Despite cybersecurity awareness some energy organisations have not made as much progress as required, DNV indicates.
In the Energy Cyber Priority for 2023, DNV reports that the energy industry is acutely aware of the growing threat to IT and OT systems and progress has been made but there are signs the awareness is yet to translate into sufficient action.
Moreover, several core challenges remain – lack of investment, intensifying skills shortages and poor collaboration across the enterprise between the cyber professionals and the operational teams and senior management.
The study, which is based on a survey of 600 energy professionals globally – half of them in Europe – is timely, appearing within days of reports of a Russian cyber attack on the US Department of Energy, an organisation that should be more cyber aware than most.
At the same time DNV itself also is stepping up its cyber capabilities with the acquisition of the Finland-headquartered Nixu, with around 400 cyber security specialists in Finland, Sweden, Denmark, the Netherlands and Romania.
Once de-listed from the Helsinki stock exchange, Nixu and the previously acquired industrial cybersecurity specialist Applied Risk will be combined with DNV’s existing cybersecurity services to offer a major growing cybersecurity business in Europe.
Energy sector recommendations
The survey (which includes oil and gas sector input) identifies cybersecurity as the fourth greatest business risk, closely behind operational and technical, safety and financial risks.
And this is not expected to change in the short term, with one-third expecting cybersecurity to be a top-three business risk in two years’ time.
While new regulation, such as the revised Directive on Security of Network and Information Systems in Europe, which must be transposed into member state laws by late 2024, is anticipated to unlock investment in cybersecurity, the survey suggests some companies are unprepared, not least by a lack of awareness.
DNV suggests that energy professionals should question whether their confidence around their cybersecurity posture is justifiable.
In turn, they should ask how they are measuring the strength of their defences and recovery plans, how they are benchmarking performance, and whether they have identified the improvements they need to make. Once they have outlined systematically the gaps in their defences, they can put plans in place to close them.
Other recommendations are to improve communication and collaboration, to build capacity and unlock resources and to proactively prepare for new regulation, focusing on resilience alongside compliance, and looking for new opportunities that may arise from managing cybersecurity effectively.
One way to ensure that the business is ready is to strengthen the case that cyber is key to enabling the future of the energy industry, which points to its broader strategic necessity, the report concludes. This may also be important in attracting essential but hard to find cyber talent into the industry.