A 2022 Cyber Priorities study by DNV, an independent risk management and quality assurance provider, has revealed that energy executives “anticipate life, property, and environment-compromising cyber-attacks on the sector” – within the next two years.
Research suggests that while energy executives are expecting cyberattacks to increase in extremity and severity – they aren’t taking the necessary action, quickly enough. The survey of more than 900 global energy executives across the oil, gas, renewables, and power industries, found that:
- more than half of respondents believe that an attack resulting in loss of life is likely within the next two years.
- more than eight in ten expect an attack to cause operational shutdowns and damage to energy assets and critical infrastructure.
- almost three quarters expect an attack to harm the environment.
Trond Solberg, managing director for cybersecurity at DNV, said: “As operational technology (OT) becomes more connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries. Our research finds the energy industry is waking up to the threat.”
Cyber-attacks against the energy sector.
In November 2021, it was reported that one of the world’s largest wind turbine manufacturers, Vestas Wind Systems, had fallen victim to a cyber-attack, shutting down some of its IT systems. Although Vestas acted quickly, the attack impacted the internal IT infrastructure and compromised their data. It’s months and months of headaches and painstaking work to even begin to put right, without considering the reputational and financial damage.
Earlier this year, as Russia launched their attack on Ukraine, wind turbine manufacturer, Enecron, was hit by a cyberattack which cut remote service links to 5,800 wind turbines in central Europe.
And in April, German wind farm OEM, Nordex, was hit by a cyber-attack, taking multiple systems down in its storm. Even if they weren’t the intended target, they still had to pick up the pieces. And foot the bill.
→ Clue yourself up with the best security know-how in this free guide to cloud identity and access management.
"Sleepwalking into another disaster" The DNV reported the energy industry could be “sleepwalking towards another Piper Alpha or Deepwater Horizon disaster”. After the fateful night on 6th July 1988, when an explosion ripped through the Piper Alpha rig in the North Sea, it was hoped lessons would be learned; especially around change management and emergency response. And these two lessons, however much the tech has transformed, are still relevant.
Piper Alpha was never intended to export gas; it had been designed to produce and export oil. Retrofitting the rig over several phases meant the result was not only unfit for purpose, but it was wholly unsafe… the platform hadn’t even been tested against simultaneous explosions.
The disaster recovery plan was pretty basic; the majority of personnel would be taken by helicopter. But within a minute of the first explosion, the helideck was covered in so much thick black smoke that a helicopter couldn’t land on it.
We often talk about rigorous planning and testing; they’re the fundamentals of any change management project – whether it's an oil rig in 1988 or an electric grid in 2022.
Cyber threats to Operational Technology (OT).
The type of cyber-attacks in the energy sector fall in to two categories: threats to IT systems, and threats to operational technology. OT – the hardware and software that monitors or controls equipment, assets and processes within industrial environments — has become a top target for cybercriminals. And in the energy sector, OT means the safety-critical machinery found on oil rigs, electric grids, electric grids, wind and solar farms, refineries, and pipelines. OT cyber attacks have the potential to stop production, impair the integrity of safety-critical systems, or cause physical damage, personal injury or loss of life.
As a side note, it’s also important to mention here that the legal risks resulting from a cyber-attack, whether from litigation or regulatory action, is increasing – and is expected to continue to grow in the coming years. This isn’t just about the techies. This is about ensuring everyone in the organisation is accountable, should the worst happen.
OT Security Control Framework.
Gartner predicts that, by 2025, cyber attackers will have weaponised OT environments to successfully harm or kill humans – and that most CEOs will be personally liable for such incidents. So it's time to get serious.
Gartner may have delivered some pretty hard-hitting predictions, they've also included a 10-step framework for securing the OT environment.
1. Define roles and responsibilities
2. Ensure appropriate training and awareness
3. Implement and test incident response
4. Backup, restore and disaster recovery
5. Manage portable media
6. Have an up-to-date asset inventory
7. Establish proper network segregation
8. Collect logs and implement real-time detection
9. Implement a secure configuration process
10. Formal patching process
The DNV Cyber Priorities highlights four key challenges for the energy sector:
1. The classic ‘wait and see’ approach. In some cases, it’s great – but in this one, waiting and seeing just isn't good enough. 60% c-suite respondents acknowledged that their organisation is more vulnerable to attack than ever before – yet only 44% expect to make urgent improvements in the next few years to prevent such an attack.
2. The gap between IT and OT. OT platforms used to be somewhat siloed from the rest of the organisation – but new technology is closing that gap, fast. Less than half (47%) of survey respondents believe their OT cyber security is as strong as their IT security – with 38% admitting they haven’t invested as much as they need in OT cyber security.
3. Global skills shortage. There’s a lot to be asked of our friends in the energy sector; they need to know and understand the language of their specific industry (wind turbines, gas pipelines, solar farms), the engineering world, and, to top it off, the language of IT and cybersecurity. It’s no wonder that only one in five of the global energy executives asked, would know exactly how to respond if they spotted a breach…
4. Complex supply chain disguise critical vulnerabilities. Global supply chains, multiple vendors using multiple (perhaps outdated) systems and processes…where do you even begin?! ‘Remote access to OT systems’ is among the top three methods that the survey respondents expect hackers to use in order to exploit organisations (67%).
Cyber Priorities recommendations for improving the security of your energy business:
1. Know what you know – and uncover what you don’t. According to the findings of the report (and we absolutely agree), “companies in the energy sector need to identify where their projects and operations are exposed to threats before hackers can find them”.
2. Allocate budgets that will make a difference. For some business leaders (and/or those holding the purse strings), “enough budget” simply means throwing enough cash at a situation to keep the regulators and auditors happy. But in this complex world, that’s just not enough.
3. Balance investment between training and technology. All the gear, no idea? It’s a familiar notion. And it applies to the cybersecurity and energy space, too. Of course, businesses shouldn’t stop investing in cybersecurity… but they certainly should invest more in their people. As we mentioned earlier, the best talent needs to be proficient in the engineering sector, the specific field of interest, and IT security. Three areas that continue to grow and innovate. It’s important we don’t leave our people behind.
Azure makes it possible. Azured makes it easy.
With the big players like Shell, e-on and Chevron sitting pretty in Azure, Microsoft must be on to something when it comes to the energy sector. And we’ve learnt a thing or two along the way too. Our video case study with Dieter from specialised offshore wind engineering consultancy, Wood Thilsted, explains how Azured have helped transition their business in the cloud.