culture and pace of change. 

Josh Flanagan: 

Thank you both. That brings us to the end of today's episode. Thank you for sharing your insights and thank you to everybody for listening. 

Today we've explored how the energy transition is not just a question of speed and scale, but of resilience. As energy systems become more connected and more exposed to geopolitical and cyber risk, organisations need to treat cybersecurity as a core delivery priority from day one - not an afterthought. 

If you'd like to learn more about how LRQA supports organisations in managing risk across the energy transition lifecycle, and our cybersecurity offering, visit lrqa.com or get in touch. 

Thanks for listening, and we'll see you on the next episode.