Editor's note: This Beyond the Horizon column first appeared in the November-December 2023 issue of Offshore magazine.
By Shaun Reardon, DNV
The energy industry – not least the offshore sector – is boosting cybersecurity spending, as heightened geopolitical tensions and the accelerating adoption of digitally connected infrastructure spark concerns over the sector’s vulnerabilities to emerging cyber threats. This is according to DNV’s Cyber Priority research, which explored the changing attitudes and approaches to cybersecurity in the energy and maritime sectors.
A majority (59%) of the 600 energy professionals surveyed by DNV for the research say their organization is investing more in cybersecurity in 2023 compared with last year, acknowledging that cyber-attacks on the industry are a question of ‘when’ not ‘if.’
Industrial companies have been tackling IT security for decades, but securing operational technology (OT) – the control systems that manage, monitor, automate and control industrial operations – is an increasingly urgent challenge. The risk of attacks in the energy sector is increasing at a time when dependence on operational technology is growing fast. The modern hacker can do more than just steal data; they have the potential to take control of a wind farm, oil and gas platform, or solar grid.
This evolving risk helps to explain why six in 10 energy professionals say that cybersecurity has become a regular fixture on their organization’s boardroom agenda.
Energy systems are deeply dependent on assets and infrastructure becoming more digitally connected to increase safety, bring down costs, increase efficiency, and enable greater renewable generation and electrification. Nine in 10 (89%) energy professionals surveyed believe that cybersecurity is a prerequisite for the digital transformation initiatives that are making the future of the energy industry possible.
However, the energy industry cannot reap the benefits of digital transformation without robust cybersecurity. Two thirds (64%) of energy professionals worry that their organization is more vulnerable to cyber-attacks on their OT networks than at any other point in their history. Less than half of energy professionals globally (42%) think their organization’s current level of investment is sufficient to ensure the resilience of their operational assets and infrastructure.
While risks are increasing, there are significant benefits to those who invest, with greater security building confidence, enabling innovation, and increasing competitiveness. The energy transition relies on smart infrastructure, but smart is only good as long as it isn’t breached by a cyber-attack.
So, what’s the next step for the offshore sector? The research found that despite growing awareness of the risks, not enough progress has been made. There is a gap for the energy industry to close between awareness and action.
When evaluating their cyber posture, energy companies should consider how they are measuring the strength of their defenses and recovery plans, how they are benchmarking performance, and whether they have identified the improvements they need to make. It’s only once they have systematically outlined the gaps in their defenses that they can put plans in place to close them.
Regulation is the foremost driver of investment in cybersecurity in today’s energy industry. And regulation is tightening, whether it’s NIS2 in the EU or similar legislation in other countries and industries. The trend is toward stricter cybersecurity requirements when operating critical infrastructure, which includes energy and offshore sectors. Energy companies should aim to go further than what is stipulated.
This means being proactive rather than ‘ticking boxes,’ focusing on resilience alongside compliance, and looking for new opportunities that may arise from managing cybersecurity effectively. Taking a proactive approach to cybersecurity can help drive competitive advantage, particularly when used to secure the technologies needed to decarbonize the world’s energy system in the transition.
Ultimately, there must be a consistent effort to ensure cyber awareness and appropriate action at every level of an organization, from C-suite to operational roles, to ensure a cohesive approach to safeguarding operations. That way, operators can strengthen their cyber credentials and build resilience against the ever-evolving threats in an increasingly connected and targeted sector.