Experts warn energy sector is next to be hit by cyber attacks

Based on responses from 940 energy professionals globally and in-depth interviews with industry executives, DNV's new research titled 'The Cyber Priority,' has found that more than four-fifths of professionals working in the power, renewables, oil and gas sectors expect a cyber attack on the industry has the potential to cause operational shutdowns (85 per cent) and damage to energy assets and critical infrastructure (84 per cent).

Three quarters of the critical infrastructure professionals (74 per cent) anticipate a cyber attack would harm the environment and (57 per cent) anticipate it will cause loss of life. Two-thirds (67 per cent) of energy professionals say that recent cyber attacks on the industry have driven their organisations to make major changes to their security strategies and systems.

According to Trond Solberg, DNV managing director cyber security, energy companies have been tackling IT security for decades.

"Securing operational technology (OT) the computing and communications systems that manage, monitor and control industrial operations is a more recent and increasingly urgent challenge for the sector."

"As OT becomes more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries."

"Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security," Solberg said.

The DNV data also revealed that six in ten C-suite level respondents acknowledge that their organisation is more vulnerable to an attack, but also found that the 'wait, see and hope for the best' approach is common before a threat is addressed.

It is concerning to find that some energy firms may be taking a hope for the best approach to cyber security, Solberg emphasised, rather than actively addressing emerging cyber threats.

VIEW ALL

"This draws distinct parallels to the gradual adoption of physical safety practices in the energy industry over the past 50 years."

"It took tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 for the industry to prioritise and institutionalise global safety protocols, and for tighter regulation to come into place."

"Our research gives a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment," Solberg added.

To prevent a serious attack on their business, less than half (44 per cent) of c-suite respondents have indicated urgent improvements need to be made the next few years and more than a third (35%) of energy professionals believe their company would need to be impacted by a serious incident before investing in cyber security upgrades.

The Cyber Priority data has also revealed that many organisations are investing in vulnerability discovery, their partner companies are excluded from these investments.

Energy companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, according to Jalal Bouhdada, founder and CEO at Applied Risk, an industrial cyber-security firm acquired by DNV, who further explained that it won't make a difference if there are undiscovered vulnerabilities in their supply chain.

"Our research identifies remote access to OT systems among the top three methods for potential cyber attacks on the energy industry."

"We would urge the sector to pay greater attention to ensuring that equipment vendors and suppliers demonstrate compliance with security best practice from the earliest stages of procurement," Bouhdada said.

While emerging cyber security threats are on the rise, DNV's research further reveals that less than a third (31%) of energy professionals are confident that they would know exactly what to do about potential cyber threats to their company. Training employees to identify instances of hackers gaining access to their systems is a key takeaway for energy companies based on the data, with just six in 10 (57%) of energy professionals confirming the cyber security training provided by their employer is effective.

Bouhdada added that a company's workforce is its first line of defence against cyber attacks.

"Effective workforce training, combined with ensuring you have the right cyber security expertise in place, can make all the difference to safeguarding critical infrastructure."

"Our research shows a clear need for companies to carefully evaluate their investments in keeping their people well informed of how to identify and respond to incidents in a timely manner," Bouhdada said.

[Related: New research reveals uptick in Trojan cyber attacks impacting SMEs]