
Energy sector cybersecurity still a growing priority

Achieving cybersecurity maturity in the energy sector is a work in progress, new research from DNV has indicated.

The study, based on a survey of almost one thousand energy professionals across the world, has revealed that most believe a major incident is probable within the next two years and most likely to cause operational shutdowns and damage to assets, harm to the environment or loss of life.

Notably, two-thirds acknowledged that the shock of recent cyber incidents, such as the 2021 ransomware attack on the Colonial Pipeline, has driven them to make major changes to their security strategy and systems.

However, despite anticipating a serious incident, they seem less likely to believe their own organisation will be affected by the most extreme, life-threatening consequences, with fewer than one quarter describing this or environmental damage as a top concern.

From their perspective, the greatest concern of an attack is disrupted services and operations, cited by over half, while other top concerns include reputational damage, data loss or corruption and financial losses due to theft or other causes such as lost opportunities.

In terms of threat actors, hacktivists and foreign powers and state-sponsored actors are the most concerning, with competitors of least concern.

Cybersecurity challenges

Based on the survey findings, DNV identifies four key challenges. One is a ‘wait and see’ effect, which is holding back overall progress: one-third said their organisation would need to be impacted by a major incident before it would spend any more time or money on its defences.

Another is that what DNV refers to as the ‘air gap’ between OT and IT is closing fast, yet fewer of the respondents think their organisation is prepared for an attack on the OT environment than on the IT environment.

A third challenge is the global shortage of expertise while the fourth is that the supply chains in the sector, global in scale and increasingly complex, can disguise critical vulnerabilities. Just over one quarter of energy professionals working within OT say their company is making the cyber security of their supply chain a high priority for investment.

In the survey conclusions, DNV stresses that cybersecurity needs to be a continuous process and is not something a business can deploy overnight and revisit at a later date.

It needs more than just enough budget and one can make a difference, based on a determination of where the organisation is vulnerable and with a balance between training and technology.

“Cyber activity cannot take place without first-hand knowledge of industry pressures and the operational reality of energy environments,” says DNV’s cyber security managing director Trond Solberg in the conclusions of ‘The Cyber Priority’ survey.

“Training in IT cybersecurity is vital but, for a robust cyber defence, businesses also need deep understanding of each energy domain, whether nuclear, renewables or oil and gas, and assurance that cyber processes will not impact production or their long-term goals around the energy transition.”