As the digital transformation continues, the energy sector must be aware of increasingly common, creative and complex industrial cyber security threats
Such is the concern among Middle Eastern and African (MENA) energy professionals over cyber security threats in the sector that 69% believe that an attack is likely to cause loss of life.
This figure, compared with a global average of 57%, was just one of the findings of The Cyber Priority, a research report by DNV based on a survey of more than 940 energy professionals around the world and in-depth interviews with industry executives.
Exploring the state of cyber security in the energy sector, the report found that energy executives anticipate life, property, and environment-compromising cyber attacks on the sector within the next two years. Indeed, these could include attacks on energy supplies in power grids, ship navigational systems, windfarms and systems in pipelines. Attackers could be foreign powers, competitors or criminal gangs.
A recent example of a cyber attack on the energy sector came in October 2022 when Tata Power said that their IT infrastructure and systems had been hacked. Another, in 2020, saw hackers attempt to hack into the industrial control systems of five Israeli Water Authority facilities and try to raise the level of chlorine in the nation’s water supply.
With OT becoming more networked and connected to IT systems, cyber criminals can more easily access control systems operating critical infrastructure. Safety is therefore a key risk: industrial fail-safe mechanisms designed for an offline world may have unknown vulnerabilities that could see them undermined if they are not protected against a cyber attack.
The Cyber Priority report revealed that while some energy organisations are making real progress toward cyber resilience, preventative action is lagging the growing threat. There is still a strong signal that the energy industry and other industrial sectors need to make urgent investments to ensure that cyber security incidents do not become the cause of future safety incidents.
One of the challenges with managing industrial cyber security risks is that there is not enough best practice available – particularly within older energy infrastructure that doesn’t have cyber security built into it by design – to guide operators, suppliers, manufacturers, and regulatory authorities in building an effective force of defence.
However, it is hoped that it does not take a tragic incident for the industry to prioritise and institutionalise safety protocols, standards, and regulation. This would draw parallels to trends in the industry’s physical safety practices when it took incidents such as the 1988 Piper Alpha oil platform explosion in the North Sea and the 2010 Deepwater Horizon oil spill in the Gulf of Mexico for there to be material change.
Where the energy industry has worked together to solve its safety challenges over the past 50 years, it has made extraordinary progress. Within a relatively short period of time, it implemented global standards, improved its ways of working and use of technology, and embedded a safety-first mindset across the entire workforce. There is no reason why a similar transformation is not achievable in the field of cyber security – and before a tragedy happens.
While industry players are already beginning to come together to develop more best practice – such as the IEC 62443 standards for cyber security in operational technology in automation and control systems, and DNV’s Recommended Practice for its application in the oil and gas industry – we need to go further in taking collective action as industrial cyber security risks increasingly become seen as business risks.
Never has it been more important for companies and authorities to come together to share knowledge, create best practice and develop new standards in the fight against industrial cybercrime.
Download a copy of The Cyber Priority from: www.dnv.com/cyberpriority
Jalal Bouhdada is the founder of Applied Risk, an Amsterdam-based industrial cyber security specialist firm established in 2012. In 2021, Applied Risk joined forces with DNV. Bouhdada is recognised as a global thought leader on industrial control systems (ICS) security and critical infrastructure protection. He is an active member of several professional security societies and has co-authored ICS security best practice guidelines for ENISA and the ISA 99.