New research published by DNV, the independent risk management and quality assurance provider, has revealed that energy executives anticipate life, property, and environment-compromising cyber-attacks on the sector within the next two years
The Cyber Priority, a research report exploring the state of cyber security in the energy sector, finds that more than four-fifths of professionals working in the power, renewables, and oil and gas sectors believe a cyber-attack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%).
DNV’s research is based on a survey of more than 940 energy professionals around the world and in-depth interviews with industry executives.
Rising fears over new and more extreme consequences of cyber-attacks follow a series of high-profile security breaches in the energy industry in recent years. DNV’s research also indicates that concern about emerging threats has grown following Russia’s invasion of Ukraine. Two-thirds (67%) of energy professionals say that recent cyber-attacks on the industry have driven their organisations to make major changes to their security strategies and systems.
“Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector,” said Trond Solberg, managing director, cyber security, DNV.
Action lags as some companies hope for the best
Six in ten C-suite level respondents to DNV’s survey acknowledge that their organisation is more vulnerable to an attack now than it has ever been. However, there are signs that some companies are taking a ‘wait, see and hope for the best’ approach to address the threat.
Less than half (44%) of C-suite respondents believe they need to make urgent improvements in the next few years to prevent a serious attack on their business, and more than a third (35%) of energy professionals say their company would need to be impacted by a serious incident before investing in their defences.
One explanation for some companies’ apparent hesitance to invest in cyber security may be that most respondents believe that their organisation has so far avoided a major cyber-attack. Less than a quarter (22%) suspect their organisation has been subject to a serious breach in the last five years.
Supply chain blind spots cause concern
DNV recommends that the first step to strengthen defences is to identify where critical infrastructure is vulnerable to attack. The Cyber Priority reveals that, while many organisations are investing in vulnerability discovery, these efforts are not being sufficiently extended to include companies they partner with and procure from.
“Energy companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, but that won’t make a difference if there are undiscovered vulnerabilities in their supply chain. Our research identifies ‘remote access to OT systems’ among the top three methods for potential cyber-attacks on the energy industry. We would urge the sector to pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement,” said Jalal Bouhdada, founder and CEO at Applied Risk, an industrial cyber-security firm acquired by DNV in 2021.
More workforce training is needed
Despite emerging cyber security threats, DNV’s research reveals that less than a third (31%) of energy professionals assert confidently that they know exactly what to do if they were concerned about a potential cyber risk or threat on their organisation.
“A company’s workforce is its first line of defence against cyber-attacks. Effective workforce training, combined with ensuring you have the right cyber security expertise in place, can make all the difference to safeguarding critical infrastructure. Our research shows a clear need for companies to carefully evaluate their investments in keeping their people well informed of how to identify and respond to incidents in a timely manner,” said Bouhdada.
DNV, an independent energy expert and assurance provider, has been chosen as a partner by the International Association of Oil & Gas Producers (IOGP) to support the decarbonisation initiatives of IOGP members
Nigeria is expected to witness 109 oil and gas projects to commence operations across the value chain during the next four years, accounting for more than 24% of the predicted total projects starts during that time, according to GlobalData, a leading data and analytics company
Ministry of Mines and Hydrocarbons of Equatorial Guinea and the joint venture partners at Block G offshore Equatorial Guinea have agreed a material time extension of the Production Sharing Contract (PSC) until 31 December 2040, covering the producing Ceiba and Okume Complex Fields
Apex International Energy (Apex) announced that the Fajr-8 development well was tested at a daily rate of 2,440 barrels of oil and negligible water
Alain Charles Publishing
11-13 Lower Grosvenor Place,
London, SW1W 0EX, UK
T: +44 20 7834 7676
F: +44 20 7973 0076