Despite the growing cyber threat to energy companies, some are waiting for a major incident to happen before investing in essential improvements to their defences, says a report
Energy sector executives expect a major cyberattack within the next two years, with those in the Middle East and Africa more likely than those in Europe and the Americas to have this expectation. This could result in disrupted operations, harm to the environment, and loss of life.
A recently released, ‘Cyber Priority’, report developed by DNV and Longitude revealed the vulnerabilities faced by the sector companies and the challenges to overcome them.
The report draws on a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts from Europe, the Americas, the Middle East and Africa, and Asia Pacific.
The respondents were from a wide range of sector organisations that spanned energy industry services, power transmission and supply, renewables, and oil and gas, and varied in size: 34 per cent had annual revenues of $100 million or less and 25 per cent exceeded $500 million in revenues.
Energy is one of the top three industries reporting cyber-attacks. But its challenges are very specific.
While all industries must prevent hackers from stealing sensitive data from their IT environments, energy businesses also need to manage the threat to their operational technologies (OT).
Some 67 per cent of the survey respondents acknowledged that the shock of recent incidents has driven them to make major changes to their security strategy and systems.
However, the risk posed across the industry can be understood in light of the broader, longer-term challenges faced by their constituents.
As industry leaders look to strengthen their cyber defences and adjust to a landscape of emerging risks, the Cyber Priority research identifies four key challenges that they must contend with along the way.
• The ‘wait and see’ effect is holding back progress: Respondents are aware of the growing threat to their organisation but are often reactive in their approach to cyber security.
Sixty per cent C-suite respondents acknowledge that their organisation is more vulnerable to attack than ever before, but far fewer (44 per cent) expect to make urgent improvements in the next few years to prevent an attack.
Indeed, one in three (35 per cent) says their organisation would need to be impacted by a major incident before it would spend any more time or money on its defences.
This sentiment is more prevalent in the Middle East and Africa (44 per cent) than it is in Europe (29 per cent) and the Americas (39 per cent), despite respondents in the Middle East being more likely to expect a major cyber incident in the industry in the next few years.
A problem with waiting for an incident before investing in cyber upgrades is that organisations are more likely to make hasty, suboptimal decisions.
When it comes to OT, the reluctance of energy organisations to invest is compounded by the knowledge that reviewing and potentially transforming cyber-security systems may interrupt business as usual.
• The air gap is closing fast: When considering the risk of a cyber-attack on their industrial control systems, energy businesses have taken some comfort from the knowledge that their OT platforms have traditionally had an ‘air gap’ insulating them from the IT network. And, therefore, prioritised cyber upgrades to their IT security instead.
Today, just 4 in 10 respondents think their organisation is well prepared for an attack on its OT environment, whether executed directly or by infiltrating through the IT network
Seven in 10 say OT security is a significantly higher priority for their organisation today than it was two years ago, before the Colonial Pipeline event.
• A global shortage of expertise: In an unfolding cyber incident, where hackers have infiltrated the network and need to be contained, every second counts.
It’s, therefore, concerning that just 31 per cent of respondents assert confidently that they know exactly what to do if they became concerned about a potential cyber risk or unfolding attack.
The principal challenge here is the global talent-availability crisis.
According to the (ISC)2 Cybersecurity Workforce Study8, the cyber security workforce gap represents around 2.7 million professionals.
Within the energy sector, the challenge is compounded by organisations’ need for specialist talent that understands the OT as well as the IT domains.
These requirements reinforce the need for thorough training, intuitive processes that guide individuals into making the right choices, and greater collaboration, knowledge-sharing and support across the industry.
• Complex supply chains disguise critical vulnerabilities: Supply chains in the energy sector are global in scale and increasingly complex, relying on third and fourth parties whose cyber security systems and processes are harder to assess with certainty.
Consequently, cyber security across the supply chain is an area in which respondents are less confident than they need to be to protect their critical systems and data.
The research finds energy organisations notably less likely to rank themselves as strong at vendor and supplier security oversight than they are in other disciplines.
Just 28 per cent of energy professionals working within OT say their company is making the cyber security of their supply chain a high priority for investment.
The danger is that suppliers and equipment manufacturers may not have the people, processes, or technologies in place to demonstrate the security of their products and services. As a result, energy operators could be unaware of the vulnerabilities to which they are exposed.
In consideration of the specific challenges revealed by the research, it is recommended that energy firms adopt three principles to support them in their efforts to enhance cyber security across their IT and OT platforms:
• Allocate budgets that can make a difference: Around one in three respondents, on average, indicates that they are underinvesting in their IT and OT capabilities.
For some senior leaders, the default position for many years may have been to invest enough to ensure compliance with regulation and then review in due course.
• Determine where you’re vulnerable: One of the most urgent tasks facing companies in the energy sector is to identify where their projects and operations are exposed to threats before hackers can find them. It must be done iteratively to ensure resilience against new and emerging attack vectors.
A case in point is the emergence of Log4Shell in December 2021, where a previously undetected vulnerability was uncovered in a tool used in cloud servers and enterprise software across the world.
Within hours of its discovery, the Log4Shell flaw showed signs of becoming the worst vulnerability discovered in years, largely because hackers could exploit it without needing authentication or special privileges.
• Balance investment between training and technology: It appears that less focus is dedicated to developing a workforce skilled in understanding and identifying threats, and in detecting and containing attacks.
When asked about where they considered their organisation to be most mature in their cyber security, respondents pointed more to upgrades to core IT systems and software (59 per cent) than they did to training (41 per cent) or the introduction of cyber security expertise (25 per cent).
Cyber security professionals largely agree that there is no ‘one-size-fits-all’ approach to security that can be applied to all businesses.
Similarly, it would be a mistake to believe that a cyber security paradigm that has been tried and tested in one industry can be replicated wholesale in a sector as complex and idiosyncratic as energy, and that two very different technical domains – IT and OT – can be treated interchangeably.
It is there where external support may still take precedence over training in general cyber security standards.
The research finds some organisations making real progress toward cyber resilience, protecting their crown jewels while keeping pace with the threat.
More worryingly, a proportion of respondents are waiting for a major incident to happen before investing in essential improvements to their defences.
Organisations who increase their focus on cyber security will inevitably struggle to find the specialist talent they need and will face the broader challenge of achieving resilience across a complex and fragmented supply chain.
By Abdulaziz Khattak