Energy industry must act on growing threat of cyber-attacks

Traditionally, cyber criminals have followed the money, breaching companies’ IT environments to steal data for financial gain. That was the exact intention of hacking group DarkSide when it launched a ransomware attack on the Colonial Pipeline Company in April last year.  

Energy companies have been tackling IT security challenges such as the Colonial attack for several decades. But securing operational technology (OT) – the computing and communications systems used to manage, monitor and control industrial operations – is a more recent and increasingly urgent issue.  

As OT becomes more networked and connected to IT systems, attackers can more easily access control systems operating critical infrastructure. It is now possible for attackers – who include foreign powers, terrorists, competitors, and criminal gangs –to disrupt energy supply in a power grid, destroy a wind farm, and disable the safety systems in pipelines, refineries or oil and gas platforms. It’s a reason why energy is now one of the top three industries reporting cyber-attacks.  

Realizing the consequences that DarkSide’s ransomware attack could have on the safety ofoperations, the Colonial Pipeline Company shut down the largest fuel pipeline in the US. It caused a brief shortage of gasoline and other petroleum products on the country’s east coast. The incident served as a wakeup call to the entire energy industry –critical infrastructure is now at risk from cyber-attacks.  

New research published by DNV reveals that energy executives are becoming increasingly aware of the rapidly evolving cyber security risks that the industry now faces. The Cyber Priority, our report on the state of cyber security in the energy sector, reveals that more than four-fifths of professionals in the sector believe a cyber-attack on the industry is likely to cause operational shutdowns (85%) and damage to energy assets and critical infrastructure (84%). Three quarters (74%) expect an attack to harm the environment, while more than half (57%) anticipate it will cause loss of life.   

While energy executives are waking up to the OT security threat, swifter action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security.  

What’s particularly worryingis that many companies seem to be taking a ‘wait and see’ approach to cyber security, instead of actively addressing emerging threats. Less than half (44%) of C-suite level respondents to our survey believe they need to make urgent improvements in the next few years to prevent a serious attack on their business. More than a third (35%) of energy professionals say their company would need to be impacted by a serious incident before investing in their defences.   

This draws distinct parallels to the gradual adoption of physical safety practices in the industry over the past 50 years. It took tragic events such as the Piper Alpha incident in 1988 and the Macondo disaster in 2010 for the industry to prioritize and institutionalize global safety protocols, and for tighter regulation to come into place. Our research gives a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment.  

Blind spots in the supply chaincause concern 

AtDNV, we recommend that the first step any company takes to strengthen its defences is to identify where critical infrastructure is vulnerable to attack. Our research reveals that, whilemany organizations are investing in vulnerability discovery, these efforts are not being sufficiently extended to include companies they partner with and procure from.   

Just 28% of energy professionals working with OT say their company is making the cyber security of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say expenditure in IT system upgrades is a high investment priority.  

Essentially, while energy companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, that won’t make a difference if there are undiscovered vulnerabilities in their supply chain. The sector must pay greater attention to assuring that equipment vendors and suppliers demonstrate compliance with security best practices from the earliest stages of procurement.  

More workforce training is needed 

A company’s workforce is its first line of defence against cyber-attacks and the sector seems to recognisethis. Around eight in 10 (78%) energy professionals say their organisation is making education and training a spending priority in their cyber security budgets. While this is positive news, our research reveals that less than a third (31%) of energy professionals assert confidently that they know exactly what to do if they were concerned about a potential cyber risk or threat on their organisation.  

Ultimately, effective workforce training, combined with ensuring you have the right cyber security expertise in place, can make all the difference to safeguarding critical infrastructure. Our research points to a need for energy companies to put greater focus on training their people to identify threats and respondto incidents in a timely manner.  

Time to collaborate 

While ourresearch showsthat some energyorganisations are making real progress toward cyber resilience, there is still a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment.  

The challenge with managing these emerging cyber security risks is that there is not enough best practice available to guide operators, manufacturers and regulatory authorities in building an effective force of defence – particularly within older energy infrastructure that doesn’t have cyber security built into it by design.  

When the energy industry has worked together to solve its safety challenges over the past 50 yrs, it has made extraordinary progress. Within a relatively short period of time, it implemented global standards, improved its ways of working and use of technology, and embedded a safety-first mindset across the entire workforce. There is no reason why a similar transformation is not only achievable in the field of cyber security. 

There has never been a more important time for industry to come together to share knowledge, create best practice and develop new standards in the fight against industrial cybercrime.We are already seeing industry players come together to develop technical best practice, such as the IEC 62443 standards for cyber security in operational technology in automation and control systems, and DNV’s Recommended Practice for its application in the oil and gas industry.  

We need to go further in taking collective action as industrial cyber security risks are increasingly seen as business risks. GP

For a complementary copy of The Cyber Priority, please visit:www.dnv.com/cyberpriority

TROND SOLBERG is Managing Director for cyber security. He leads DNV’s fast-growing initiative within industrial cyber security, scaling up to help DNV’s 100.000 customers improve their cyber security and resilience. Trond’s security background is cryptography and embedded security for both military and commercial purposes.