Energy executives expect more extreme cyber-attacks but defensive action is lagging, new DNV research reveals

New research published by DNV reveals that energy executives anticipate life, property, and environment-compromising cyber-attacks on the sector within the next two years. But defensive action appears to lag.

  • Energy professionals believe that cyber-attacks on the industry are likely to cause harm to life, property and the environment in the next two years. 84% expect physical damage to assets and 57% anticipate loss of life
  • Less than half (47%) believe that the security of their operational technologies (OT) – the control systems managing, monitoring and controlling industrial operations – is as robust as their IT security
  • Just 28% of energy professionals working with OT say their company is making the cyber security of their supply chain a high priority for investment
  • Fewer than a third (31%) of energy professionals assert confidently that they know exactly what to do if they were concerned about a potential cyber risk or threat
  • Less than half (44%) of the industry’s C-suite sees the need for urgent improvements to prevent a serious attack on their business, despite emerging threats.

Oslo, Norway - 19 May 2022: New research published by DNV, the independent risk management and quality assurance provider, reveals that energy executives anticipate life, property, and environment-compromising cyber-attacks on the sector within the next two years.

The Cyber Priority, a research report exploring the state of cyber security in the energy sector, finds that more than four-fifths of professionals working in the power, renewables, and oil and gas sectors believe a cyber-attack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%). Three quarters (74%) expect an attack to harm the environment while more than half (57%) anticipate it will cause loss of life.

DNV’s research is based on a survey of more than 940 energy professionals around the world and in-depth interviews with industry executives.

Rising fears over new and more extreme consequences of cyber-attacks follow a series of high-profile security breaches in the energy industry in recent years.1 DNV’s research also indicates that concern about emerging threats has grown following Russia’s invasion of Ukraine. Two-thirds (67%) of energy professionals say that recent cyber-attacks on the industry have driven their organizations to make major changes to their security strategies and systems.

Trond Solberg, Managing Director, Cyber Security, DNV

“Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector,” said Trond Solberg, Managing Director, Cyber Security, DNV.

“As OT becomes more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries. Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security,” Solberg added.


Action lags as some companies hope for the best

Six in ten C-suite level respondents to DNV’s survey acknowledge that their organization is more vulnerable to an attack now than it has ever been. However, there are signs that some companies are taking a ‘wait, see and hope for the best’ approach to address the threat.

Less than half (44%) of C-suite respondents believe they need to make urgent improvements in the next few years to prevent a serious attack on their business, and more than a third (35%) of energy professionals say their company would need to be impacted by a serious incident before investing in their defences.

One explanation for some companies’ apparent hesitance to invest in cyber security may be that most respondents believe that their organization has so far avoided a major cyber-attack. Less than a quarter (22%) suspect their organization has been subject to a serious breach in the last five years.

“It is concerning to find that some energy firms may be taking a ‘hope for the best’ approach to cyber security rather than actively addressing emerging cyber threats. This draws distinct parallels to the gradual adoption of physical safety practices in the energy industry over the past 50 years,” said Solberg.

“It took tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 for the industry to prioritize and institutionalize global safety protocols, and for tighter regulation to come into place. Our research gives a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment,” Solberg added.


Supply chain blind spots cause concern

DNV recommends that the first step to strengthen defences is to identify where critical infrastructure is vulnerable to attack. The Cyber Priority reveals that, while many organizations are investing in vulnerability discovery, these efforts are not being sufficiently extended to include companies they partner with and procure from.

Just 28% of energy professionals working with OT say their company is making the cyber security of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say expenditure in IT system upgrades is a high investment priority.

Jalal Bouhdada, Founder and CEO at Applied Risk

“Energy companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, but that won’t make a difference if there are undiscovered vulnerabilities in their supply chain. Our research identifies ‘remote access to OT systems’ among the top three methods for potential cyber-attacks on the energy industry. We would urge the sector to pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement,” said Jalal Bouhdada, Founder and CEO at Applied Risk, an industrial cyber-security firm acquired by DNV in 2021.


More workforce training is needed

Despite emerging cyber security threats, DNV’s research reveals that less than a third (31%) of energy professionals assert confidently that they know exactly what to do if they were concerned about a potential cyber risk or threat on their organization. This finding points to a need for energy companies to invest in training employees to spot instances of criminal attempts to gain access to their systems. Less than six in 10 (57%) of energy professionals say their employer’s cyber security training is effective.

“A company’s workforce is its first line of defence against cyber-attacks. Effective workforce training, combined with ensuring you have the right cyber security expertise in place, can make all the difference to safeguarding critical infrastructure. Our research shows a clear need for companies to carefully evaluate their investments in keeping their people well informed of how to identify and respond to incidents in a timely manner,” said Bouhdada.



References

1 Recent high-profile cyber security breaches affecting critical infrastructure in the energy industry include a shut-down inducing attack on the US Colonial Pipeline in 2021, and a series of attacks disabling parts of Ukraine’s power grid in the mid-to-late 2010s.



About the research

The Cyber Priority explores the state of cyber security in today’s global energy sector, investigating executives’ understanding of the cyber risks their businesses face and their strategies for managing the evolving threat. The research draws on a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts. It was developed and created by DNV and Longitude, a Financial Times company.

Fieldwork was conducted between February and March 2022. Respondents were based in Europe the Americas, the Middle East and Africa, and Asia Pacific. They included publicly listed companies and privately held firms, spanning energy industry services, power transmission and supply, renewables, and oil and gas. The survey respondents represent a range of functions within the industry, including those with in-depth knowledge of cyber security, engineers, general managers and C-suite executives.

Download a complimentary copy of The Cyber Priority