Global energy industry is upscaling its cybersecurity spending this year, as heightened geopolitical tensions and the accelerating adoption of digitally connected infrastructure spark concerns over the sector’s vulnerabilities to emerging cyber threats.
New research published by DNV reveals that a majority, 59 per cent of the 600 energy professionals surveyed say their organization is investing more in cybersecurity in 2023 compared with last year, acknowledging that cyber-attacks on the industry are a question of ‘when’ not ‘if’.
Two thirds 64 per cent believe that their organization’s infrastructure is now more vulnerable to cyber threats than ever and say that their focus on cybersecurity has intensified as a result of geopolitical tensions.
DNV’s new research report, “Energy Cyber Priority 2023: Closing the gap between awareness and action”, finds that the energy industry is becoming increasingly mature in its understanding of the risks. Six in ten industry professionals say that cybersecurity is now a regular fixture on the boardroom agenda, and most 77 per cent report it is treated as a business risk within their organizations.
Energy professionals overwhelmingly 89 per cent believe cybersecurity is a prerequisite for digital transformation initiatives essential to the future of the industry.
“Cybersecurity is critical for the energy industry, for the industry’s digital transformation and for the acceleration of the energy transition,” says Ditlev Engel, CEO, Energy Systems at DNV. “Just as governments and energy companies know they need to transition faster to meet the targets of the Paris Agreement, they also know they need to urgently step-up action on cybersecurity.
To him, “and the two are connected – safety and security are enablers of the clean energy technologies that need to be deployed and operated at scale in the coming decades.”
More focus needed on securing operational technology.
Despite increased awareness, maturity, and investment in cybersecurity, less than half 42 per cent of energy professionals say their organization is investing enough.
Just one in three 36 per cent are confident their organization has made sufficient investments in securing their operational technology (OT) – the systems that manage, monitor, automate, and control industrial operations.
Most energy professionals 78 per cent say geopolitical uncertainty has made their organization more aware of the potential vulnerabilities in their OT as awareness grows about the potential for cyber criminals to cause operational shutdowns and disable safety systems.
“While energy companies accept that cybersecurity risk is on the increase, some in the industry don’t think an attack is something that will happen specifically to them, and they don’t dedicate enough budget and resources,” says Jalal Bouhdada, Global Segment director, Cyber Security, DNV.
Energy professionals point to regulation as the factor that will most likely unlock increased budgets in their organizations, as cited by 49 per cent of energy professionals as a top-three driver. By contrast, the next most likely catalyst for increased spending is a cyber incident (or near miss), cited by 38 per cent.
The sector must prepare to comply with a raft of new, stricter cybersecurity requirements in the coming years, as authorities encourage energy businesses to increase their resilience to emerging threats.
In the EU, for example, organisations providing essential services, including many in the energy sector, face tougher regulation in the form of the revised Directive on Security of Network and Information Systems (NIS2), set to be transposed into national laws in 2024.
In the U.S., the Department of Energy is continuing to work on the National Cyber-Informed Engineering Strategy – a bipartisan plan to raise standards.
“If you’re cyber secure, you’re very likely to comply with regulation, but the reverse isn’t always true: compliance doesn’t guarantee security,” says Bouhdada. “It takes the right mindset, company culture, and access skills to ensure regulation-driven investment translates into greater cyber resilience.”
As energy companies double down on efforts to manage the growing cyber risks facing their organizations, DNV’s research revealed that energy professionals are deeply concerned about their ability to recruit and retain the talent they need to protect them from cybersecurity threats. Lack of in-house cybersecurity skills now appears as the single most intractable barrier to cyber security in the industry.