The past year has transformed the North American energy landscape, bringing seismic shifts, groundbreaking innovations, and industry-defining moments. As we enter 2024, DNV’s experts will write a series of blogs to dissect the major trends and developments from 2023 and provide insight on what we can expect in 2024.
Cyber security was a big story in the news, whether it was the U.S. government’s new National Cyber Security Strategy to the biggest distributed denial of service attack to shutting down one of the largest illicit online marketplaces. This is reflected when we look at our 2023 research into key cyber security efforts in the energy sector. In DNV’s Energy Cyber Priority 2023, we found that 60% of 601 survey respondents reported that their organization is increasing cyber security spending. However, only 42% feel that it is enough of investment given the risks. Further, only a third of respondents are confident that sufficient investment is being directed to operational technology security. This is a trend that DNV expects to continue for the foreseeable future based on the corporate- and operational-level perception gap of cyber security risk.
How do we close the gap between awareness and action?
It starts with a holistic mindset change from corporate and operational stakeholders. Our survey indicates a 14% difference in perception between executives and system operators on cyber security efforts at all stages of operational lifecycle. Clearly, executives think they are more secure than operators or maintainers working with the particular systems. Similarly, more executives believe that cyber security is included in the design or early phases of infrastructure development as compared to those at the operational level. To close this perception gap, executives need empirical evidence of the cyber security vulnerabilities present in their systems AND a direct association of the vulnerabilities to operational and business risks. Without an accurate understanding of the impacts, executives will not be convinced of the true nature of the risk and necessary remediations that they should support.
A cyber-educated workforce—whether it be operators, maintainers, or owners—can help your organization understand and prioritize cyber risks and build effective controls before a cyber incident occurs. More than a third (38%) of our survey respondents identified a lack of in-house cyber security capabilities and skills. Similarly, 32% indicate that the cost of investment in cyber security solutions is a substantial challenge.
Directly hiring more cyber security staff may not be feasible in many circumstances. However, educating your existing operations staff to understand the cyber threat landscape along with core cyber security practices can go a long way in reducing the likelihood of cyber incidents. To support this effort, DNV has developed an awareness course to educate engineers, operators, maintainers, and managers on cyber risks and appropriate countermeasures. The interactive course is easily integrated into learning management platforms and presents material in easy-to-follow modules, gamified scenarios, and knowledge checks. A more educated workforce will also be able to demonstrate need-based cyber security investments more effectively to corporate leaders.
Looking to 2024 and beyond
Regulatory changes will also impact the level of cyber security investment in the energy sector. In Europe, the NIS-2 Directive has come into effect to better secure critical infrastructure components. In North America, NERC CIP standard 004-7 (Personnel & Training) and standard 011-3 (Information Protection) came into effect at the start of the new year.i Furthermore, state and regional energy commissions are getting more involved in the protection of energy infrastructure. For example, Florida House Bill 1645 requires that the Public Service Commission assesses the security and resiliency of the state’s electric grid and natural gas facilities against both physical and cyber threats. The legislation requires all electric utilities, natural gas utilities, and pipelines to participate in or provide information necessary to conduct the assessment to be completed within one year, regardless of ownership.ii
Focusing on the energy transition, cyber security is critical for the ever-increasing digitalization and interconnectedness of our critical infrastructure systems. As Ditlev Engel, CEO, Energy Systems at DNV said, “Just as governments and energy companies know they need to transition faster to meet the targets of the Paris Agreement, they also know they need to urgently step-up action on cyber security. And the two are connected—safety and security are enablers of the clean energy technologies that need to be deployed and operated at scale in the coming decades.”
To increase your focus on reducing the likelihood and impact of cyber events, DNV recommends energy organizations take the following actions:
- Know your systems and understand the vulnerabilities and threats to them
- Build cyber maturity by increasing cyber defenses and employing effective continuity strategies
- Improve communication and collaboration
- Build internal capacity and unlock external resources
- Prepare for new regulation.
To learn more about DNV’s cyber security offerings in North America, contact us at ESNA-Cyber@dnv.com.
i North America Electric Reliability Corporation, Standards, Compliance & Enforcement Bulletin, December 17, 2023, https://www.nerc.com/pa/comp/news/Documents/2023_12_11_StandardsCompliance_Bulletin.pdf
ii Florida House of Representatives, House Bill 1645, Effective July 1, 2024, loaddoc.aspx (myfloridahouse.gov)
Contact us
