Cybersecurity is racing up the energy sector's agenda in response to growing fears of attacks but companies are still not spending enough to safeguard critical systems, says a new survey by global consultancy DNV.
In a sign of the rising prominence of cybersecurity in energy sector budgeting, 59% of 600 energy professionals surveyed said their organisation is investing more in this segment compared with last year, and 78% reckoned geopolitical uncertainty had made it more aware of the potential vulnerabilities in operational technology (OT).
Almost two thirds said they believe that their organisation’s infrastructure is now more vulnerable to cyber threats than ever and that their focus on cybersecurity has intensified as a result of geopolitical tensions.
Yet only 42% said their organisation is investing enough in cybersecurity to safeguard critical systems, with just 36% describing investments as sufficient to secure their OT.
Jalal Bouhdada, DNV’s global segment director for cybersecurity stated: “While energy companies accept that cybersecurity risk is on the increase, some in the industry don’t think an attack is something that will happen specifically to them, and they don’t dedicate enough budget and resources.”
Wind at risk
Wind farms and associated power infrastructure have been identified as one of the sectors that is most vulnerable to cyber attacks due, in part, to reliance on remote operations and the need for multiple interfaces through technology such as inverters and transmission equipment.
DNV cited the example of a Russian cyber attack on satellite internet operator ViaSat in the second quarter of 2022, which had the effect of deactivating thousands of wind turbines in Germany when their satellite-dependent monitoring systems were taken offline.
Bouhdada told Upstream’s sister renewables publication Recharge that this kind of vulnerability was not inherent to the wind sector, but could be exposed in the interfaces on older projects.
“The legacy systems for all new energies, including offshore wind, solar and hydrogen, can be more insecure. Interfaces can be particularly vulnerable if interconnections are not secured by design. This is being improved by a more holistic design approach to the whole life cycle,” he said.
DNV noted that energy businesses are also responding by upgrading and connecting their legacy technology and infrastructure to improve safety, increase efficiency and decarbonise through increased electrification, based on a growing share of renewable generation.
More regulation welcomed
The sector has to comply with a raft of new, stricter cybersecurity requirements in the coming years, as authorities encourage energy businesses to increase their resilience to emerging threats.
In the EU, much of the energy sector faces tougher regulation in the form of the revised Directive on Security of Network and Information Systems (NIS2) while the US Department of Energy is working on a National Cyber-Informed Engineering Strategy.
In the survey, 49% of the energy professionals point to regulation as the factor that will most likely unlock increased budgets for cybersecurity in their organisations, with 38% citing cyber incidents as the most likely catalyst for increased spending.
Six in ten industry professionals say that cybersecurity is now a regular fixture on the boardroom agenda.
“This is where regulation is important, as the need to comply with requirements makes it more more likely that funding will be approved,” Bouhdad told Recharge.
"An appetite for longer term investment is needed. The ad hoc approach is not working."
Cybersecurity skills shortages and barriers to collaboration, such as communication also emerged as key challenges to greater cyber resilience.
“If you’re cyber secure, you’re very likely to comply with regulation, but the reverse isn’t always true: compliance doesn’t guarantee security,” Bouhdada stated. “It takes the right mindset, company culture, and access skills to ensure regulation-driven investment translates into greater cyber resilience.”
Ditlev Engel, chief executive for energy systems at DNV stressed that cybersecurity is critical for the energy industry, for the industry’s digital transformation and for the acceleration of the energy transition.
“Just as governments and energy companies know they need to transition faster to meet the targets of the Paris Agreement, they also know they need to urgently step up action on cybersecurity. And the two are connected — safety and security are enablers of the clean energy technologies that need to be deployed and operated at scale in the coming decades,” he stated.
Almost 90% in the DNV survey said they see cybersecurity as a pre-requisite for digital transformation, pointing to a crucial role in attaining the gains in efficiency, safety and lower emissions that the digital transformation offers.
* A versiopn of this article first appeared in Upstream’s sister renewables publication, Recharge.