This article was adapted from the Climate Tech Weekly newsletter, delivered Wednesdays.
Attivo Networks. Dragos. Rangeforce. Swimlane. If you pick through the portfolio list for Energy Impact Partners (EIP), you’ll find a wide variety of climate tech startups — and at least nine ventures with one core focus: securing digital and physical networks.
EIP’s latest investment in this category, Corelight, is a specialist in network detection and response — working with some of the world’s largest Fortune 500 companies, government agencies and research institutions. Given EIP’s main backers — mainly utilities and power companies but also some industrial players such as Enterprise Holdings (yes, the rental car company) — its decision to lead Corelight’s $75 million Series D round in early September makes sense.
After all, energy is the next frontier for hacking incidents and cyber attacks. It’s not just a matter of commerce and convenience, it’s a matter of national security. Just ask Colonial Pipeline CEO Joe Blount, forced to shut down its 5,500-mile-long natural gas pipeline for five days this spring after a ransomware incident, triggering fuel shortages throughout the Southeastern U.S.
"We knew we had a threat, and we knew that threat had to be contained. And therefore, we shut the pipeline down in order to do that," Blount said during a recent talk about his company’s response. "There was not enough detail to know whether it was beyond the IT system, whether it hit the [operational technology] system, whether we even had a physical risk on the pipeline at that point in time."
By creating ownership [of the challenge] but getting visibility and empowering security teams, only then can we get at this complexity.
As the world transitions to renewable energy — and to an increasingly distributed grid — there’s a growing appreciation about the vulnerability of these systems. "Having a very forward-thinking security posture is going to be table stakes," EIP partner Shawn Cherian told me when we chatted about the development last month. "As we poll our partners about priorities, security is almost one of the top three items."
According to data crunched by TechCrunch, venture funding for cybersecurity entrepreneurs grew to $11.5 billion in the first half of this year — more than double what it was during the first six months of 2020. Improving cybersecurity for "critical infrastructure" is also a big focus for President Joe Biden, who issued a statement to mark Cybersecurity Awareness Month (yes, this month).
"Our 100-day action plan to improve cybersecurity across the electricity sector has already resulted in more than 150 utilities serving 90 million Americans committing to deploy cybersecurity technologies, and we are working to deploy action plans for additional critical infrastructure sectors," he wrote.
Increasingly, security considerations — for both digital and physical assets — will need to become a consideration for climate tech and green infrastructure. Remember all those carbon capture facilities and pipelines proposed under the still-pending U.S. infrastructure bill? They’re prime candidates for major cybersecurity investments. Ditto wind turbines and solar panels.
The pandemic helped bring these issues to the fore, said Leo Simonovich, vice president and global head of industrial cyber and digital security at Siemens Energy, when we chatted last week. Cyber could become "the great showstopper," the big barrier to adoption for technologies ranging from cloud computing to smart controls, he suggested.
"Many operators don’t know how vulnerable they are," Simonovich told me. "By creating ownership [of the challenge] but getting visibility and empowering security teams, only then can we get at this complexity."
As companies seek to enable the flow of data from the wellhead to the substation — and technicians are asked to perform and handle tasks such as logging into wind farms from their homes — energy companies and investors must layer security with the need for better visibility into energy assets. And the sooner climate tech startups build security considerations into their core development concerns, the better.