A report published by DNV shows that operational technology is not as well protected against cyberattacks as it should be.
According to DNV, an independent assurance and risk management provider operating in more than 100 countries, energy is among the top three industries that report cyberattacks. Last year, Colonial Pipeline, the main supplier of transportation fuel consumed on the East Coast of the United States, was shut down as a result of a ransomware attack. The DarkSide attack led to rising prices and panic buying at fuel pumps until a payment of $4.4 million in bitcoin was made. How did this happen? According to a Bloomberg report, it came down to a stolen username and password for a VPN that did not use multi-factor authentication.
Cyber Priority, a report released today by DNV, surveyed 948 energy professionals and found that although the IT environment is protected, energy companies need to increase the security of their operational technology (OT), the computing and communication systems they use to manage, monitor and control industrial operations. The survey found that less than half of respondents (47%) believe that their OT security is as reliable as their IT security, and less than a third of those who work with OT believe that their company is making the security of its supply chain a top priority.
“Energy companies have been dealing with the issue of IT security for decades. However, securing operational technology (OT) – the computing and communication systems that manage, monitor and control industrial operations – is a more recent and increasingly urgent task for the sector. As OT becomes more networked and connected to IT systems, attackers can access and control systems running on critical infrastructure such as power grids, wind farms, pipelines and refineries. Our study shows that the energy industry is waking up to the OT security threat, but faster action is needed to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security,” said Trond Solberg, head of cybersecurity at DNV.
The lack of security is not because respondents are unaware of the possibility of cyberattacks. Four-fifths of respondents believe that a cyberattack on the industry is likely to lead to shutdowns (85%) and damage to energy assets and critical infrastructure. Three-quarters (74%) expect an attack to harm the environment, while more than half (57%) believe it will cost lives.
Russia’s invasion of Ukraine has only heightened concerns and awareness of the threat. Six out of ten C-level respondents admit that their organization is now more vulnerable to attacks than ever before. However, some companies appear to be taking a wait-and-see approach before taking action. One explanation for this approach may be that less than a quarter (22%) suspect that their organization has suffered a serious breach in the past five years.
“It is a matter of concern that some energy firms may be using the ‘hope for the best’ approach to cybersecurity rather than actively combating emerging cyber threats. This draws clear parallels with the gradual adoption of physical security measures in the energy sector over the past 50 years,” Solberg said.
DNV recommends strengthening the supply chain as the first step to improving protection. The Cyber Priority survey shows that investment in vulnerability detection should extend to the companies that energy firms work with and purchase from.
“Our study identifies ‘remote access to OT systems’ among the top three methods of potential cyberattacks on the energy industry. We urge the sector to pay more attention to ensuring that suppliers and equipment suppliers demonstrate adherence to safety best practices at the earliest stages of procurement,” said Jalal Bouhdada, founder and CEO of Applied Risk, an industrial cybersecurity firm acquired by DNV in 2021.
Balancing investment between training and technology
Asked where their organization is putting the most into its cybersecurity efforts, more than half (59%) pointed to upgrading core IT systems and software, ahead of training (41%) or bringing in cybersecurity expertise (25%). It can be concluded that less attention is paid to developing a workforce capable of understanding and identifying threats as well as detecting and deterring attacks.
Despite emerging threats to cybersecurity, a DNV study shows that less than a third (31%) of energy professionals confidently state that they know exactly what to do when they are concerned about a potential cyber risk or threat to their organization. This finding points to the need for energy companies to invest in employee training to detect criminal attempts to gain access to their systems.
“The company’s workforce is its first line of defense against cyberattacks. Effective workforce training combined with providing the right skills in cybersecurity can do everything to protect critical infrastructure. Our study shows a clear need for companies to carefully evaluate their investment in informing their people about how to detect and respond to incidents in a timely manner,” Bouhdada said.
In the United States, the U.S. Department of Energy (DOE) is working to strengthen the resilience of the solar industry against cyberattacks. In a speech to the State Department in early February, President Joe Biden announced an “urgent initiative” to improve U.S. capacity, readiness, and resilience in cyberspace. The Solar Energy Industries Association (SEIA) is continuing its efforts to strengthen the resilience of the solar industry against cybersecurity threats. SEIA and the Department of Energy’s Solar Energy Technologies Office (SETO) held an afternoon virtual summit on cybersecurity in the industry, with a focus on how these threats should be taken into account from the initial design phase. SunSpec and Sandia National Laboratories are leading a Distributed Energy Resource (DER) Cybersecurity Working Group to create an industry standard for cybersecurity from competing entities. Interested companies can join the working group to contribute to the development of these critical industry standards and best practices.