DNV research says with industrial systems becoming network connected, energy industry waking up to emerging cyber threats

New DNV research has revealed that the rollcall of adversaries is changing in the energy industry, as environmental groups increasingly turn to direct-action methods such as hacktivism, while criminal gangs ‘follow the money’ in a disrupted economy and nation-states use cyberspace as a new theatre of war. Additionally, the increasingly interconnected nature of industry provides greater scope for the attack, especially to critical operational technology (OT) that was previously protected by the air gap separating OT from IT systems. 

Furthermore, the DNV research report, titled ‘The Cyber Priority,’ finds some organizations making progress toward cyber resilience, protecting their crown jewels while keeping pace with the threat. “More worryingly, we also see a proportion of respondents waiting for a major incident to happen before investing in essential improvements to their defences. Organizations who increase their focus on cyber security will inevitably struggle to find the specialist talent they need and will face the broader challenge of achieving resilience across a complex and fragmented supply chain,” the report added.

As industry leaders look to strengthen their cyber defenses and adjust to a landscape of emerging risks, the DNV research identifies four key challenges they must contend with. These include the ‘wait and see’ effect is holding back progress, the air gap is closing fast, the global shortage of expertise, and the ability of complex supply chains to disguise critical vulnerabilities.

For its research, DNV reached out to respondents to specify what concerns them most about a theoretical attack – they pointed toward disrupted services and operations (57 percent), reputational damage (42 percent), data breach (41 percent), and a corresponding hit to profits (39 percent). In comparison, 24 percent and 16 percent of respondents describe the loss of life and environmental catastrophe as a top concern. 

The DNV research conducted a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts, which was developed and created by DNV and Longitude, a Financial Times company. Fieldwork was conducted between February and March 2022. Respondents were based across Europe, the Americas, the Middle East and Africa, and the Asia Pacific. They included publicly listed companies and privately held firms, spanning energy industry services, power transmission and supply, renewables, and oil and gas.

Energy is one of the top three industries reporting cyber-attacks, and it faces specific challenges, DNV said in its report. “While all industries must prevent hackers from stealing sensitive data from their IT environments, energy businesses also need to manage the threat to their OT – the computing and communication systems they use to manage, monitor, and control industrial operations,” it added. 

As OT becomes more networked and connected to IT, cyber-attackers – who include foreign powers, terrorists, competitors, and criminal gangs – are seeing an opportunity to seize critical infrastructure, whether to demand a ransom, steal intelligence, or create widespread disruption, the report said. “An additional attraction for these hackers is that the industries that they typically targeted in the past, such as financial services, have become harder to infiltrate following widespread efforts to secure key entry points. In turn, two-thirds (67%) of the 948 energy professionals who responded to our survey acknowledge that the shock of recent incidents has driven them to make major changes to their security strategy and systems,” it added. 

The DNV report also identified that energy executives are under no illusion about the scale of the threat faced by the industry at large. “Most believe that a major incident is probable at some scale within the next two years, resulting in disrupted operations (85%), harm to the environment (74%), and loss of life (57%). Respondents in the Middle East and Africa are more likely than those in Europe and the Americas to have this expectation,” it added. 

DNV said that it did see some variation by sector, however, with all industry verticals showing concern about asset shut-down and energy supply disruption. In contrast, respondents from oil and gas and energy industry services are more likely to worry about environmental damage than those in the power transmission and supply and renewables sectors.

The report also pointed toward a disconnect that “we see in our data – with respondents anticipating a major industry event on one hand while hoping that their own organizations will escape the worst impact on the other – has parallels with the industry’s gradual adoption of physical safety protocols over the past 50 years.” 

Andre Ristaino, managing director of automation standards at the International Society of Automation (ISA), explains that site owners/operators took an inconsistent approach to personnel health and safety in the late 20th century because the discipline was still being developed and institutionalized. “The consensus back then was, ‘How do you measure safety? How can you predict an accident?’” he says. “But, once safety was studied, and elevated to an engineering discipline, the experts recognized that there was always a root cause.”

“We are concerned when we hear that some energy firms may still be taking a ‘hope for the best’ position on cyber security,” Trond Solberg, managing director for cybersecurity at DNV, said in the report. “The lessons of the past, relating to safety protocols, make this plain. It will be a tragedy if it takes a series of catastrophic but preventable attacks on control systems – resulting in a less safe operating environment across the industry – for them to rethink their approach,” he added.

The DNV report also covered Russia’s invasion of Ukraine in early 2022, which inspired fresh uncertainty in the energy industry. The rising concern of executives is reflected in their sentiments around cyber-attackers. “While the fieldwork for producing this report began two weeks before the invasion, we can compare these responses with those submitted between 24 February and 9 March, when we concluded our fieldwork,” it said. 

“Before the conflict, respondents said the adversaries that concerned them most were hacktivists, foreign powers, and malicious current or former insiders. After the invasion, we saw an understandable jump in concern around nation-states, but this was accompanied by rising apprehension across all categories,” according to the report. “This suggests that respondents expect other opportunists – whether motivated by political causes or criminal gain – to take advantage of the confusion that follows a crisis by launching their own attacks.” 

In line with these findings, “we also saw respondents become more aware of their vulnerability to cyber-attacks. Again, the conflict in Europe may have inspired the change in sentiment, but the outcome was a more general awareness of cyber risk,” according to DNV. “After the invasion, 77% said cyber security had become a higher priority for their organization than it was two years ago, up from 72% before the crisis. Higher proportions also flagged concerns that their organization wasn’t doing enough about cyber (41% to 46%) or had underinvested in the security of its operational technology (from 36% to 40%),” it added.

In consideration of the specific challenges revealed by DNV research and the insight provided by experts during discussions about the findings, the report lays down three critical takeaways that energy firms can adopt, which will support them in their efforts to enhance cyber security across their IT and OT platforms. These include allocating budgets that can make a difference, companies in the energy sector should work on determining and identifying where their projects and operations are exposed to threats before hackers can find them, and taking appropriate measures to balance investment between training and technology.

U.S. security agencies and the Department of Energy (DOE) rolled out in March a joint cybersecurity advisory that provides information on multiple intrusion campaigns conducted by state-sponsored Russian cybercriminals from 2011 to 2018 and targeted the U.S. and international energy sector organizations. Earlier, the  Federal Bureau of Investigation (FBI) had warned the U.S. energy sector about network scanning activity stemming from multiple Russia-based IP addresses. The activity is believed to be associated with cyber hackers ‘who previously conducted destructive cyber activity against foreign critical infrastructure.’ 

Last November, DNV joined forces with Applied Risk to help customers across a range of industrial sectors identify their cyber risks, build a powerful force of defense against threats, recover from attacks and win stakeholder trust and support.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.