The energy sector is increasing investment in cybersecurity in response to increased concerns over the sector’s vulnerabilities to emerging cyber threats, according to new research from DNV.
These concerns have been sparked by heightened geopolitical tensions and accelerated adoption of digitally connected infrastructure, according to DNV’s new research report, Energy Cyber Priority 2023: Closing the gap between awareness and action, which finds that the energy industry is becoming increasingly mature in its understanding of the risks and boosting investment accordingly.
Geopolitical uncertainty is at the forefront of the concerns, with 78% citing that this has made their organisation more aware of the potential vulnerabilities in their operational technology (OT).
“Cybersecurity is critical for the energy industry, for the industry’s digital transformation and for the acceleration of the energy transition,” says Ditlev Engel, CEO, Energy Systems at DNV.
“Just as governments and energy companies know they need to transition faster to meet the targets of the Paris Agreement, they also know they need to urgently step up action on cybersecurity. And the two are connected – safety and security are enablers of the clean energy technologies that need to be deployed and operated at scale in the coming decades.”
Key research findings include:
- 59% of the 600 energy professionals surveyed by DNV say their organisation is investing more in cybersecurity in 2023 compared with last year, acknowledging that cyber attacks on the industry are a question of ‘when’ not ‘if’.
- 64% believe that their organisation’s infrastructure is now more vulnerable to cyber threats than ever and say that their focus on cybersecurity has intensified as a result of geopolitical tensions.
- Six in ten industry professionals say that cybersecurity is now a regular fixture on the boardroom agenda.
- 89% believe cybersecurity is a pre-requisite for digital transformation initiatives essential to the future of the industry.
- 76% of respondents believe that cybersecurity professionals need to get better at speaking the language of energy operations.
The report however identifies gaps in awareness and investment in cyber risk mitigation strategies. Less than half of energy professionals say their organisation is investing enough. Just one in three (36%) are confident their organisation has made sufficient investments in securing their OT.
“While energy companies accept that cybersecurity risk is on the increase, some in the industry don’t think an attack is something that will happen specifically to them, and they don’t dedicate enough budget and resources,” says Jalal Bouhdada, Global Segment director, Cyber Security, DNV.
Recommendations to fill the gaps
Surveyed energy professionals suggested that cybersecurity gaps would be filled if regulation unlocked increased budgets. Thirty-eight percent suggested a cybersecurity incident or near miss would also catalyse action and spending.
DNV suggests that in the coming years, the sector will need to comply with many new, stricter cybersecurity requirements, in order to boost resilience to emerging threats.
“If you’re cyber secure, you’re very likely to comply with regulation, but the reverse isn’t always true: compliance doesn’t guarantee security,” added Bouhdada. “It takes the right mindset, company culture, and access to skills to ensure regulation-driven investment translates into greater cyber resilience.”
DNV’s report highlights that many energy professionals are concerned about recruiting and retaining the skills and talent to ensure protection from cyber threats, adding that the “lack of in-house cybersecurity skills now appears as the single most intractable barrier to cybersecurity in the industry.”