New research published by DNV, the independent provider of risk management and quality assurance, reveals that energy managers anticipate cyberattacks on the sector that threaten lives, property, and the environment within the next two years.
The Cyber Priority, a research report examining the state of cybersecurity in the energy sector, finds that more than four-fifths of professionals working in the energy, renewable energy, and oil and gas sectors believe that an industry cyberattack is likely to lead to operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%).
Three-quarters (74%) expect an attack to damage the environment, while more than half (57%) expect deaths.
DNV’s research is based on a survey of more than 940 energy professionals worldwide and in-depth interviews with industry executives.
Rising fears of new and more extreme consequences of cyber-attacks follow a series of high-profile security breaches in the energy sector in recent years. The survey also indicates that concerns about emerging threats have increased following Russia’s invasion of Ukraine.
Overall, two-thirds (67%) of energy professionals say recent cyber-attacks against the industry have prompted their organizations to change their security strategies and systems.
DNV Cybersecurity Director, Trond Solberg, says: “Energy companies have been tackling IT security for decades. However, securing operational technology (OT), the computing and communications systems that manage, monitor, and control industrial activities, is a more recent and increasingly pressing challenge for the sector.”
“As OT becomes more networked and connected to IT systems, attackers can access and control systems serving critical infrastructure, such as power grids, wind farms, pipelines, and refineries. Our research shows that the energy industry is becoming aware of the OT security threat, but faster action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security,” Solberg added.
According to the survey, six in 10 C-suite-level respondents acknowledge that their organization is now more vulnerable to attack than ever. However, there are signs that some companies are taking a wait-and-see approach to confronting the threat.
Less than half (44%) of C-suite respondents believe they need urgent improvements to prevent a serious attack on their business in the coming years. Over a third (35%) of energy professionals say a serious incident would have to hit their company before it invests in its defenses.
One explanation for some companies’ seeming reluctance to invest in cybersecurity may be that most respondents believe their organization has avoided a major cyberattack so far, the researchers say. For example, less than a quarter (22%) suspect their organization has been the victim of a serious breach in the past five years.
Solberg says: “It is worrying that some energy companies are hoping for the best approach to cybersecurity rather than actively addressing new cyber threats. This draws clear parallels to the gradual adoption of physical security practices in the energy industry over the past 50 years.”
He continues: “Tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 were needed to prioritize and institutionalize the sector and to introduce stricter regulations.
“Our research sends a strong signal that the industry needs to invest urgently to ensure that cybersecurity does not become the cause of future damage to life, property, and the environment.”
DNV recommends that the first step to strengthening defenses is identifying where critical infrastructure is vulnerable to attack.
The Cyber Priority shows that while many organizations invest in discovering vulnerabilities, these efforts are not sufficiently extended to companies they work with and purchase from.
Only 28% of energy professionals who work with OT say their company makes the cybersecurity of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say spending on IT system upgrades is a high investment priority.
Jalal Bouhdada, founder and CEO of Applied Risk, an industrial cybersecurity company acquired by DNV in 2021, says: “Energy companies can fully monitor their vulnerabilities and have the right measures to manage the risk, but it won’t make any difference if there are undiscovered vulnerabilities in their supply chain.
“Our research identifies remote access to OT systems as one of the top three methods of potential cyber-attacks on the energy industry. We urge the industry to pay more attention to ensuring that equipment suppliers and suppliers demonstrate them from the earliest stages of procurement.”
Despite emerging cybersecurity threats, DNV’s research shows that less than a third (31%) of energy professionals confidently say they know exactly what to do if they are concerned about a potential cyber risk or threat to their organization.
This finding indicates that energy companies should invest in training employees to detect instances of criminal attempts to access their systems. Fewer than six in ten (57%) energy professionals say their employers’ cybersecurity training is effective.
Bouhdada says, “A company’s workforce is the first line of defense against cyber-attacks. Effective training of your workforce, combined with ensuring you have the right cybersecurity expertise, can make all the difference in protecting critical infrastructure.
“Our research demonstrates a clear need for companies to carefully evaluate their investments to keep their people well informed on how to promptly identify and respond to incidents.”