Energy bosses expect more cyber-attacks but slow to act, warns report
20 May 2022
More than four-fifths of global professionals working in the power, renewables and oil and gas sectors recently polled believe a cyber-attack on the industry is likely to cause operational shutdowns and damage assets and critical infrastructure.
Additionally, three quarters (74%) expect an attack to harm the environment while more than half (57%) anticipate it will cause loss of life.
The assertions come in a worldwide survey of nearly 1,000 energy professionals around the world and in-depth interviews with industry executives carried out by independent risk management and quality assurance provider DNV.
The Cyber Priority research report exploring the state of cyber security in the energy sector, identified rising fears over new and more extreme consequences of cyber-attacks follow a series of high-profile security breaches in the energy industry in recent years.
Concern about emerging threats has grown following Russia’s invasion of Ukraine. Two-thirds (67%) of energy professionals responding said that recent cyber-attacks on the industry have driven their organizations to make major changes to their security strategies and systems.
Managing director, cyber security at DNV Trond Solberg warned that less than half (47%) of energy professionals believed their OT security is as robust as their IT security.
Explained Solberg: “Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector.”
“As OT becomes more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries. Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it.”
Worryingly, more than a third (35%) of energy professionals say their company would need to be impacted by a serious incident before investing in their defences.
One explanation for some companies’ apparent hesitance to invest in cyber security may be indicated that less than a quarter (22%) of respondents suspected their organisation has been subject to a serious breach in the last five years.
Solberg cautioned against a ‘hope for the best’ approach to cyber security, drawing parallels to the gradual adoption of physical safety practices in the energy industry.
“It took tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 for the industry to prioritize and institutionalize global safety protocols, and for tighter regulation to come into place.
“Our research gives a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment,” Solberg added.
DNV recommended firms identified where critical infrastructure is vulnerable to attack. Jalal Bouhdada, founder and CEO of DNV subsidiary Applied Risk cited OT systems as a particular concern.
“Our research identifies ‘remote access to OT systems’ among the top three methods for potential cyber-attacks on the energy industry. We would urge the sector to pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement,” he said.
Additionally, better workforce training was needed to ensure improved enforcement of cyber protective measure.
“Effective workforce training, combined with ensuring you have the right cyber security expertise in place, can make all the difference to safeguarding critical infrastructure,” said Bouhdada.