DNV reports investment, skills shortage, poor collaboration remain major challenges across energy sector

New DNV data finds that the energy industry is more aware of cybersecurity threats and is increasing investment to address them. The move comes amid heightened geopolitical tensions, emerging compliance requirements, and the accelerating adoption of digitally connected infrastructure. The research also finds that greater focus is needed on securing safety-critical systems, as investment, skills shortage, and poor collaboration remain major challenges across the sector.

DNV reported that six in ten energy professionals say their organization is increasing cyber security spending in 2023, as geopolitical tensions trigger growing awareness of emerging threats. This marks a step change in cyber threat awareness, with the energy industry acutely aware of the growing cyber threat to IT and OT (operational technology) systems. However, industry professionals warn that budgets are still too low to safeguard safety-critical systems, with just one in three confident that sufficient investment is going into OT security.

“But awareness of the risk is not limited to the threat of immediate attack. Our research this year also underlines the growing strategic importance of cyber security to the energy industry. Indeed, nine in 10 (89%) energy professionals believe cyber security to be a pre-requisite for the digital transformation initiatives that are making the future of the industry possible,” DNV said in its research report, titled ‘Energy Cyber Priority 2023: Closing the gap between awareness and action.’ The research draws on a survey of 600 energy professionals, complemented by in-depth interviews with experts from various energy sector companies, including Equinor, Dominion Energy, Vattenfall, Institute for Security and Safety, Skagerak Energi, SCADAfence, and DNV.

DNV also reported that about 77 percent of respondents treat cybersecurity as a business risk within their organizations. “Energy businesses are upgrading and connecting their legacy technology and infrastructure: to improve safety, increase efficiency, and decarbonize the industry through increased electrification, based on a growing share of renewable generation.” 

Despite increased awareness, maturity, and investment in cyber security, less than half, about 42 percent, of energy professionals say their organization is investing enough. Just one in three, around 36 percent, are confident their organization has made sufficient investments in securing their OT.

Furthermore, most energy professionals, almost 78 percent, say geopolitical uncertainty has made their organization more aware of the potential vulnerabilities in their OT as awareness grows about the potential for cybercriminals to cause operational shutdowns and disable safety systems. Moreover, two-thirds say their focus on cyber has intensified as a direct result of tensions. The situation is made more complicated because attribution of cyber-attacks is difficult, and the connection between specific incidents and foreign powers is rarely clear-cut. 

In recent DNV research on the overall outlook for the energy industry, eight in ten of the most digitally advanced energy companies say that digital technologies are enabling their energy transition. “This is where cyber security comes in. Simply put, the industry cannot reap the benefits of digital transformation without robust cyber security. It’s why respondents to the research who consider their organization to be digitally advanced are noticeably more likely (72%) to believe cyber-attacks are a major threat to their organization than the average (59%),” it added.

“Cyber security is critical for the energy industry, for the industry’s digital transformation, and for the acceleration of the energy transition,” Ditlev Engel, CEO of energy systems at DNV, said in a media statement. “Just as governments and energy companies know they need to transition faster to meet the targets of the Paris Agreement, they also know they need to urgently step up action on cyber security. And the two are connected – safety and security are enablers of the clean energy technologies that need to be deployed and operated at scale in the coming decades.”

“While energy companies accept that cyber security risk is on the increase, some in the industry don’t think an attack is something that will happen specifically to them, and they don’t dedicate enough budget and resources,” according to Jalal Bouhdada, global segment director for cybersecurity at DNV.   

The report also shows how the profile of cyber-attackers has changed since early 2022. “In the immediate aftermath of the Russian invasion, we saw the industry shift into high alert with professionals expressing concern about all potential attackers. In the year since, energy executives remain highly attuned to the threat created by the Ukraine war – either by politically-driven hacktivists or by hostile states – but they appear to have become less concerned about longer-term adversaries such as criminal gangs and malicious insiders,” DNV reported.

Innovation on the part of cyber criminals is indeed a persistent challenge, with new methods being shared and adopted by different adversaries. Fileless malware and ‘living-off-the-land’ attacks, in which cyber criminals exploit native tools within a company’s system to carry out an attack, are a case in point, the research report said. It also noted that tightening cybersecurity regulation is expected to be the greatest driver for unlocking new funding, while cybersecurity skills shortages and barriers to collaboration emerge as key challenges to greater cyber resilience.

DNV research also found specific areas where energy businesses are trying to catch up with the threat. “Security by design, for example, should be the ambition for all companies – the idea that protections are built into assets and networks as they are developed, rather than retrofitted. If the industry is incorporating cyber security into the DNA of its infrastructure, it would be a big step towards it routinely treating the discipline as seriously as physical health and safety.”

The report also detailed that some progress has been made in this regard. More than half of respondents (54%) say, for example, they consider security at every stage of the lifecycle of their assets and infrastructure. “At the same time, around seven in 10 (69%) tell us that cyber is a consideration during the early phases of new infrastructure projects. If security teams are involved at these early stages, there are opportunities for them to influence asset and infrastructure planning,” it added.

Addressing supply chain vulnerabilities, the DNV report said that beyond the walls of the organization, energy professionals are increasingly aware of the cyber risks posed by their suppliers. “Recent examples include serious breaches at critical energy infrastructure in the US and Europe, which resulted from the supply-chain attack on software developer 3CX earlier this year. Successfully managing this risk represents another test of the maturity of cyber security relative to health and safety.” 

The report added that “more than half energy professionals (57%) tell us that their organization has good oversight of supply chain vulnerabilities, indicating some confidence in their third-party risk management. However, they also identify the need to address supply chain vulnerabilities as one of the top-five challenges in cyber security. The question is whether ‘good oversight’ in this context signals that they are taking effective action, or whether they just have awareness of vulnerabilities. The picture is also less certain if we look across the energy system.”

DNV reports that the three core challenges across the energy sector include investment, skills shortage, poor collaboration, and the cyber perception gap.

Despite board-level awareness of cyber risk, energy professionals are concerned that investment is not flowing at the levels required to address the issue. Less than half of energy professionals, about 42 percent, think their organization’s current level of investment is sufficient to ensure the resilience of their operational assets and infrastructure, while just one in five agrees strongly that enough investment is being made.

“Organizations are also deeply concerned about their ability to recruit and retain the talent they need to protect themselves from cyber security threats. The lack of in-house cyber security skills is regarded as the single most intractable barrier to maturity in the industry. More than a third of energy professionals (38%) pick out this issue,” DNV reported. “And in some parts of the world, the skills shortages are especially pronounced. In Asia Pacific, for example, 48% of energy professionals are concerned about the issue, which is in line with recent studies that found the gap between the current cyber workforce in the region and the number of workers needed to grow by 52% or 2.16 million people in a year.” 

The report added that one of the challenges that companies face is that cyber training, although vital, is challenging to get right. 

“Our research finds that cyber security professionals struggle to communicate and collaborate with operational teams who don’t share their level of understanding, as well as with executives at the most senior levels of the organization,” DNV said. “These difficulties, combined with differences in direct experience of cyber security, [are] leading to a ‘cyber-perception gap’ among respondents. Our research suggests, for example, that some senior leaders might not have the full picture of the threat.”

DNV called upon energy organizations to step up efforts to enhance cybersecurity: the risk of attacks in the sector is increasing at a time when dependence on OT is growing fast, and companies must take steps to strengthen their resilience accordingly. The report also suggests that, to build cyber maturity, energy professionals should question whether their confidence in their cybersecurity posture is justifiable.

“In turn, they should ask how they are measuring the strength of their defences and recovery plans, how they are benchmarking performance, and whether they have identified the improvements they need to make. Once they have outlined systematically the gaps in their defences, they can put plans in place to close them,” it added. 

The report also recommends that enterprises improve communication and collaboration, build capacity and unlock resources, and prepare for new regulation to ensure compliance – to avoid increasingly challenging penalties from regulators, and in recognition that stronger requirements are on the way – but should also aim to go further than what is stipulated. 

Lastly, the report highlighted that “one way to ensure that the business is ready is to strengthen the case that cyber is key to enabling the future of the energy industry, which points to its broader strategic necessity. This may also be important in attracting essential but hard-to-find cyber talent into the industry.”

Last month, Mandiant detected novel OT/ICS-oriented malware, tracked as CosmicEnergy, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
