DNV research points to cyber security investment drive in the energy industry, but more action is needed to plug critical gaps

New research published by DNV reveals that the energy industry is boosting its cyber security spending this year, as heightened geopolitical tensions and the accelerating adoption of digitally connected infrastructure spark concerns over the sector’s vulnerabilities to emerging cyber threats.

  • Six in ten energy professionals say their organization is increasing cyber security spending in 2023, as geopolitical tensions trigger growing awareness of emerging threats
  • Industry professionals warn that budgets are still too low to safeguard safety-critical systems. Just one in three are confident that sufficient investment is going into operational technology security  
  • Tightening cyber security regulation is expected to be the greatest driver for unlocking new funding 
  • Cyber security skills shortages and barriers to collaboration emerge as key challenges to greater cyber resilience.   

A majority (59%) of the 600 energy professionals surveyed by DNV say their organization is investing more in cyber security in 2023 compared with last year, acknowledging that cyber-attacks on the industry are a question of ‘when’ not ‘if’. Two thirds (64%) believe that their organization’s infrastructure is now more vulnerable to cyber threats than ever, and say that their focus on cyber security has intensified as a result of geopolitical tensions.    

DNV’s new research report Energy Cyber Priority 2023: Closing the gap between awareness and action, finds that the energy industry is becoming increasingly mature in its understanding of the risks. Six in ten industry professionals say that cyber security is now a regular fixture on the boardroom agenda, and most (77%) report it is treated as a business risk within their organizations. Energy professionals overwhelmingly (89%) believe cyber security is a pre-requisite for digital transformation initiatives essential to the future of the industry.   

Ditlev Engel, CEO, Energy Systems at DNV

“Cyber security is critical for the energy industry, for the industry’s digital transformation and for the acceleration of the energy transition,” says Ditlev Engel, CEO, Energy Systems at DNV. “Just as governments and energy companies know they need to transition faster to meet the targets of the Paris Agreement, they also know they need to urgently step up action on cyber security. And the two are connected – safety and security are enablers of the clean energy technologies that need to be deployed and operated at scale in the coming decades.”

DNV’s wider Cyber Priority research explores the changing attitudes and approaches to cyber security in key industrial sectors, and includes a complementary report on the maritime industry: Maritime Cyber Priority: Staying secure in an era of connectivity.

More focus needed on securing operational technology 

Despite increased awareness, maturity, and investment in cyber security, less than half (42%) of energy professionals say their organization is investing enough. Just one in three (36%) are confident their organization has made sufficient investments in securing their operational technology (OT) – the systems that manage, monitor, automate, and control industrial operations.   

Most energy professionals (78%) say geopolitical uncertainty has made their organization more aware of the potential vulnerabilities in their OT as awareness grows about the potential for cyber criminals to cause operational shutdowns and disable safety systems. 

Jalal Bouhdada, Global Segment Director, Cyber Security, DNV

“While energy companies accept that cyber security risk is on the increase, some in the industry don’t think an attack is something that will happen specifically to them, and they don’t dedicate enough budget and resources,” says Jalal Bouhdada, Global Segment Director, Cyber Security, DNV.    

Tightening regulation will unlock further funding    

Energy professionals point to regulation as the factor that will most likely unlock increased budgets in their organizations, as cited by 49% of energy professionals as a top-three driver. By contrast, the next most likely catalyst for increased spending is a cyber incident (or near miss), cited by 38%.   

The sector must prepare to comply with a raft of new, stricter cyber security requirements in the coming years, as authorities encourage energy businesses to increase their resilience to emerging threats. In the EU, for example, organizations providing essential services, including many in the energy sector, face tougher regulation in the form of the revised Directive on Security of Network and Information Systems (NIS2), set to be transposed into national laws in 2024. In the US, the Department of Energy is continuing to work on the National Cyber-Informed Engineering Strategy – a bi-partisan plan to raise standards.   

“If you’re cyber secure, you’re very likely to comply with regulation, but the reverse isn’t always true: compliance doesn’t guarantee security,” says Bouhdada. “It takes the right mindset, company culture, and access skills to ensure regulation-driven investment translates into greater cyber resilience.”   

Skills shortages and collaboration set backs are major challenges 

As energy companies double down on efforts to manage the growing cyber risks facing their organizations, DNV’s research reveals that energy professionals are deeply concerned about their ability to recruit and retain the talent they need to protect them from cyber security threats. Lack of in-house cyber security skills now appears as the single most intractable barrier to cyber security in the industry.    

Where expertise is in place, concerns are emerging that cyber security professionals often struggle to communicate and collaborate with operational teams who don’t share their level of understanding of the risks, as well as with executives at the most senior levels of the organization. These difficulties, combined with differences in direct experience of cyber security, are leading to a ‘cyber-perception gap’.   

Three-quarters (76%) of respondents to DNV’s survey believe that cyber security professionals need to get better at speaking the language of energy operations. Linked to this, the same percentage say their cyber security and engineering teams must learn to collaborate more effectively if the organization is to strengthen the security of assets and infrastructure. 

In Energy Cyber Priority 2023, DNV recommends energy organizations take the following actions:

  • Step up efforts to enhance cyber security 
  • Build cyber maturity 
  • Improve communication and collaboration
  • Build capacity and unlock resources
  • Prepare for new regulation.

Download the research

 

Energy Cyber Priority 2023: Closing the gap between awareness and action

DNV Cyber Priority research

DNV’s Cyber Priority research explores the changing attitudes and approaches to cyber security in key industrial sectors. The research draws on surveys of industry professionals complemented by in-depth interviews with leaders and experts. In June 2023, we published the latest edition of the research with reports on cyber security in the Energy and Maritime industries:

  • Energy Cyber Priority 2023: Closing the gap between awareness and action. Research based on a survey of 601 energy professionals conducted in February and March 2023, complemented by in-depth interviews with leaders and experts from leading energy sector companies including Equinor, Dominion Energy, Vattenfall, Institute for Security and Safety, Skagerak Energi, SCADAfence, and DNV.
  • Maritime Cyber Priority 2023: Staying secure in an era of connectivity. Research based on a survey of 801 maritime professionals conducted in March and April 2023, complemented by in-depth interviews with leaders and experts from leading maritime organizations including the US Coast Guard, Wärtsilä, Meyer Werft, Bundeswehr (German navy), Stena Drilling, Beazley, Hamburg Port Authority, UK Chamber of Shipping, and DNV.

Images and graphs for download

 

Images and graphs can be downloaded here

About DNV

DNV is an independent assurance and risk management provider, operating in more than 100 countries. Through its broad experience and deep expertise DNV advances safety and sustainable performance, sets industry standards, and inspires and invents solutions.

Whether assessing a new ship design, qualifying technology for a floating wind farm, analyzing sensor data from a gas pipeline or certifying a food company's supply chain, DNV enables its customers and their stakeholders to manage technological and regulatory complexity with confidence. 

Driven by its purpose, to safeguard life, property, and the environment, DNV helps its customers seize opportunities and tackle the risks arising from global transformations. DNV is a trusted voice for many of the world’s most successful and forward-thinking companies.

In the energy industry

DNV provides assurance to the entire energy value chain through its advisory, monitoring, verification, and certification services. As the world's leading resource of independent energy experts and technical advisors, the assurance provider helps industries and governments to navigate the many complex, interrelated transitions taking place globally and regionally, in the energy industry. DNV is committed to realizing the goals of the Paris Agreement, and supports customers to transition faster to a deeply decarbonized energy system.