Energy executives anticipate life, property, and environment-compromising cyberattacks on the sector within the next two years, according to new research by DNV, a risk management and quality assurance provider.
The Cyber Priority, a research report exploring the state of cybersecurity in the energy sector, finds that more than four-fifths of professionals working in the power, renewables, and oil and gas sectors believe a cyberattack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%). Three quarters (74%) expect an attack to harm the environment, while more than half (57%) anticipate it will cause loss of life.
Rising fears over new and more extreme consequences of cyberattacks follow a series of high-profile security breaches in the energy industry in recent years. DNV’s research also indicates that concern about emerging threats has grown following Russia’s invasion of Ukraine. Two-thirds (67%) of energy professionals say that recent cyber-attacks on the industry have driven their organizations to make major changes to their security strategies and systems.
The report found 3 key cybersecurity trends in the energy sector:
1. Action lags as some companies hope for the best
Six in ten C-suite level respondents to DNV’s survey acknowledge that their organization is more vulnerable to an attack now than it has ever been. However, there are signs that some companies are taking a ‘wait, see and hope for the best’ approach to addressing the threat.
Less than half (44%) of C-suite respondents believe they need to make urgent improvements in the next few years to prevent a serious attack on their business, and more than a third (35%) of energy professionals say their company would need to be impacted by a serious incident before investing in their defenses.
One explanation for some companies’ apparent hesitance to invest in cybersecurity may be that most respondents believe that their organization has so far avoided a major cyberattack. Less than a quarter (22%) suspect their organization has been subject to a serious breach in the last five years.
2. Supply chain blind spots cause concern
DNV recommends that the first step to strengthening defenses is identifying where critical infrastructure is vulnerable to attack. The Cyber Priority reveals that, while many organizations invest in vulnerability discovery, these efforts are not being sufficiently extended to include companies they partner with and procure from.
Just 28% of energy professionals working with OT say their company is making the cybersecurity of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say expenditure in IT system upgrades is a high investment priority.
3. More workforce training is needed
Despite emerging cybersecurity threats, DNV’s research reveals that less than a third (31%) of energy professionals assert confidently that they know exactly what to do if they are concerned about potential cyber risks or threats to their organization. This finding points to a need for energy companies to invest in training employees to spot instances of criminal attempts to gain access to their systems. Less than six in 10 (57%) of energy professionals say their employer’s cybersecurity training is effective.
Download a complimentary copy of The Cyber Priority at: www.dnv.com/cyberpriority