Energy executives brace for more extreme cyber-attacks worldwide

Senior energy executives around the world anticipate life, property, and environment-compromising cyber-attacks on the sector within the next two years, according to new research published by risk management and quality assurance provider DNV on Thursday.

In a survey of more than 940 energy professionals from around the world and in-depth interviews with industry executives, DNV found that more than 80 percent of them working in the power, renewables, and oil and gas sectors believe a cyber-attack on the industry is likely to cause operational shutdowns (85 percent) and damage to energy assets and critical infrastructure (84 percent).

The Cyber Priority, a research report exploring the state of cyber security in the energy sector, also found that 74 percent of the respondents expect an attack to harm the environment while more than half (57 percent) anticipate it will cause loss of life.

High-profile breaches
The research follows rising fears over new and more extreme consequences of cyber-attacks follow a series of high-profile security breaches in the energy industry in recent years.

“Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector,” Trond Solberg, Managing Director, Cyber Security, DNV, said in a statement.

The survey also revealed growing concern about emerging threats following Russia’s invasion of Ukraine. Two-thirds (67 percent) of energy professionals said that recent cyber-attacks on the industry have driven their organisations to make major changes to their security strategies and systems.

“As OT becomes more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries. Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it. Less than half (47 percent) of energy professionals believe their OT security is as robust as their IT security,” Solberg added.

‘Hope for the best’ approach
According to the survey, the apparent hesitation of some companies to invest in cyber security could be because most respondents believe that their organisation has so far avoided a major cyber-attack.

“It is concerning to find that some energy firms may be taking a ‘hope for the best’ approach to cyber security rather than actively addressing emerging cyber threats. This draws distinct parallels to the gradual adoption of physical safety practices in the energy industry over the past 50 years,” said Solberg.

“It took tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 for the industry to prioritise and institutionalise global safety protocols, and for tighter regulation to come into place,” Solberg said.

Six in ten C-suite level respondents said that their organisation was more vulnerable to an attack now than it has ever been.

Less than half (44 percent) of C-suite respondents believe they need to make urgent improvements in the next few years to prevent a serious attack on their business, and more than a third (35 percent) of energy professionals say their company would need to be impacted by a serious incident before investing in their defences.