Representatives of the frequently targeted energy industry are more concerned about the risk of cyberattacks than before the Russian invasion of Ukraine, a new global risk report has found. Apprehension also increased regarding insufficient investments and activities of their organisations.
Due to the massive impact of the war, the global energy sector has recently become the centre of attention and concern, including in the realm of cybersecurity.
The energy infrastructure is particularly popular as a target for cyberattacks, as consequences can be far-reaching and it can be used as a lever for blackmail or as a starting point for a military operation.
The awareness of such cybersecurity risks among energy professionals is growing. Yet, defensive actions are still lagging behind, said the report by DNV, a risk consultancy, published on Thursday (19 April).
“Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge for the sector,” said Trond Solberg, managing director for cyber security at DNV.
The global DNV research surveyed 948 energy professionals and interviewed a series of industry leaders and security experts on their perceptions of cyber risks and preparedness.
DNV is an international assurance and risk management provider based in Norway.
“Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it,” Solberg said in a press statement.
Targeting the sector
Sven Herpig, head of international cybersecurity policy at the think tank Stiftung Neue Verantwortung, told EURACTIV the energy sector is frequently targeted in the cyberspace, “not only by cybercriminals, who aim to make money from such attacks but also in order to gain access and prepare the battlefield, as has been happening in Ukraine for years”.
In this sector, physical infrastructures are closely connected to cyber-infrastructures. Potentially high offline repercussions of cyber attacks could be used as leverage in war, for example.
How disruptive such cyberattacks can be could be seen in the US Colonial Pipeline ransomware cyber-attack, where a leaked password led to a state of emergency in 17 US states and resulted in massive fuel shortages.
In Germany, for example, the remote maintenance of wind turbines was compromised after the KA-SAT network operated by the US company Viasat was attacked by Russia. This attack, which took place only an hour before the invasion, was officially attributed to Russia by the EU earlier this month.
“While a high number of attacks does not equal high vulnerability, safety standards need to be put in place to avoid worse attacks,” Herpig said.
Harmful, possibly deadly, attacks expected within two years
Amid numerous reports of cyber incidents, it seems logical that energy professionals are increasingly concerned.
According to the report, they believe that cyberattacks on the industry are likely to cause harm to life, property, and the environment within the upcoming two years. Over 80% expect physical damage to assets and 57% anticipate loss of life.
Yet, less than half of the respondents believe that the security of their operational technologies is as robust as their IT security. And fewer than a third can confidently assert that they know precisely what to do if they were faced with a potential cyber risk.
In Europe, 29% of respondents believe defence investments are only undertaken after a cyber incident takes place, meaning that these organisations would merely react rather than prepare.
Since the aggression against Ukraine, energy professionals are more worried about nation-states as the source of cyberattacks, but concerns rose across all categories.
“This suggests that respondents expect other opportunists – whether motivated by political causes or criminal gain – to take advantage of the confusion that follows a crisis by launching their own attacks,” the report said.
Actions are needed
However, rising concerns are not necessarily leading to concrete steps to improve defence. Instead of taking a “hope for the best” approach to cybersecurity, as some energy firms appear to be doing, emerging cyber threats should be actively addressed, DNV’s Solberg emphasised.
In reaction to the collected responses, the DNV report recommends allocating more budget, determining specific vulnerabilities and focusing on better training rather than just upgrading the IT systems and software.
[Edited by Zoran Radosavljevic]