HMN 2026: How stronger security measures are needed as the energy retail sector faces escalating cyber threats


A doctoral dissertation by Mikko Suorsa, to be defended at the University of Vaasa, Finland, reveals that the energy retail sector is an essential yet vulnerable part of the energy industry’s value chain and of critical infrastructure. Having received comparatively little attention in cybersecurity efforts, the sector requires strengthened resilience, and the study introduces concrete methods to achieve this. It is one of the first studies to focus specifically on energy retail organizations.

While energy generation and transmission grids have traditionally been strictly protected as part of critical infrastructure, the cybersecurity of the energy retail sector has received far less attention. This dissertation, in the field of industrial management, shows that the sector is increasingly targeted by hybrid threats and cyberattacks. Retail organizations process sensitive personal, consumption and location data of millions of Europeans and are closely interconnected with broader energy systems that are essential for the continuity of societal functions.

“Deficiencies in cybersecurity resilience can provide attackers with a pathway into the entire energy value chain, as retail organizations are closely connected to critical systems. Such breaches can lead to identity theft, disrupt commercial operations and cause significant financial losses, as well as weaken critical infrastructure and the resilience of essential societal functions. Cyber operations during the war in Ukraine have demonstrated that attacks targeting IT systems can also enable access to operational technology systems controlling power generation and transmission,” Suorsa warns.

Resilience is built on corporate culture, security controls, and risk management

As a solution, Suorsa proposes a comprehensive approach to cybersecurity management that strengthens a company’s ability to withstand disruptions and recover quickly as part of maintaining critical infrastructure. The study also provides senior management with tools to address increasingly stringent regulatory requirements, such as the EU’s NIS2 Directive.

“Cybersecurity is a strategic factor for business continuity, not merely a concern for the IT department. A strong security culture develops when cybersecurity is integrated into management objectives and positive employee behavior is systematically recognized. Personnel should also be actively encouraged to report risks and security incidents,” Suorsa emphasizes.

The research provides three key tools for strengthening cyber resilience:

  1. Management commitment and employee engagement: Clear responsibilities, an active role for management, and encouraging staff to report security incidents strengthen resilience across the organization.
  2. Critical cybersecurity controls: Access management, access rights governance, change management, testing, malware protection and employee training safeguard core operations.
  3. Risk management and proactive analysis: Identified cyber risks are managed through layered controls and attack–defence modeling, improving situational awareness and response capabilities.

“Without cyber resilience, even a minor security incident can escalate into a major disruption, halt commercial operations, compromise customer data and damage a company’s reputation and business continuity. From a critical infrastructure perspective, such impacts can extend to society as a whole. Conversely, strong cyber resilience enables an energy company to withstand cyberattacks and recover relatively quickly with minimal impact,” Suorsa concludes.

More information

Mikko Suorsa, Strengthening Information Security Resilience in the European Energy Retail Sector: A Multi-Method Study of Cultural Factors, Critical Controls, and Key Risks (2026)

Key concepts

Power system flexibility, cybersecurity frameworks
