DNV, a leading resource organization for independent energy experts and technical advisors, published the results of a cybersecurity survey of 948 energy professionals that involved a series of in-depth interviews with industry leaders and security experts. The survey reveals that the industry still has a long way to go when it comes to cybersecurity. This is equally true for offshore wind farms. But the industry is making efforts to put things right. The 2021 Colonial Pipeline incident on the East Coast of the United States was a wake-up call. The survey shows that the majority of cyberattacks involved disruption of services or operations, reputational damage, lost or corrupted data, and financial losses (including theft, lost opportunities, etc.).
“While all industries must prevent hackers from stealing sensitive data from their IT environments, energy businesses also need to manage the threat to their operational technologies (OT) — the computing and communication systems they use to manage, monitor, and control industrial operations,” says DNV. That’s a serious challenge that makes the job significantly more difficult. “As OT becomes more networked and connected to IT, cyberattackers — including foreign powers, terrorists, competitors, and criminal gangs — are seeing an opportunity to seize critical infrastructure, whether to demand a ransom, steal intelligence, or create widespread disruption.”
Because the industries hackers typically targeted in the past, such as financial services, have become harder to infiltrate following widespread efforts to secure key entry points, they are now turning to energy companies, among others.
Hope for the best
Many company directors think they’re unlikely to be the target of a cyberattack, so they just hope for the best. But the respondents who have cybersecurity experience think differently. They provide a more pessimistic perspective on the threats their organizations face, and they see the need for better security policies. So leaders are aware of the risk that their business faces, but specialist executives may not be getting their message across to all the decision-makers.
The drive to become as resistant as possible to threats is a work in progress. For the energy industry to achieve cybersecurity maturity, it has to accept that it will be an ongoing process. DNV recommends that energy firms adopt three principles to enhance cybersecurity across their IT and OT platforms.
The first principle is to allocate budgets for updating IT and OT security. Executives need to be aware of the return on investment in security, for example from investing in certification to cybersecurity standards such as ISA/IEC 62443.
The second principle is to determine where firms are vulnerable. To do that, they need a clear and complete overview of their own information and control systems and of those of their suppliers.
The third principle is finding a balance between investment in training and technology.