Energy companies are taking cyber threats seriously at the highest levels, as two in three energy professionals (65%) say their leadership views cybersecurity as the greatest current risk to their business, according to new research on the state of cybersecurity in the energy sector. More than two thirds of energy professionals (71%) expect their company to increase investment in cybersecurity this year. 

According to the latest Energy Cyber Priority report from DNV Cyber, energy companies are making progress in cybersecurity. This includes greater awareness at leadership level, with 78% of energy professionals confident their leaders sufficiently understand cyber risk. Successes have been delivered by employee training, as more than eight in 10 (84%) say they know exactly what to do if they are concerned about a potential cyber threat. Growing attention is being paid to operational technology (OT) cybersecurity – securing the systems that manage, monitor, and automate physical assets – as two thirds (67%) expect greater OT security investment in the year ahead. Challenges remain, however, as the energy transition creates new attack surfaces and as threat actors become more sophisticated. 

Digital technologies are essential to drive and enable the energy transition, but each potentially broadens an energy company’s exposure to cyber risk – whether due to their increased use of sensitive data, greater dependence on third-party tools and components, or the introduction of connected environments through which hackers can infiltrate from system to system. 

“Achieving the energy transition is central to society at large. The whole energy sector – companies and governments alike – are working together on this massive challenge, which is increasingly complex because the technologies underpinning the transition are largely digital and scaling rapidly. With this comes cybersecurity risks,” says Ditlev Engel, CEO, Energy Systems at DNV.

The energy transition is making cyber risk unavoidable, and this is reshaping attitudes in the energy industry, as half (49%) of energy professionals believe their organizations should accept additional cyber risk as a necessary trade-off for innovation. 

Of the 375 energy professionals surveyed globally for the research, three-quarters (75%) report that their organization has increased focus on cybersecurity because of growing geopolitical tensions over the last year. Some 72% are concerned about the potential for attacks directed by foreign powers, up from 62% in 2023. Eight in 10 (79%) are concerned about the threat from cyber-criminal gangs, up from 50% in 2023. The research records a rise in concern about malicious insiders, up from 51% in 2023 to 62% this year.  

“Even as the energy industry becomes more mature in its cybersecurity posture, it must continue to strengthen and adapt to remain resilient against a growing number of increasingly sophisticated threats. From attacks on supply chains, recruitment of malicious insiders, and the use of AI, adversaries are upping their game and the energy industry needs to keep up,” says Auke Huistra, Director of Industrial and OT Cybersecurity at DNV Cyber. 

DNV Cyber’s new report Energy Cyber Priority 2025: Addressing Evolving Risks, Enabling Transformation argues that energy companies must double their cybersecurity efforts to overcome five principal challenges: 

• securing physical infrastructure
• overcoming complex cybersecurity supply chains 
• enhancing employee vigilance 
• embedding new skills in the workforce 
• embracing AI. 
  

Connecting physical infrastructure to modern IT architectures and other assets creates new vulnerabilities. Recognizing the potential to cause harm, threat actors are increasing their attacks on OT systems, with the potential to directly cause physical safety incidents. More than two thirds of energy professionals (71%) acknowledge that their organizations are more vulnerable to OT cyber events than ever before, an increase from 64% in 2023. More than half (57%) admit that their OT defences lag their IT defences. 

Supply chains are a major worry for energy companies as threat actors go to suppliers and sub-suppliers to gain access to companies operating large assets. Around half (53%) of energy professionals indicate that cybersecurity issues are typically included in their procurement requirements and processes. Just 16% are very confident that their organization can demonstrate full visibility of the supply chain and any vulnerabilities, and more than a third (34%) suspect undisclosed breaches among their suppliers.  

Employee vigilance continues to rise, but adversaries are constantly changing their approach and targeting employees with more sophisticated tactics. Three quarters of energy professionals (76%) worry that their organization’s cybersecurity training is not advanced enough to prepare for more sophisticated attacks. Skills and knowledge gaps are also an issue, as half (46%) of energy professionals say a lack of skills and talent is making it more challenging for their organizations to secure their organizations.  

Generative AI’s increasingly human-sounding tone and capacity for detail enables cyber criminals to launch more convincing scams. Two-thirds of energy professionals (66%) agree that attackers’ use of AI in phishing attacks has made it more difficult to determine whether emails are genuine. Cybersecurity professionals understand that neglecting AI will put them at a disadvantage, as almost half (47%) fear they will fall behind adversaries unless they harness AI. 

 Cyber Priority  

DNV Cyber’s Cyber Priority research explores the changing attitudes and approaches to cybersecurity in key industrial sectors. The latest edition of the research for 2024/25 draws on a cross-sector survey of more than 1,150 professionals and interviews with industry leaders. Research was conducted between September 2024 and January 2025.  

The report Energy Cyber Priority 2025: Addressing Evolving Risks, Enabling Transformation explores the views of 375 energy professionals who responded to the survey, complemented by in-depth interviews and analysis from DNV Cyber experts and industry leaders, including from E-REDES, Siemens Energy, Fortified Technologies, and Fortum. 

The report Maritime Cyber Priority 2024/25: Managing Cyber Risk to Enable Innovation explores the views of almost 500 maritime professionals who responded to the survey, complemented by in-depth interviews and analysis from industry leaders and DNV Cyber experts.