Energy companies face new pressures as cyber security threats rise
Jan 10, 2022 by Energy Connects
Threats to industrial cyber security are becoming more common, complex, and creative as companies in the sector witness a continual increase in threats to their critical infrastructure. In 2020, a staggering 90 percent of companies in the manufacturing, energy and utilities, healthcare, and transportation sectors suffered an attack on the computing systems managing their operations.
The energy sector now appears among the top three most attacked industries according to insurance firm Hiscox. A series of high-profile assaults causing disruption to energy supply have given energy companies a wakeup call to the security threats they now face. For example, the attack on the Colonial Pipeline company in May 2021 led to a temporary shutdown of the largest fuel pipeline in the US and caused a brief shortage of gasoline and other petroleum products on the country’s east coast. In 2015, an attack on a series of Ukraine’s power grid substations left a quarter of a million people without power and set a precedent for the vulnerabilities facing the world’s grids.
Recovery from an industrial cyber-attack can cost organizations hundreds of millions of dollars. Added to this, companies that build and operate critical infrastructure face new pressures to comply with emerging regulation. For example, in October last year the US Federal Administration announced new mandates on the railroad and airline industries and fines for federal contractors who fail to report breaches. These compulsory measures follow the introduction of tighter cyber security regulations for US pipeline operators issued earlier this year, and a separate mandate that government contractors secure their networks.
IT environments have faced information security threats and active attacks for several decades already, while industrial control systems have traditionally been kept in secure silos, physically separated from IT networks. This picture is now changing. Operational technology is becoming more connected with IT networks and the industrial internet of things, allowing cyber criminals to gain entry to, and control of, operational technologies through IT networks.
A team of researchers from the University of Tulsa has demonstrated just how easy it can be for hackers to exploit the control systems of a wind farm. In 2017, they accessed an unsupervised wind turbine by picking the lock in the turbine’s door in under a minute. Once inside the turbine, they plugged a minicomputer with attack software into the turbine’s server. This exposed several vulnerabilities that could give them full remote control of the mechanics of the entire wind farm and the potential to destroy all turbines within it.
Know where you’re vulnerable
Industrial cyber-attacks will become more frequent, and their consequences more severe, in the coming years. Gartner forecasts that cyber criminals will go beyond financially motivated attacks, and progressively weaponize industrial control systems to cause harm to human life by the middle of this decade.
With life, property, and the environment now firmly at stake, mindsets towards cyber security are tangibly shifting at the most senior levels in company management. Just a few years ago, the default position among company boards and C-suites was to ensure compliance with cyber security regulation and then move on to another year.
Nowadays, companies increasingly realise that a significant issue could be missed in their cyber security audit samples while they remain compliant. Top-level managers who are more risk-averse are beginning to ask what compliance means and whether it gives them a get-out-of-jail card if a severe incident happens. The answer is no.
Perhaps the biggest cyber security challenge facing the energy sector today is that many companies don’t know where they are exposed to threats. Sixty percent of organizations with industrial operations are not yet aware of where their technologies are vulnerable, according to Gartner.
As such, the most urgent task facing companies in the energy sector is to discover where their projects and operations are exposed to threats before hackers can find them. By having a clear and complete overview of their information and control systems, companies can prioritize the vulnerabilities and non-conformities they must address to stay confidently cyber secure, and put the right people, processes, and technologies in place to build effective protection from threats.
It’s not enough for companies to go through the process of actively discovering where they are vulnerable once every so often. This must be done iteratively to ensure resilience against new attack vectors coming onto the scene. A case in point is the emergence of Log4Shell in December, where a previously undetected vulnerability was uncovered in a tool used in cloud servers and enterprise software across the world.
Within hours of discovery, it emerged that Log4Shell could be the worst computer vulnerability discovered in years. Exploitation of this flaw is very easy because it doesn’t require any authentication or special privileges. Cyber security teams immediately scrambled to patch the issue and safeguard their IT systems. But it was less well publicized that the nature of the vulnerability means it is also present in industrial control system environments.
A combined force of defense
A well-balanced blend of expertise is needed to build an effective force of defense against emerging risks in the energy sector. Companies that have made the most progress with their cyber security are taking a holistic view of their IT and operational technology system security rather than treating them separately. And their cyber security programs increasingly comprise teams that blend specialist industry knowledge, engineering expertise and information system best practice to achieve the best results for their business.
Companies often engage with external advisors to establish cyber security best practice more rapidly, or to leverage the know-how of a bigger security community that is more able to stay updated and gain experience across companies and sectors. DNV is making significant investments in rapidly growing our cyber security business to make a bigger impact for our customers. Our journey begins by joining forces with Applied Risk.
DNV and Applied Risk aim to build the world’s largest industrial cyber security practice, safeguarding critical infrastructure in energy, maritime, manufacturing, chemicals, and other industrial sectors. Together, we will provide real-world cyber security expertise to some of the world’s most complex infrastructure projects, helping the energy sector identify cyber risks, build a powerful force of defense against threats, recover from attacks and win stakeholder trust and support.