Cybersecurity a proactive priority backed by billion dollar investment vision

Global energy, petrochemical and industrial segments have become unmistakably more electrified, digitised and interconnected than ever before, in their perennial quest for throughput efficiencies and lower carbon emissions.

But this digital estate - reliant on the embrace of artificial intelligence, industrial Internet of Things, cloud computing applications, automation and computerised plant control systems - needs to be secure. More so, with legacy infrastructure, usage of third-party vendors and back-office outsourcing adding another layer of potential vulnerability.

It is driving the energy and industrial cybersecurity market to a size few can confidently predict for the fear of underestimating it, and for good reason. The need to mitigate vulnerability to cyber threats, be they potential, perceived or actual ones, is only going to grow exponentially.

Being proactive and not reactive

Given the complex nature of the world we live in, the threat from rogue actors continues to rise. They range from career criminals to pariah state-entity operators looking to compromise operational technology or ‘OT’ systems that monitor, manage, and now increasingly automate physical assets.

Any OT slip-up may well extend beyond financial or reputational damage to actual physical harm. It’s why industry executives, multilateral bodies and governments appear to be responding with the seriousness that the situation deserves.

For instance, the European Union’s NIS2 Directive to strengthen digital resilience places stringent requirements on what it categorises as “strategic” industries, including energy, to improve their network and information security.

The directive details security obligations and incident reporting requirements for a much broader range of entities than previous such initiatives. It is already triggering a continent-wide focusing of hearts and minds.

At the recently concluded ONE Conference, an international cybersecurity convention held in The Hague backed by the Dutch government, it was confirmed that a new Netherlands Cybersecurity Act modelled on key tenets of the EU directive will come into effect over the second quarter of 2026.

Matthijs van Amelsfort, CEO of the Netherlands National Cyber Security Centre, told Energy Connects the move is designed to bolster cyber protection and planning, in the face of rising threat levels.

“Improved risk-based thinking and promoting strategic investment in cybersecurity systems to meet rising threats is our ultimate goal. But above anything else, it puts cybersecurity at the heart of commercial operations, something that’s a powerful statement of intent.”

Speaking at the same convention, Dutch Prime Minister Dick Schoof - host of this summer’s NATO summit - said: “The concept of strategic autonomy in the modern world is predicated on digital security, not just natural resources. It is time to take action to manage cyber risk proactively and not reactively.”

Similar overtures are in play in the US - the world’s largest energy consumer - and the big four Asian economic powerhouses of China, India, Japan and South Korea. Two of the Middle East’s biggest energy producing nations, Saudi Arabia and the United Arab Emirates, are also investing billions in industrial cybersecurity backed by legal statutes.

Meanwhile, the Global Initiative for Industrial Safety promoted by the United Nations Industrial Development Organisation has published a “manifesto” offering what it describes as a "strategic blueprint" for stakeholders to harness technology and effectively address safety risks for industries around the world.

Just as policymakers go hard on cybersecurity, two in three energy professionals (65%) say their leadership views cybersecurity as the greatest current risk to their business, according to a DNV Cyber survey published in January. Crucially, more than two-thirds of energy professionals (71%) also expect their company to “increase investment in cybersecurity this year.”

A sizeable chunk of this investment is being directed at AI-enabled real-time threat detection, automated responses to incidents, enhanced defences, and raising awareness and training.

As the International Energy Agency (IEA) noted in a recent report: “The deployment of more proactive AI-enabled cybersecurity systems that are quick to respond to threats is critical for ensuring the resilience of the energy sector. Upskilling, threat mapping and expertise sharing will be essential for keeping the energy sector ahead of the curve.”

Sizing and seizing the opportunity

While cyber-attacks are on the rise, most currently appear confined to IT and not OT infrastructure, according to TrustWave, with the cybersecurity firm noting an 80% spike in ransomware attacks targeting the energy and utilities sector in 2024 compared to the year before.

Not that these cannot be equally devastating, as the Colonial Pipeline hack of 2021 demonstrated. Hackers only compromised the operator’s billing system, but the domino effect of the inability to charge end-customers and an abundance of caution led to the pipeline being closed for six days.

Whether IT, OT, or converged platforms, no operator wants to be in that position and that’s what is driving the business. Major software-industrials vendors are upscaling their cybersecurity suite offers. Many of these are expected to be pitched at the upcoming ADIPEC 2025, widely regarded as the world’s largest energy exhibition and conference that routinely attracts around 200,000 visitors.

Projections on the industry and energy cybersecurity market’s compound annual growth rate range from 7% to 11% to the end of the current decade, based on models put forward by several industry forecasters and major consulting firms.

In dollar terms, that’s a potential end-of-decade market valuation of $100 billion, with nearly half of that projected figure coming from spending by the energy sector alone. And with digitisation now at the heart of the industrial complex, it wouldn’t be a major surprise if such a projection is exceeded by a substantial margin come the end of the decade.