Energy professionals anticipate cyber-attacks will cause significant disruption to operations over the next two years, but the industry can do more to avoid costly consequences, according to a new report from risk manager DNV.
‘The Cyber Priority’, a research report exploring the state of cybersecurity in the energy sector, finds more than four-fifths of professionals working in the power, renewables, and oil and gas sectors believe a cyber-attack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%).
DNV managing director for cybersecurity Trond Solberg (pictured) said: “Energy companies have been tackling IT security for several decades.
“However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector.
“As OT becomes more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries.
“Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it.
“Less than half (47%) of energy professionals believe their OT security is as robust as their IT security.”
Six in 10 C-suite level respondents to DNV’s survey acknowledge that their organisation is more vulnerable to an attack now than it has ever been.
However, there are signs that some companies are taking a “wait, see and hope for the best” approach to address the threat, according to the report.
Less than half (44%) of C-suite respondents believe they need to make urgent improvements in the next few years to prevent a serious attack on their business, and more than a third (35%) of energy professionals say their company would need to be impacted by a serious incident before investing in their defences.
DNV suggests one explanation for some companies’ apparent hesitance to invest in cybersecurity may be that most respondents believe their organisation has so far avoided a major cyber-attack.
Less than a quarter (22%) suspect their organisation has been subject to a serious breach in the last five years.
“It is concerning to find that some energy firms may be taking a ‘hope for the best’ approach to cybersecurity rather than actively addressing emerging cyber threats,” added Solberg.
“This draws distinct parallels to the gradual adoption of physical safety practices in the energy industry over the past 50 years.”
Ensuring supply chain partners meet robust cybersecurity standards and investing in workforce training are crucial measures to better protect against possible intrusions, DNV recommends.