Powering Security: Why Secure Communications are Non-Negotiable for Energy and Utilities

How Resilient Communications Facilitates Operational Continuity for Energy and Utilities

Cyberattacks on energy and utility companies are increasing in both frequency and sophistication, with reports finding an 80% year-over-year increase in attacks targeting the sector. While these attacks pose a direct threat to the entire energy sector, they reach further to impact public safety and national security. By prioritizing secure, resilient, and mission-critical communications, the energy and utilities sector can help safeguard its infrastructure, provide uninterrupted service delivery, and confidently power the future.

The conversation needs to move past why security is an urgent necessity and focus on how to build resilience that helps guarantee operational continuity. When an attack or a breach inevitably happens, the single most critical asset that limits damage and determines recovery speed is the integrity of the communications infrastructure. This is the operational lifeline.

______________________________________________________

Listen Now

Tune in to Episode 1 of the Critical Briefings podcast — expert insights about securing comms and staying resilient.

______________________________________________________

Pillar 1: Identity and Platform Sovereignty (The Zero Trust Foundation)

True resilience is not just about encrypting a message; it's about guaranteeing who is communicating and ensuring the utility itself, not a third party, controls the keys and access rules.

Cryptographic Identity Verification

Beyond basic passwords and Multi-Factor Authentication (MFA), modern secure communications must adopt cryptographic identity verification.  

• The problem open registration poses: Many encrypted messaging services rely on open public key infrastructure (PKI) models where anyone can join a private conversation. To secure utility conversations, every user (control room operator, field technician, partner) must be cryptographically authenticated via organization-issued credentials.
• The solution: Communications platforms for utilities must tie digital identity directly to an organization's internal system (e.g., Active Directory). This helps ensure that compromised devices cannot impersonate users and gain access to critical discussions or operational data. As a result, a cyber breach cannot escalate into a command-and-control failure.
  

Customer Key Ownership and Data Sovereignty

To truly manage risk and meet stringent NERC CIP requirements, utilities must own the encryption keys even if the platform is cloud-hosted.

• Beyond End-to-end encryption (E2EE): E2EE protects the content but not the platform that facilitates the interaction. Platforms designed for critical infrastructure must be deployable in sovereign, customer-controlled or sovereign-managed clouds. This gives the utility physical and technological control over the network components and the encryption keys, o that no government subpoena or foreign legal jurisdiction can access their communications without their authorization.
• The solution: High-assurance secure mobile communications solutions, like those offered by BlackBerry, can provide certified, end-to-end encrypted voice, messaging, and file sharing. This allows command and control teams to communicate securely without interception during a full-scale network event.

Pillar 2. High-Assurance Certification and Validation

In critical sectors, "secure" must be proven by independent, rigorous third-party assessment. Certifications shift the focus from a vendor's marketing claims to a third-party regulator's assurance.  

Common Criteria (CC) Certification

The Common Criteria (CC), formalized as ISO/IEC 15408, is an international standard for evaluating IT security products. It is the gold standard for many government and critical infrastructure deployments.  

• Protection Profiles (PPs): In the US, the National Information Assurance Partnership (NIAP) requires evaluations to conform to Protection Profiles (PPs). These profiles define the mandatory security requirements for specific product categories (e.g., mobile devices, VPNs), ensuring the product is tested against a consensus-based, real-world threat model.  
• Assurance Level: CC certification proves the security robustness of a product's hardware and software, covering everything from permissions and access control to cryptographic implementation (e.g., FIPS 140-2 validated encryption).  

Regulatory and Framework Compliance

While certifications validate the technology, compliance frameworks validate the practices and policies around that technology.

• NERC CIP: For energy and utilities, NERC CIP (Critical Infrastructure Protection) standards mandate specific controls around electronic security perimeters, configuration change management, and incident response planning for Bulk Electric System (BES) Cyber Systems.  
• NIST Frameworks: The NIST Cybersecurity Framework (CSF) and specific NIST Special Publications provide a detailed taxonomy of security outcomes that guide organizations in managing their cyber risk, often prescribing the use of strong cryptographic controls and PKI for security services like confidentiality, integrity, and non-repudiation.

The Solution

Choosing tools that are certified to protect communications across a large, distributed, and highly regulated mobile workforce, like those from the BlackBerry® Secure Communications suite, offer government-grade, extensively certified, and end-to-end encrypted solutions. These tools are designed to protect highly sensitive information and maintain operational continuity against state-level threats and sophisticated cyberattacks.

Pillar 3: Empowering the Frontline with Secure Tools

Operational continuity relies heavily on the people managing the assets, both in the control room and in the field. If their tools are vulnerable, it jeopardizes their ability to maintain service resilience.

Secure Collaboration for Speed and Safety

Using consumer-grade communication tools, like personal phones and unencrypted chat apps for official business, creates massive security and compliance gaps. A secure, purpose-built platform assures that:

• Sensitive Data is Contained: Operational data, diagrams, and sensitive discussions are kept within an encrypted, controlled environment.  This minimizes data leakage and helps the utility maintain ownership and control over its real-time communications flow.
• Faster and Safer Incident Response: During a power outage or physical event, rapid communication is key to restoring service. Secure voice and messaging allow teams to share live telemetry, coordinate crews, and execute complex recovery plans without fear of interception or modification. This directly translates to faster response times and reduced outage duration.

The Solution

Ensuring operational resilience during any incident is the domain of a Critical Event Management (CEM) platform, such as the highly validated BlackBerry®  AtHoc® solution. These tools integrate emergency notification and incident response into a unified framework. Built for resilience with native failover capabilities, these systems keep communication flowing across multiple channels to alert staff, coordinate recovery, and maintain a full audit trail for compliance, even if primary enterprise systems go down.

The Path Forward: A Call to Action

The energy and utilities sector is undergoing an unstoppable digital transformation that is essential for creating a more sustainable and efficient future. However, it can only succeed on a foundation of unyielding security with secure communications at its core. Communication failures don't just threaten utility operations, but also public safety and national security. Building resilient communication systems allows the industry to protect critical infrastructure, keep services running smoothly, and move confidently into the future.

For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.