The Cyber Priority In The Energy Industry

By Jalal Bouhdada, Global Cyber Security Segment Director, DNV

The energy industry’s safety record has taken huge steps forward over the past 50 years. But the strong safety culture that the sector now practices has been learned from tough experiences.

Tragic incidents, such as the 1988 Piper Alpha disaster in the North Sea, spurred the sector to better prioritise, institutionalise, standardise, and regulate safety. The result is that the sector will not tolerate a ‘hope for the best’ safety culture, and risks are tightly managed to prevent incidents from occurring.

Today, the industry faces the rapid emergence of new safety risks. The 2020s are the decade in which the digital technologies underpinning Industry 4.0 will mature from experimentation into large-scale application.

Critical infrastructure is becoming more and more digitally connected to make society safer, bring down costs, increase efficiency and decarbonise the world we live in. The challenge is that critical infrastructure becomes increasingly vulnerable the more connected it becomes.

Traditionally, operational technology (OT) – the control systems that manage, monitor, automate and control energy operations – has been ‘air-gapped’, operating in siloed environments that are disconnected from other networks. The air gap is now closing fast, as OT becomes more networked and connected to IT environments.

This opens the door for cyber criminals to access and control critical infrastructure, impacting the safety of people, assets, and the environment. The Cyber Priority, a research report published by DNV this year, revealed that the vast majority of the 940 energy professionals surveyed anticipate cyber-attacks damaging assets and infrastructure (84%) and disrupting operations (85%) within two years. Most consider it likely that cyber-attacks will compromise life (57%) and the environment (74%).

Action is lagging the threat

While energy executives are waking up to the OT security threat, swifter action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security.

What’s particularly concerning is that many companies seem to be taking a ‘wait and see’ approach to cyber security, instead of actively addressing emerging threats. This draws distinct parallels to the gradual adoption of physical safety practices over the past 50 years.

Less than half (44%) of C-suite level respondents to our survey believe they need to make urgent improvements in the next few years to prevent a serious attack on their business. More than a third (35%) of energy professionals say their company would need to be impacted by a serious incident before investing in their defences.

Our research gives a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment.

Know where you are vulnerable

The overriding principle for mitigating the risk of assets and operations being compromised by a cyber-attack is to put measures in place to protect, detect, respond and recover. This is in line with industry best practice, including the National Institute of Standards and Technology’s (NIST) cyber security framework.

For many organisations, however, the challenge in ensuring cyber resilience is understanding and identifying where their vulnerabilities are. By having a clear overview of attack surfaces and potential entry points, you can prioritise the vulnerabilities and non-conformities that must be addressed. Robust, and often straightforward, mitigation measures can be put in place to address most vulnerabilities.

Continuity and compliance are also key to effective cyber security risk management. Cyber security management systems addressing people, processes and technology are essential. Companies must be able to clearly define who is responsible for which environments, systems and security programmes, and ensure that measures are in place to maintain them. Once in place, cyber security management systems should be regularly audited, reviewed, and updated to ensure that best practices are used and compliance gaps are closed.

Organisations should regularly conduct risk assessments to understand the vulnerabilities and risk in their OT environments. They should analyse and act on the results of assessments to improve their cyber readiness and identify the resources needed to address risks.

Beware of supply chain blind spots

While many organisations are investing in their own cyber security, our research indicates that these efforts are not being sufficiently extended to include the companies they partner with and procure from.

Just 28% of energy professionals working with OT say their company is making the cyber security of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say expenditure on IT system upgrades is a high investment priority.

Essentially, while energy companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, it won’t make a difference if there are undiscovered vulnerabilities in their supply chain.

The danger is that suppliers and equipment manufacturers can lack the people, processes, or technologies to make their products and services cyber secure. As a result, energy operators could be unaware of the vulnerabilities to which they are exposed.

Companies need to invest in the security of their suppliers. The protection of technology platforms can be undermined if there are vulnerabilities elsewhere in the supply chain and cyber security has not been factored adequately into contracts with third parties and subcontractors.

Sharing is caring

The challenge with managing emerging cyber security risks is that there is not enough best practice available to guide operators, manufacturers and regulatory authorities in building an effective defence – particularly within older energy infrastructure that doesn’t have cyber security built in by design.

The energy industry’s safety record has not been built in silos. It’s only by sharing knowledge, experiences and lessons, and by working in close collaboration across the public and private sectors, that new standards and best practices are set.

There has never been a more important time for energy companies to come together and apply this mindset to the cyber security domain so that companies can excel in their digitalisation and automation efforts.

We are already seeing examples of pan-industry collaboration creating technical best practice in OT security. The IEC 62443 series of standards for cyber security in industrial automation and control systems is a great example.

At DNV, we have also brought leading players in the sector together to publish recommended practices that guide industrial companies in people, process and technology best practices for cyber security.

DNV-RP-G108 provides a guideline for how to apply the IEC 62443 series of standards in the oil and gas industry while DNV-RP-0496 provides guidance on cyber security resilience management for ships and mobile offshore units in operation and can also be applied to renewables. For companies operating, managing and securing existing power grid substations, DNV-RP-0575 provides guidance on becoming cyber resilient.

As threats to industrial cyber security become more common, complex and creative – and as regulatory oversight begins to tighten to address the threat of a rapidly evolving cyber security landscape – the sector must now go further in taking collective action as industrial cyber security risks are increasingly seen as business risks.

Enabling digital transformation

With life, property, and the environment firmly at stake, mindsets towards cyber security are tangibly shifting in the energy sector. Those responsible for this increasingly important domain are coming under more pressure to assure boards that their organisation is compliant and confidently cyber secure. But, with large demands being made on company finances, they may struggle to obtain the budgets they need to upgrade their capabilities.

Around a third of energy professionals indicate that their companies are underinvesting in their IT and OT security capabilities. In arguing the case for the investment needed, it pays to demonstrate how cyber security compliance can add value by supporting business continuity, licence to operate and reputation. Put simply, companies cannot reap the benefits of digitalisation without cyber security.

Download a free copy of The Cyber Priority from: www.dnv.com/cyberpriority

Jalal Bouhdada

Founder & CEO of Applied Risk B.V.