New research published by DNV reveals that energy executives anticipate cyber-attacks on the sector that compromise life, property and the environment within the next two years. But defensive action appears to lag behind.
The Cyber Priority, a research report exploring the state of cyber security in the energy sector, finds that more than four-fifths of professionals working in the power, renewables, and oil and gas sectors believe a cyber-attack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%). Three quarters (74%) expect an attack to harm the environment while more than half (57%) anticipate it will cause loss of life.
“Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector,” said Trond Solberg, Managing Director, Cyber Security, DNV.
Four challenges
#1 The ‘wait and see’ effect
One in three (35%) says their organization would need to be impacted by a major incident before it would spend any more time or money on its defences. This sentiment is more prevalent in the Middle East and Africa (44%) than it is in Europe (29%) and the Americas (39%), despite respondents in the Middle East being more likely to expect a major cyber incident in the industry in the next few years.
#2 Air gap is closing fast
When considering the risk of a cyber-attack on their industrial control systems, DNV says that energy businesses have taken some comfort from the knowledge that their OT platforms have traditionally had an ‘air gap’ insulating them from the IT network.
Specifically, Jalal Bouhdada, Founder and CEO at Applied Risk – an industrial cyber-security firm acquired by DNV in 2021 – cautions that the days of the air gap are numbered.
Most industries are interconnected, driven by the requirement for access to data and analytics.
#3 Shortage of expertise
The research’s findings highlight the need for the industry to bring a greater number of cyber experts into the workforce. The principal challenge here is the global talent-availability crisis.
In particular, the renewables industry is at greatest risk of employees making a misstep at the crucial moment, with just one in five respondents stating clearly that they would know exactly how to respond.
#4 Supply chains disguise critical vulnerabilities
Supply chains in the energy sector are global in scale and increasingly complex, relying on third and fourth parties whose cyber security systems and processes are harder to assess with certainty. Consequently, cyber security across the supply chain is an area in which respondents are less confident than they need to be to protect their critical systems and data.
Key takeaways
#1 Allocate budgets that can make a difference
In an industry that is investing in major digitalization and energy-transition programmes, while contending with the pressures of an uncertain trading environment, many may struggle to reserve the budgets they need to upgrade their capabilities. Around one in three respondents, on average, indicates that they are underinvesting in their IT and OT capabilities.
#2 Find your vulnerabilities
Companies need a clear and complete overview of their information and control systems – and those of their suppliers. The security of technology platforms can be undermined if there are vulnerabilities elsewhere in the supply chain and cyber security has not been adequately factored into contracts with suppliers and subcontractors.
#3 Balance investment between training and technology
The industry now needs to shift the balance so that its focus is more evenly distributed across these two critical areas. Businesses should certainly not reduce investment in technology upgrades, but they need to expand their training programmes while exploring carefully which specialist knowledge they do need to bring into the business.