A new study published by DNV, the independent risk management and quality assurance provider, reveals that energy industry executives are anticipating cyberattacks that will compromise life, property and the environment in the sector over the next two years.
The Cyber Priority, a research report exploring the state of cybersecurity in the energy sector, reveals that more than four-fifths of professionals working in the energy, renewable energy, oil and gas sectors believe that a cyberattack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%). Three-quarters (74%) expect an attack to harm the environment while more than half (57%) expect it to cause loss of life.
DNV’s research is based on a survey of more than 940 energy professionals around the world and in-depth interviews with industry leaders.
Growing fears about new and more extreme consequences of cyberattacks follow a series of high-profile security breaches in the energy sector in recent years, which include an attack that shut down the US Colonial Pipeline in 2021, and a series of attacks that disabled parts of Ukraine’s power grid in the mid to late 2010s. DNV research also indicates that concerns about emerging threats increased after Russia invaded Ukraine. Two-thirds (67%) of energy professionals say recent cyberattacks on the industry have prompted their organizations to make major changes to their security strategies and systems.
“Energy companies have been tackling IT security for decades. However, securing operational technology (OT) – the computer and communication systems that manage, monitor and control industrial operations – is a newer and increasingly pressing challenge for the sector,” said Trond Solberg, Director general, Cyber Security, DNV.
“As OT becomes increasingly networked and connected to computing systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries. Our research reveals that the energy industry is realizing the threat to OT security, but needs to act faster to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security,” added Solberg.
Action delayed as some companies hope for the best
Six in 10 C-suite respondents to DNV’s survey agree that their organization is more vulnerable to an attack today than it has ever been. However, there are signs that some companies are taking a “wait, see, and hope for the best” approach to dealing with the threat.
Less than half (44%) of C-suite respondents believe they need to make urgent improvements in the next few years to prevent a serious attack on their business, and more than a third (35%) of C-suite energy professionals claim that their business would need to be impacted by a serious incident before investing in their defence.
One explanation for some companies’ apparent reluctance to invest in cybersecurity may be that most respondents believe their organization has so far avoided a major cyberattack. Less than a quarter (22%) think their organization has experienced a serious breach in the past five years.
“It is worrying that some energy companies are taking a ‘hope for the best’ approach to cybersecurity rather than actively addressing emerging cyber threats. This draws distinct parallels with the progressive adoption of physical security practices in the energy industry over the past 50 years,” Solberg said.
“It took tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 for the industry to prioritize and institutionalize global safety protocols, and for stricter regulations to be put in place. Our research sends a strong signal that the industry needs to make urgent investments to ensure that cybersecurity does not become the cause of future harm to life, property and the environment,” added Solberg.
Supply chain blind spots cause concern
DNV recommends that the first step in strengthening defenses is to identify where critical infrastructure is vulnerable to attack. The Cyber Priority reveals that while many organizations are investing in vulnerability discovery, these efforts are not broad enough to include the companies they partner with and source from.
Only 28% of energy professionals working with OT say their company makes cybersecurity of their supply chain an investment priority. This contrasts with the 45% of respondents working with OT who say spending on IT system upgrades is a high investment priority.
“Energy companies may have full oversight of their own vulnerabilities and have all the right measures in place to manage risk, but it won’t make a difference if there are undiscovered vulnerabilities in their supply chain. Our research identifies ‘remote access to OT systems’ among the top three methods of potential cyberattacks against the energy industry. We urge the industry to pay greater attention to ensuring vendors and equipment suppliers demonstrate compliance with security best practices from the earliest stages of sourcing,” said Jalal Bouhdada, Founder and CEO of Applied Risk, an industrial cybersecurity company acquired by DNV in 2021.
More workforce training is needed
Despite emerging cybersecurity threats, DNV research reveals that less than a third (31%) of energy professionals confidently say they know exactly what to do if they were concerned about a potential risk or a threat to their organization. This finding underscores the need for energy companies to invest in training their employees to spot instances of criminal attempts to gain access to their systems. Less than six in 10 (57%) energy professionals say their employer’s cybersecurity training is effective.
“A company’s personnel are its first line of defense against cyberattacks. Effective workforce training, coupled with ensuring you have the appropriate cybersecurity expertise, can make all the difference in protecting critical infrastructure. Our research clearly shows that companies need to carefully assess their investments to keep their employees well-informed on how to identify and respond to incidents in a timely manner,” Bouhdada said.