High-profile breaches notwithstanding, the energy sector has largely embraced a reactive, rather than preventative, posture when it comes to cybersecurity, according to the results of a global survey.
“We are concerned when we hear that some energy firms may still be taking a ‘hope for the best’ position on cybersecurity,” said Trond Solberg, managing director, cybersecurity, for DNV, which along with Longitude, a Financial Times company, surveyed 948 energy professionals between February and March. Fewer than 31% of respondents, including those in the increasingly digitalized oil and gas sector, “assert confidently” that they know what steps they should take to mitigate cyber risks, researchers concluded in “The Cyber Priority” report released in June.
“It will be a tragedy if it takes a series of catastrophic but preventable attacks on control systems – resulting in a less safe operating environment across the industry – for them to rethink their approach,” Solberg said.
One of the biggest challenges in combating industrial cyberattacks is the rapid elimination of the so-called “air gap” that traditionally segregated critical operational technology (OT) networks from their more protected, but more vulnerable, information technology (IT) systems. “Most industries are interconnected, driven by the requirement for access to data and analytics,” said Jalal Bouhdada, founder and CEO of Applied Risk BV, The Netherlands, a DNV company.
Companies, likewise, need more experts in cyber on their payrolls, but the study found that such experts simply are not available, especially those well versed in both IT and OT systems. “There’s a shortage of industrial cyber professionals,” said Leo Simonovich, vice president and global head of industrial and digital security with Siemens Energy. “And when you have a massive talent shortage, you need to band together to create leverage, especially if you are a small or medium-size operator. Some energy businesses barely have IT teams, let alone operational technology teams focused on security.”
The complex supply chains intrinsic to the energy sector and largely inadequate insight into vendors’ cybersecurity systems also represent infections waiting to happen. Only 12% of the OT-operating companies surveyed ranked oversight of vendor and supplier cybersecurity efforts as among their core areas of maturity. Of those, a mere 8% of respondents from oil and gas companies claimed to have a firm grasp on their third-party suppliers’ protection measures.
“There are a lot of companies in oil and gas that use standards to help them ensure security in implementation, but you still need the full cooperation of the vendor. If the vendor doesn’t have enough insight, the customer’s evaluation will also be flawed,” said Margrete Raaum, CEO of KraftCERT, a Norwegian cybersecurity organization.
Meanwhile, western support for Ukraine in the ongoing war with Russia has raised the stakes, given the aggressor’s documented propensity for orchestrating cyberattacks.