Inevitable (MCJ Podcast)

Episode: Securing the Energy Grid from Cyber Threats with Xage Security

Host: Cody Simms
Guest: Roman Arutyunov, Co-founder & SVP of Products, Xage Security
Date: March 27, 2025

Episode Overview

This episode delves into the pressing issue of cybersecurity in energy systems, exploring how evolving threats—from ransomware to nation-state attacks—are escalating with the increased digitization and distribution of the energy sector. Cody Simms speaks with Roman Arutyunov of Xage Security, a company specializing in protecting critical infrastructure, about how utilities and energy producers can defend the grid and what "zero trust" security really means in this high-stakes context. The conversation addresses how the transition to renewables, distributed energy resources, and the adoption of AI both transforms and complicates cybersecurity challenges in the sector.

Key Discussion Points

1. Introduction to Xage Security & Cybersecurity in Energy

• Xage Security’s Mission: Founded to protect critical infrastructure sectors—energy, utilities, manufacturing, defense. Focus on the hardest-to-defend assets and enabling access for people, applications, and systems without compromising security ([02:21]).
• Energy Sector Focus: Xage has major energy clients (Chevron, Aramco, Kinder Morgan) and works at the intersection of critical infrastructure and cybersecurity ([03:09]).

2. Evolving Threat Landscape for Energy Systems

• Changing Attitudes: 10-15 years ago, energy companies underestimated cyber threats; now, there are over 60 attacks per day on energy infrastructure ([03:47]).

  “About 10, 15 years ago... no one's really going to want to hack a utility. That was a false sense of security that radically changed.” — Roman ([03:47])

• Main Threat Vectors:

  • Ransomware: Financially motivated, rapidly increasing.
  • Nation-State Actors: Sophisticated, stealthy, often undetected for months/years, motivated by control, sabotage, espionage ([03:47], [05:21]).

  “The big component there is just to extend the control, ... so then when they need it, they can be leveraged.” — Roman ([05:21])

• Real-World Cases:

  • Referenced the “supply chain” style attacks (e.g., Salt Typhoon in telecoms, analogous incidents in energy sector) where actors exploit deeply embedded, legacy technologies ([06:12]).

  “There have been similar scope attacks in the energy sector... they have been living off the land... within the energy networks.” — Roman ([06:12])

3. IT vs. OT and the Vulnerable Intersection

• Definitions:

  • IT (Information Technology): Focused on protecting data, intellectual property, and systems like SaaS apps, ERPs, HR systems, endpoints such as laptops ([07:47] – [08:30]).
  • OT (Operational Technology): Encompasses assets like sensors, meters, control systems—managing physical infrastructure, often highly automated, proprietary, difficult to patch ([08:56] – [09:32]).

  “OT is driven by assets like sensors, meters, control systems. These assets are now digital... processing data, making decisions, and taking action in a highly automated fashion.” — Roman ([08:56])

• Risks at the IT/OT Intersection:
  Old, unpatched systems get connected for digital transformation and business optimization, creating vulnerabilities. Systems not designed for remote access now require it for efficiency, broadening risk ([12:00]).

  "Any company may be working with hundreds of partners... and they all need access as well." — Roman ([12:00])

• High Stakes:
  Compromised OT can lead to environmental damage, blackouts, fires, even physical safety crises—not just loss of proprietary data ([09:32]).

4. ‘Zero Trust’ Security and Xage’s Approach

• Zero Trust Principle:
  No implicit trust is given based on network location or prior authentication; every access must be explicitly authenticated and authorized ([13:26]).

  “Zero trust... there is no implicit trust. Any type of an asset or interaction with an asset needs to be explicitly authenticated and authorized before it can take place.” — Roman ([13:26])

• Industry Struggle:
  Legacy systems and distributed assets make it nearly impossible to rely solely on traditional credentials (like "admin/password") and centralized controls. Renewables add further distribution and ownership complexities ([14:55] – [15:42]).

  “Unlike IT systems, operational systems are highly distributed and they're becoming even more distributed in the energy space.” — Roman ([14:55])

5. Transitioning Grids: Oil & Gas vs. Renewables

• Commonalities:
  Both are now highly connected, increasingly AI-driven, and still rely on a mix of legacy and new assets ([16:32]).

  "An approach to cybersecurity is that you got to protect them all... attackers will find the weakest link and go from there." — Roman ([16:32])

• Distinct Issues with Renewables:

  • Often, utilities don’t own the resources they rely on.
  • Assets are spread across thousands of locations, under varied ownership, operated by multiple third parties ([17:41] – [18:56]).
  • Utilities need confidence in the cyber posture of assets they don’t directly control.

6. Regulation and Security Standards

• Regulation Is Catching Up:
  Sector is highly regulated (NERC CIP and successors), but new standards are being created to cover more assets—including renewables—and to address supply chain security ([20:06]).

  “There's a new iteration of [NERC CIP] that’s putting in even stricter controls... that now includes renewable energy assets.” — Roman ([20:06])

• Trade-Off:
  Regulation and permitting can slow deployment but are critical for system security ([20:45] – [21:05]).

7. Distributed Grids & ‘Security in Distribution’

• Built-In Redundancy Doesn’t Eliminate Threat:
  Distribution means optionality, but attackers can exploit the weakest links to trigger chain reactions or systemic failures ([23:00]).

  “Attackers will exploit the weakest point and spread from there... there were ways to spread from there. Now you have a chain reaction of events.” — Roman ([23:00])

8. The AI Factor: Double-Edged Sword

• Risks:
  AI massively lowers the barrier for launching sophisticated phishing and social engineering attacks. AI-generated content is often indistinguishable from legitimate communication ([24:57]).

  “AI generated content oftentimes looks even better than the company's own marketing content.” — Roman ([24:57])

• Examples:

  • Phishing attacks using AI are difficult for both users and security teams to detect.
  • "MFA fatigue"—tricking users into approving malicious logins by overwhelming them with authentication requests ([28:09]).

    “If you bombard a technician with an MFA request... likely... just click Accept... malicious actors leverage the fact that you're so tired.” — Roman ([28:09])

• Defensive Use:
  Adopting proactive security hygiene (frequent credential changes, zero trust access, adaptive MFA, network segmentation) is essential as AI accelerates attack sophistication ([27:00]).

9. Human Element & Emerging Attacks

• People as Primary Target:
  Over 80% of attacks stem from stolen credentials—often via phishing and social engineering—rather than technical system exploits ([29:30]).

  “Majority, like 86% of them, is through this type of attack vector. Very low percentage is through actual exploits of a vulnerability on a system...” — Roman ([29:30])

• Mitigation Focus:
  Proactive technical controls (MFA, zero trust, segmentation) now prioritized over pure user training, especially in operational environments where MFA adoption is still low (10–20%) compared to enterprise IT (70%) ([30:30]).

10. Real-World Attack Example

• State-Sponsored Grid Infiltration:
  Russian state actors penetrated a U.S. energy grid via a contractor’s less-secure remote access. Classic “supply chain” vulnerability; attackers install Remote Access Trojans (RATs) and "live off the land" until commanded to act ([32:19]).

  “State actors leveraged remote access through a contractor... their employees were able to access the energy systems. So that’s a big concern.” — Roman ([32:19])

• SolarWinds:
  Similar concept—once an attacker is inside, lateral movement and undetected persistence are the next risks ([33:13]).

11. Xage Security, Investment, and Industry Momentum

• Growth Story:
  Xage has raised from both VCs and strategic industry investors (Aramco, GE, SAIC); now ~100 employees and experiencing swift expansion as energy and defense sectors prioritize operational cybersecurity ([34:31]).

  “These companies are all users of Xage products... strong growth in the sector become even stronger as they adopt more AI technologies.” — Roman ([34:31])

• Trend: Behind the Meter & Onsite Power Growth:
  More companies (esp. data centers) are generating or managing their own power; the proliferation of “smart” devices, meters, and renewable assets creates billions of new endpoints to secure ([35:57] – [36:40]).

  “... in the last 15 years, [utilities] went from really no connected devices... to billions of connected devices that they have to now manage and secure.” — Roman ([36:40])

Notable Quotes & Memorable Moments

• On Old Versus New Threats:
  “Unfortunately, these systems are pretty easy to take advantage of and to hack... you may have widespread damage or a fire before it even takes action.” — Roman ([10:57])

• On Zero Trust:
  “Everything needs to be verified, everything needs to be authorized. For every single interaction, whether it’s from human or from another application or machine, we control those very tightly...” — Roman ([14:20])

• AI and the Human Element:
  “It’s very hard for any normal employee or user to detect a phishing attack versus the AI generated phishing attack versus a legitimate company email. That’s a real problem.” — Roman ([24:57])

• The Scope of the Challenge:
  “My home with rooftop solar is a power generator and with an EV charger is a gas station. It’s all my own home. It wasn’t that way five years ago.” — Cody ([37:29])

Key Timestamps

• [02:21] — What is Xage Security?
• [03:47] — Energy sector threat landscape and motivations
• [06:12] — Nation-state attack examples (Salt Typhoon, supply chain risks)
• [07:47] — IT vs. OT definitions and cyber implications
• [12:00] — Digital transformation and converged vulnerabilities
• [13:26] — Zero trust security explained
• [16:32] — Transitioning attack surfaces: Oil/gas vs. renewables
• [18:56] — Utilities and distributed asset control
• [20:06] — Regulatory landscape (NERC CIP, new inclusions for renewables)
• [23:00] — Distributed resources and the myth of built-in security
• [24:57] — AI as attacker enabler; phishing and automation
• [29:30] — Majority of attacks stem from social engineering
• [32:19] — Real-world breach example: State actors via contractor access
• [34:31] — Xage’s growth, funding, and strategic partnerships
• [36:40] — The explosion of connected devices in the energy sector

Conclusion

This episode makes clear that as the energy sector modernizes—ushering in renewables, distributed resources, and AI—the complexity and urgency of defending critical infrastructure mount dramatically. Roman Arutyunov’s expertise and Xage’s zero trust approach highlight the need to rethink old paradigms, prioritize proactive defense, and stay ahead of attackers who now wield both technological and psychological tools. The grid of the future, with billions of connected devices and ever more porous boundaries, will demand vigilance, innovation, and a shared culture of security.

Listen to the full episode for deep dives on zero trust, AI threats, and Xage Security's mission to keep the future grid secure.