Many energy professionals believe cyberattacks on the industry in the near future will result in a loss of life, and many companies are not doing enough to protect themselves, according to a recent report.
Published on Thursday by Norwegian risk management firm DNV, the paper found that “energy executives anticipate life, property and environment-compromising cyberattacks on the sector within the next two years”.
DNV notes fears over “more extreme consequences” to these security breaches than in recent years, citing as examples the 2021 shutdown-inducing attack on the Colonial Pipeline in the United States, and a series of disabling attacks against parts of Ukraine’s power grid in the mid-to-late 2010s.
The research is based on a survey of almost 1 000 energy professionals and in-depth interviews with executives from different countries around the world.
Almost half of the respondents said control systems at their companies were not as secure as their information technology (IT) systems, and less than a third said management at their firms was making cybersecurity a top priority.
“As [operational technologies] become more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries,” said Trond Solberg, managing director of cybersecurity at DNV. “It is concerning to find that some energy firms may be taking a ‘hope for the best’ approach to cybersecurity rather than actively addressing emerging cyber threats,” he added.
DNV published its report the same day United Kingdom attorney general Suella Braverman addressed a conference at London-based think tank Chatham House, underlining the need for a clear and common framework for applying international law to cyberspace following the outbreak of war in Ukraine.
Russian-backed hackers have targeted multiple European institutions in recent weeks.
Microsoft reported in late April that at least six Russian-aligned groups had launched 240 cyber operations against Ukraine since the invasion began, and the US, European Union and UK have since blamed Russia for a hack against a satellite network that knocked thousands of German wind turbines offline.
Italian police also said they had thwarted a pro-Russian attack on network infrastructure during the Eurovision Song Contest, in which Russia had been barred from participating.
But while hostile states are believed to be the greatest threat to critical energy infrastructure, experts and government officials have warned that the risk of organised criminal activity in this area is not to be underestimated.
“The line between nation-state and criminal actors is increasingly blurry as nation-states turn to criminal proxies as a tool of state power, then turn a blind eye to the cybercrime perpetrated by the same malicious actors,” Mieke Eoyang, US deputy assistant secretary of defence for cybersecurity, told Congress last May.
– Organised Crime and Corruption Reporting Project