Cybersecurity: Why cyber security is critical to a successful energy transition
This is the decade when the pace of the energy transition is set. A 1.5 degrees Celsius future can be achieved with the massive scale-up of existing technologies, such as carbon capture and storage, electrification, hydrogen, batteries and renewables.
DNV’s 2022 Energy Transition Outlook, our independent model of the world’s energy system, forecasts significant roll-out of low-carbon energy infrastructure in the years ahead. For example, solar power’s share of the energy mix will grow twenty-fold and wind ten-fold by 2050. Grid investments must grow by more than 50% over the next decade to support this influx.
The scaling of energy infrastructure for a rapid energy transition is deeply dependent on critical infrastructure becoming more and more digitally connected, to make society safer, bring down costs and increase efficiency. But the rising geopolitical tensions we have seen over the last couple of years are shining a light on just how vulnerable critical infrastructure is, the more connected it becomes.
EMERGING OPERATIONAL TECHNOLOGY RISKS
Traditionally, operational technology (OT)—the control systems that manage, monitor, automate and control energy assets and infrastructure—has been “air-gapped,” due to operating in siloed environments that are disconnected from other networks. This air gap is closing fast, as OT becomes more networked and connected to IT environments, Fig. 1.
This opens the door for potential threat actors to access and control critical infrastructure, impacting the safety of people, assets and the environment. Research conducted by DNV in 2022 revealed that the vast majority of energy professionals anticipate cyber-attacks damaging assets and infrastructure (84%) and disrupting operations (85%) within two years. Most also consider it likely that cyber-attacks will compromise life (57%) and the environment (74%).
The challenge is that the central action to mitigate emerging cyber risks appears to be lagging behind the threat. Less than half (47%) of the 940 energy professionals that DNV surveyed for its Cyber Priority research report believe that the security of their organization’s OT is as robust as their IT security. Yet more than a third (35%) say their business would need to be impacted by a major incident before they would spend any more time or money on its defenses.
Six in 10 c-suite level energy executives acknowledge that their organization is more vulnerable to attack than ever before, but far fewer (44%) expect to make urgent improvements in the next few years to prevent an attack.
This perceived “wait and see” approach to cybersecurity, instead of actively addressing emerging threats, draws parallels to trends in the industry’s physical safety practices over the past 50 years. For example, it took tragic incidents, such as the 1988 Piper Alpha disaster in the North Sea, for the sector to prioritize and institutionalize safety protocols, standards and regulation. The result is that safety risks are now tightly managed, to prevent incidents from occurring. We must adopt the same culture to cybersecurity, as cyber threats create safety risks.
The energy sector now appears within the top five industries facing cyber-attacks¹. As cyber threats become more common, complex and creative, organizations at every stage of the energy supply chain must now ask themselves a critical question: are we confident that we have the right security strategies, competence and technology in place to defend ourselves against a cyber-attack?
KNOW WHERE YOU ARE VULNERABLE
The overriding principles to mitigate against assets and operations being compromised by a cyber-attack are to protect, detect, respond and recover. This is in line with industry best practice, including the National Institute of Standards, Technology’s (NIST) cybersecurity framework and IEC 62443 standards.
For many organizations, however, the challenge in ensuring cyber resilience is understanding and identifying where their vulnerabilities exist. By having a clear overview of attack surfaces and potential entry points, companies can prioritize the areas that must be addressed.
Robust, often straightforward mitigation measures can be put in place to address most areas. Organizations should regularly conduct risk assessments to understand the new vulnerabilities and emergent risks they face. Continuity and compliance are also key to effective cybersecurity management, which must address people, processes and technology.
Many companies in the energy sector are working hard to discover their cybersecurity vulnerabilities and put mitigating actions in place. These efforts must also be extended to their suppliers. Undiscovered vulnerabilities along the supply chain can completely undermine a company’s in-house cybersecurity efforts when audits are rarely conducted.
Cybersecurity requirements are often not included in procurement contracts, and cybersecurity’s due diligence is frequently forgotten when it comes to purchasing equipment, systems and software. Just half (49%) of OT security professionals say their contracts with suppliers include cybersecurity requirements, while only 28% of energy professionals working with OT say their company is making the cybersecurity of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say expenditure in IT system upgrades is a high investment priority.
BUILD A WORKFORCE PREPARED TO DEFEND
A company’s first line of defense against emerging cyberthreats is its staff. Keeping workforces up to speed on the evolving nature of the sector, and how to spot and report potential criminal attempts to gain access to their systems, is a basic but essential means of protection. Around eight in 10 (78%) energy professionals said their organization is making education and training a spending priority in their cybersecurity budgets. While this is positive news, there are signs that these efforts must be accelerated further. Our research reveals that less than a third (31%) of energy professionals assert confidently that they know exactly what to do if they were concerned about a potential cyber risk or threat on their organization.
Effective workforce training, combined with ensuring you have the right cyber security expertise in place, can make all the difference to safeguarding critical infrastructure. According to the (ISC)2 Cybersecurity Workforce Study, the cybersecurity workforce gap represents around 2.7 million professionals.² These business-critical teams must coordinate tightly with IT departments to ensure that mitigations are aligned.
TIGHTER REGULATION IS ON THE HORIZON
For companies still at the early stages of recognizing the major shift in culture that this will take, incentive may come from regulation. Organizations providing essential services (including companies in the energy sector) in the European Union (EU), for example, will soon face tougher cybersecurity regulation than ever, with the threat of more and greater fines, and/or withdrawal of license to operate, if they do not comply.
The revised NIS2 Directive strengthens cybersecurity requirements for companies; addresses cybersecurity of supply chains and supplier relationships; introduces top management accountability for non-compliance and streamlines reporting obligations. The EU’s 27 member states must transpose the regulation into national laws by the end of 2024. Energy companies that fall within scope would be wise to start preparing for compliance straight away.
THE EVOLVING THREAT
Adversaries are continuously evolving. As IT-dependent industries have strengthened their defenses, cyber criminals have turned their attention to infiltrating environments where barriers are less mature. OT security lags approximately 15 years behind that of IT, and for threat actors, that presents opportunity.
In an ever-changing world, motivations for criminals are vast. While financial gain may be a traditional motive, energy companies might now be targeted by campaigners seeking to force societal change or by foreign/state-sponsored attackers trying to undermine public confidence in critical infrastructure.
Over the coming years, as the energy transition keeps pace, and OT increasingly becomes intertwined with IT, the scope of exposure to cyber security risks that companies are susceptible to will only grow. The sector must take this threat seriously—sooner rather than later.
Lead photo: Operational Technology is becoming increasingly connected to IT systems. Image: DNV
- Executive viewpoint (May 2023)
- Drilling advances (May 2023)
- Regional report: South Australia: New life in a mature basin: S.A.’s Cooper basin CCS and exploration opportunities (May 2023)
- Advancing offshore wind energy in the United States (April 2023)
- Pioneering engineering project to power rigs with hydrogen (April 2023)
- The last barrel (March 2023)
- Applying ultra-deep LWD resistivity technology successfully in a SAGD operation (May 2019)
- Adoption of wireless intelligent completions advances (May 2019)
- Majors double down as takeaway crunch eases (April 2019)
- What’s new in well logging and formation evaluation (April 2019)
- Qualification of a 20,000-psi subsea BOP: A collaborative approach (February 2019)
- ConocoPhillips’ Greg Leveille sees rapid trajectory of technical advancement continuing (February 2019)