Calendar An icon of a desk calendar. Cancel An icon of a circle with a diagonal line across. Caret An icon of a block arrow pointing to the right. Email An icon of a paper envelope. Facebook An icon of the Facebook "f" mark. Google An icon of the Google "G" mark. Linked In An icon of the Linked In "in" mark. Logout An icon representing logout. Profile An icon that resembles human head and shoulders. Telephone An icon of a traditional telephone receiver. Tick An icon of a tick mark. Is Public An icon of a human eye and eyelashes. Is Not Public An icon of a human eye and eyelashes with a diagonal line through it. Pause Icon A two-lined pause icon for stopping interactions. Quote Mark A opening quote mark. Quote Mark A closing quote mark. Arrow An icon of an arrow. Folder An icon of a paper folder. Breaking An icon of an exclamation mark on a circular background. Camera An icon of a digital camera. Caret An icon of a caret arrow. Clock An icon of a clock face. Close An icon of the an X shape. Close Icon An icon used to represent where to interact to collapse or dismiss a component Comment An icon of a speech bubble. Comments An icon of a speech bubble, denoting user comments. Ellipsis An icon of 3 horizontal dots. Envelope An icon of a paper envelope. Facebook An icon of a facebook f logo. Camera An icon of a digital camera. Home An icon of a house. Instagram An icon of the Instagram logo. LinkedIn An icon of the LinkedIn logo. Magnifying Glass An icon of a magnifying glass. Search Icon A magnifying glass icon that is used to represent the function of searching. Menu An icon of 3 horizontal lines. Hamburger Menu Icon An icon used to represent a collapsed menu. Next An icon of an arrow pointing to the right. Notice An explanation mark centred inside a circle. Previous An icon of an arrow pointing to the left. Rating An icon of a star. Tag An icon of a tag. Twitter An icon of the Twitter logo. Video Camera An icon of a video camera shape. Speech Bubble Icon A icon displaying a speech bubble WhatsApp An icon of the WhatsApp logo. Information An icon of an information logo. Plus A mathematical 'plus' symbol. Duration An icon indicating Time. Success Tick An icon of a green tick. Success Tick Timeout An icon of a greyed out success tick. Loading Spinner An icon of a loading spinner.

DNV report shows energy executives expect escalation in cyber-attacks

© Supplied by DNVDNV Cyber Priority.
DNV Cyber Priority.

New research published by DNV reveals that energy executives anticipate life, property, and environment-compromising cyber-attacks on the sector within the next two years.

The risk assurance group surveyed more than 940 energy professionals from around the world, working the in the oil and gas, renewables and power sector.

The resulting research report, the Cyber Priority, finds that more than four-fifths of respondents believe a cyber-attack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%).

In addition, nearly three quarters (74%) expect an attack to harm the environment while more than half (57%) anticipate it will cause loss of life.

Concerns around emerging threats have grown in recent months, particularly following Russia’s invasion of Ukraine.

The warning follows a series of successful attacks launched on UK companies and regulators, including the Scottish Environmental Protection Agency (Sepa) in 2020, and drilling contractor KCA Deutag in 2021 – in addition to larger more sophisticated attacks on US pipeline infrastructure.

However, DNV’s research suggests the majority of companies are not adequately prepared. Six in ten C-suite level respondents acknowledged that their organisation is more vulnerable to an attack now than it has ever been, and less than half (44%) said they needed to make urgent improvements in the next few years to prevent a serious attack on their business.

© Supplied by DNV
DNV managing director for cyber security Trond Solberg.

“Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector,” commented DNV managing director for cyber security Trond Solberg.

“As OT becomes more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries. Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security,” he continued.

Meanwhile, more than one third (35%) of all those surveyed said their company would need to be impacted by a serious incident before investing in their defences.

“It is concerning to find that some energy firms may be taking a ‘hope for the best’ approach to cyber security rather than actively addressing emerging cyber threats. This draws distinct parallels to the gradual adoption of physical safety practices in the energy industry over the past 50 years,” Mr Solberg added.

“It took tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 for the industry to prioritise and institutionalise global safety protocols, and for tighter regulation to come into place.

“Our research gives a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment.”

Supply chain vulnerabilities

DNV’s recommendation is that the first step to strengthening corporate defences is to identify where critical infrastructure is vulnerable to attack.

The report suggests that, while many companies are investing in vulnerability discovery, these efforts are not being sufficiently extended to include companies they partner with and procure from.

Indeed, only 28% of respondents working with OT say their company is making the cyber security of their supply chain a priority for investment. Meanwhile, almost half said expenditure in IT system upgrades remains a high investment priority.

Jalal Bouhdada, Founder and CEO at Applied Risk, an industrial cyber-security firm acquired by DNV in 2021, made the case for reducing the potential for “undicosvered vulnerabilities” in energy supply chains.

“Our research identifies ‘remote access to OT systems’ among the top three methods for potential cyber-attacks on the energy industry. We would urge the sector to pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement,” he added.

The report also raises the need for energy companies to invest in training their employees, both to spot potential vulnerabilities and attempted attacks, and in how to respond if an attack does in fact occur.

Recommended for you

More from Energy Voice

Latest Posts