Energy companies invest to ward off cyber threats

Energy companies are boosting investment in cybersecurity, seeing it as the greatest current threat to their business, according to DNV Cyber’s latest Energy Cyber Priority report

Two in three energy professionals (65%) say their leadership views cybersecurity as the greatest current risk to their business, according to the report, with 71% expecting their company to increase investment in cybersecurity this year.

Energy companies are making progress in cybersecurity, with growing attention being paid to employee training and securing operational (OT systems). Challenges remain, however, as the energy transition creates new attack opportunities, threat actors become more sophisticated and digital technologies potentially increase exposure to cyber risk.

Of the 375 energy professionals surveyed globally for the research, three-quarters (75%) report that their organisation has stepped up the focus on cybersecurity because of growing geopolitical tensions over the last year, with the threat from cyber-criminal gangs and malicious insiders becoming increasing concerns.

“Achieving the energy transition is central to society at large. The whole energy sector – companies and governments alike – are working together on this massive challenge, which is increasingly complex because the technologies underpinning the transition are largely digital and scaling rapidly. With this comes cybersecurity risks,” said Ditlev Engel, CEO, Energy Systems at DNV. “Cybersecurity should be a priority for all players in the energy sector to achieve the climate goals and guarantee energy security, as geopolitics make the world more hostile and uncertain.”

“Even as the energy industry becomes more mature in its cybersecurity posture, it must continue to strengthen and adapt to remain resilient against a growing number of increasingly sophisticated threats. From attacks on supply chains, recruitment of malicious insiders, and the use of AI, adversaries are upping their game and the energy industry needs to keep up,” said Auke Huistra, director of Industrial and OT Cybersecurity at DNV Cyber.

Five challenges

DNV Cyber’s new report argues that energy companies must double their cybersecurity efforts to overcome five principal challenges:
• securing physical infrastructure, to protect against increasing attacks on OT Systems;
• overcoming complex cybersecurity supply chains, as threat actors go to suppliers and sub-suppliers to gain access to companies operating large assets, and 34% of those surveyed suspecting undisclosed breaches among their suppliers.
• increasing employee vigilance, as adversaries are constantly changing their approach and targeting employees with more sophisticated tactics
• embedding new skills in the workforce to prepare for more sophisticated attacks and address skills and knowledge gaps; and
• embracing AI: while 47% of cybersecurity professionals fear they will fall behind unless they harness AI, generative AI enables cyber criminals to launch more convincing scams. Two-thirds of energy professionals (66%) agree that attackers’ use of AI in phishing attacks has made it more difficult to determine whether emails are genuine. 

“To further strengthen their cybersecurity, energy companies should – as a priority – broaden their efforts to secure OT and support greater security and transparency in the supply chain,” said Huistra. “They should reset and redesign cyber’s relationship with the business, take a more innovative approach to training, and build understanding of AI.”