Cyber defence of the energy sector is deficient

Energy executives expect an increase in the amount of cyber attacks on their companies with the potential to cause damage to life, property and the environment over the next two years, reveals the “cybersecurity/cyber-insights/thecyberpriority.html" target="_blank" rel="noreferrer noopener">Cyber Priority” study conducted by DNV. Of the 948 survey participants, more than four-fifths of professionals working in the energy, renewable energy and oil and gas sectors believe a cyber attack on the sector is likely to cause operational downtime (85%) and damage to energy assets and critical infrastructure (84%). Three-quarters (74%) expect an attack to harm the environment, while more than half (57%) predict it will cause loss of life.

Concern about emerging threats is growing, mainly because less than half of them (47%) believe that the security of their operational technology (OT) – the control systems that manage, monitor and control industrial operations – is as robust as their IT security.  Six in ten of DNV’s surveyed C-level respondents recognise that their organisation is more vulnerable to attack now than ever before. 

“As OT becomes more connected and linked to IT systems, attackers can access and control systems that operate critical infrastructure, such as power grids, wind farms, pipelines and refineries. Our research shows that the energy sector is waking up to the OT security threat, but faster action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security,” explains Trond Solberg, managing director of cybersecurity at DNV.

Vulnerabilidades da cadeia de suprimentos

DNV recommends that the first step in strengthening defences is to identify where critical infrastructure is vulnerable to attack. The cyber priority reveals that while many organisations are investing in vulnerability discovery, these efforts are not being extended sufficiently to include companies they partner and buy from.

Apenas 28% dos profissionais de energia que trabalham com a OT dizem que sua empresa está tornando a segurança cibernética de sua cadeia de suprimentos uma alta prioridade para investimento. Isso contrasta com os 45% dos entrevistados operacionais de OT que dizem que os gastos com atualizações de sistemas de TI são uma alta prioridade de investimento.

Jalal Bouhdada, founder and CEO of Applied Risk, an industrial cybersecurity firm acquired by DNV in 2021, has advocated reducing the potential for “undiscovered vulnerabilities” in energy supply chains.

“Our research identifies ‘remote access to OT systems’ among the top three methods for potential cyber attacks in the energy sector. We urge the industry to pay more attention to ensuring that equipment vendors and suppliers demonstrate compliance with security best practices from the earliest stages of procurement,” he added.

The report also raises the need for energy companies to invest in training their employees, both in how to detect potential vulnerabilities and attempted attacks, and how to respond if an attack actually occurs.

Less than half (44%) of C-suite respondents believe they need to make urgent improvements in the next few years to avoid a serious attack on their business, and more than a third (35%) of energy professionals say their company would need to be impacted by a major incident before investing in their defences.

One explanation for the apparent hesitancy of some companies to invest in cybersecurity may be that most respondents believe that their organization has so far avoided a major cyberattack. Less than a quarter (22%) suspect that their organisation has suffered a major breach in the past five years.

“It is concerning to discover that some energy companies may be adopting a ‘hope for the best’ approach to cyber security, rather than actively addressing emerging cyber threats. This draws distinct parallels with the gradual adoption of physical security practices in the energy sector over the past 50 years,” Solberg said.

“It took tragic events, such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010, for the industry to prioritise and institutionalise global security protocols and for stricter regulations to be implemented. Our research sends a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment,” Solberg added.