1、ENERGY CYBER PRIORITY 2023Closing the gap between awareness and action DNV Energy Cyber Priority 2023 23ABOUT THIS RESEARCHABOUT THIS RESEARCHThis 2023 edition is the second report in the series in which we focus on the energy industry(following our 2022 Energy Cyber Priority report),and it is publi

2、shed alongside our first Maritime Cyber Priority report1.The research draws on a survey of 601 energy professionals along with a number of in-depth interviews with leaders and experts.The report also draws on additional DNV research where relevant to the findings,as indicated in the narrative and fo

3、otnotes.It was developed by DNV in partnership with FT Longitude(a Financial Times company).Fieldwork was conducted between February and March 2023.Survey respondents represent a range of functions within the industry,including those with in-depth knowledge of cyber security along with general manag

4、ers and C-suite executives.This report is published by DNV,the worlds leading resource of independent energy experts and technical advisors.It is part of DNVs Cyber Priority research exploring changing attitudes and approaches to cyber security in key industrial sectors.ACKNOWLEDGEMENTSSURVEY DEMOGR

5、APHICSWe thank our survey respondents from across the energy industry.We would like to thank the following interviewees for their time and insight:Jalal Bouhdada,Global Segment Director,Cyber Security,DNVMuhittin Hasancioglu,independent expert,former CISO at companies including Petronas and ShellTor

6、 Heiberg,Executive Director IT,Skagerak EnergiLars Idland,Chief Information Security Officer,EquinorAdam S.Lee,Vice President and Chief Security Officer,Dominion EnergyPaul Smith,Chief Technology Officer,SCADAfenceFredrik Torp,Chief Security Officer and Vice President Corporate Security&Resilience,V

7、attenfallSwantje Westpfahl,Director,Institute for Security and Safety GmbH601energy professionals surveyed 92countriesrepresented59%support,develop or operate operational technology8in-depth interviews with industry leaders1Maritime Cyber Priority 2023,DNVSector19%16%7%7%6%5%5%35%Electric power,rene

8、wables,grid infrastructure Oil and gas(including green/decarbonized gases)Cyber security,technology&digitalization services/products Academic,think tank,research institute Manufacturer/fabricator Shipping,transport,logistics Regulator,government,trade association,financial/investment company Service

9、s including HSE,engineering,asset manage-ment,inspection,consultancy Annual revenueLess than$50m US50m-$99m US$100m-$499m US$500m-$999m US$1bn-$4.9bn US$5bn or more Dont know/not applicable 25%8%11%7%10%10%31%Region49%6%10%11%24%EuropeNorth AmericaAsia PacificLatin AmericaMiddle East and AfricaSenio

10、rity19%21%33%27%C-suite executive (or equivalent)All other levels and reporting linesC-1(report directly to C-suite)C-2(boss reports directly to C-suite)DNV Energy Cyber Priority 2023 45CONTENTSCONTENTS1 A step change in cyber threat awareness 7 Supporting digital transformation and the energy trans

11、ition 8 The geopolitical fall-out 10 Hacker innovation 102 Progress has been made,but resilience is tough 13 Recognizing the reality of cyber 14 Business risk and board priority 14 Deeper layers of security by design 16 Supply chain vulnerabilities 163 Three core challenges 19 Investment is lagging

12、21 Skills shortages intensify 22 Poor collaboration and the cyber-perception gap 224 High expectations for a new era of regulation 25 Regulation drives investment 26 Energy companies are unprepared for the shift 275 Recommendations 29DNV Energy Cyber Priority 2023 671A STEP CHANGE IN CYBER THREAT AW

13、ARENESSA step change in cyber threat awareness CHAPTER 1DNV Energy Cyber Priority 2023 891 A STEP CHANGE IN CYBER THREAT AWARENESSThe energy industry is acutely aware of the growing cyber threat to IT and OT systems.“One Thursday afternoon,we were suddenly alerted to a potential security vulnerabili

14、ty related to the logging software log4j.We immediately had to go through all of our software,our installations,all of our backup files everything.”This incident,recalled by Tor Heiberg Executive Director IT at Norwegian renewable energy company Skagerak Energi illustrates the everyday cost and chal

15、lenge of cyber security in todays energy industry.“Even though we were not attacked,we had to drop everything and close the vulnerability.It took three full days,including Saturday and Sunday,with all hands on deck,including all of our partners and suppliers.Those hours quickly became extremely expe

16、nsive.”Situations like these are increasingly common in the energy sector,impacting businesses of all sizes,across all geographies.They help explain why cyber security has now become a regular fixture on the boardroom agenda for six in 10 energy professionals in DNVs new research.But awareness of th

17、e risk is not limited to the threat of immediate attack.Our research this year also underlines the growing strategic importance of cyber security to the energy industry.Indeed,nine in 10(89%)energy professionals believe cyber security to be a pre-requisite for the digital transformation initiatives

18、that are making the future of the industry possible.SUPPORTING DIGITAL TRANSFORMATION AND THE ENERGY TRANSITIONEnergy businesses are upgrading and connecting their legacy technology and infrastructure:to improve safety,increase efficiency,and decarbonize the industry through increased electrificatio

19、n,based on a growing share of renewable generation.To give an example of the scale of this activity,DNVs Energy Transition Outlook 20222 a forecast of the worlds energy system up to 2050 predicts that spending on the grid will double from some US$270bn a year today to around US$500bn by the 2030s.An

20、nual investment will reach the trillion-dollar threshold by 2050.A trillion dollars buys a lot of digitally connected infrastructure,and thats just on the grid.Nonetheless,its an investment thats needed if the industry is to reach its net-zero ambitions.Swantje Westpfahl,Director of the Institute fo

21、r Security and Safety GmbH in Germany,believes cyber security must be an integral part of an organizations energy transition strategy.The energy transition relies on smart infrastructure grids,but smart is only good as long it doesnt get hacked.Swantje Westpfahl,Director,Institute for Security and S

22、afety GmbH “Clean energy has created a much larger attack surface because we have new energy generation run by small computers solar parks and wind farms as well as smart meters expanding the grid into houses and cars,”she says.“There is more risk that the whole system can get rocked if theres a suc

23、cessful attack.”2 DNV Energy Transition Outlook 2022DNV Energy Cyber Priority 2023 1011THE GEOPOLITICAL FALL-OUTThe Russian invasion of Ukraine sent shockwaves through an energy sector whose memories of the pre-war cyber-attacks against Ukraines energy supply remain vivid4.As one interviewee for thi

24、s research noted,many executives in power generation and distribution became acutely aware at the time of the invasion that they were relying on the same kind of SCADA systems that the Kyiv plants were using when the cyber-related blackouts took place in the mid-2010s.In our research,almost eight in

25、 ten energy professionals(78%)report that geopolitical uncertainty has made them more aware of the potential vulnerabilities in their operational technology(OT)the systems that manage,monitor,automate,and control industrial operations.Moreover,two-thirds say their focus on cyber has intensified as a

26、 direct result of tensions.The situation is made more complicated because attribution of cyber-attacks is difficult,and the connection between specific incidents and foreign powers is rarely clear-cut.“Cyber-crime groups are increasingly fragmented and many of them have fluid connections to nation s

27、tates,”explains Lars Idland,Chief Information Security Officer at Norwegian energy company Equinor.“There may also be collateral damage when the target was someone else,but an energy company is affected,”he says.The Russian cyber-attack on satellite internet operator ViaSat in spring 20225,for examp

28、le,had the effect of deactivating thousands of wind turbines in Germany when their satellite-dependent monitoring systems were taken offline.Although energy professionals in Europe are the most likely in our survey to be concerned about the impact of hostilities on their organizations,concern is als

29、o heightened in Asia Pacific,amid tensions between China and Taiwan,and in response to long-running bellicosity on the part of North Korea.“From a conflict perspective,critical infrastructure is a clear target,because if an attacker can turn off your power grid,you lose early warning detection capab

30、ilities,”says Paul Smith,the Chief Technology Officer at industrial cybersecurity company SCADAfence.“But then,you also have the largest chip manufacturer on the planet being threatened in Taiwan.If it starts producing malicious chips and pushing them globally,that is a scarier thought than most oth

31、er things.”CYBER-CRIMINAL INNOVATION Our research shows how the profile of cyber-attackers has changed since early 2022.In the immediate aftermath of the Russian invasion,we saw the industry shift into high alert with professionals expressing concern about all potential attackers.In the year since,e

32、nergy executives remain highly attuned to the threat created by the Ukraine war either by politically-driven hacktivists6 or by hostile states but they appear to have become less concerned about longer term adversaries such as criminal gangs and malicious insiders.It would of course be a mistake to

33、play down the threat of these other adversaries,not least because there may be a growing overlap between certain groups,as Skagerak Energis Tor Heiberg explains.“There are still criminal motives behind many cyber-attacks,”he says.“My impression is that these are melting together because the cyber wa

34、r between Russia and Ukraine probably has led to the development of new tools,and these tools are sold on the dark web where they can be utilized by economic criminals,and vice versa.”Innovation on the part of cyber criminals is indeed a persistent challenge,with new methods being shared and adopted

35、 by different adversaries.Fileless malware and living-off-the-land attacks,in which cyber criminals exploit native tools within a companys system to carry out an attack,is a case in point.“We see a rise of malware-less attacks where they use a legitimate account and misuse those instead of creating

36、malware,”says Equinors Lars Idland.More broadly,energy businesses may benefit from broadening how they think about cyber threat actors and the specific methods they use.Fredrik Torp,Chief Security Officer and Vice President Corporate Security&Resilience at Swedens Vattenfall,argues that it may be he

37、lpful,when assessing the threat landscape,to consider threat actors as organisations with specific objectives,who will use any means at their disposal to achieve their goals.“Sabotage,espionage and disinformation are the main goals that the most advanced state actors have in todays geopolitical land

38、scape,”Torp says.“In addition,the advanced cybercrime groups are financially driven,and ransomware is constantly on the rise,which is another significant threat to counter.“But cyber is only one vector that they will exploit to commit these acts,”Torp adds.“As companies are strengthening their cyber

39、 defence,threat actors will increasingly focus on utilizing insiders or direct physical access to circumvent that.To be successful,it helps to have a holistic approach to security risks,where cyber is only one element.”States and hacktivists most concerning threat actors2022before invasion2022after

40、invasion2023HacktivistsForeign powers and State-sponsored actorsMalicious insiders or former insiders(e.g.,employees or partners)Criminal gangsTerrorist groupsVandals or script kiddiesCompetitors65%71%69%62%51%50%49%44%39%63%58%52%51%49%57%53%50%42%41%38%3 Trilemma and Transition,Energy Industry Ins

41、ights 2023,DNV 4 Compromise of a power grid in eastern Ukraine,Council on Foreign Relations 5 Russias Viasat Hack Exposed Satellite Industrys Security Flaws,BloombergCYBER SECURITY AND THE ENERGY TRANSITION In recent DNV research on the overall outlook for the energy industry3,eight in ten(79%)of th

42、e most digitally advanced energy companies say that digital technologies are enabling their energy transition.This is where cyber security comes in.Simply put,the industry cannot reap the benefits of digital transformation without robust cyber security.Its why respondents to the research who conside

43、r their organization to be digitally advanced are noticeably more likely(72%)to believe cyber-attacks are a major threat to their organization than the average(59%).Q:To what extent are you concerned about the potential for the following cyber threat actors to attack your organization?(Data shows mo

44、derate+high concern)A step change in cyber threat awareness CHAPTER 1DNV Energy Cyber Priority 2023 12132PROGRESS HAS BEEN MADE,BUT RESILIENCE IS TOUGHProgress has been made,but resilience is tough CHAPTER 2DNV Energy Cyber Priority 2023 1415Progress has been made,but resilience is tough CHAPTER 22

45、PROGRESS HAS BEEN MADE,BUT RESILIENCE IS TOUGHThe energy industry has woken up to the safety and business risks from cyber threats,but there are signs awareness is yet to translate into sufficient action.BUSINESS RISK AND BOARD PRIORITYThe good news is that our research finds leadership teams in ene

46、rgy organizations paying serious attention to cyber security oversight.More than three in four energy professionals(77%)report that cyber security is treated as a business risk within their organizations.“The level of management attention in the energy industry has changed over the last few years,”s

47、ays Tor Heiberg at Skagerak Energi.“Companies have known for a long time that cyber security is important,but now they also know it is expensive to underestimate the need for cyber defence.There have been incidents that were very costly and make investing in cyber defences and dedicating time to tra

48、ining a more rational argument.”Although leadership teams have been focusing their attention on cyber security in recent years as operational assets become increasingly networked and connected to IT environments the prospect of greater external scrutiny has helped sharpen this focus,espe-cially in l

49、ight of the Ukraine war.“In standard risk assessments in the industry,war was always seen as unlikely,”says Swantje Westpfahl at the Institute for Security and Safety GmbH.“But now that acts of war are targeting the energy industry,the risk assessment has been overhauled.Now classified very likely,m

50、easures for the prevention of cyber-attacks,and for operators of critical infrastructure to comply with related regulatory requirements,will be put into place.”RECOGNIZING THE REALITY OF CYBEREnergy professionals acknowledge that cyber-attacks in the industry are now a question of“when”not“if”.With

51、that in mind,it should perhaps be no surprise that seven in 10 energy professionals(71%)responding to our 2023 survey say they take cyber security as seriously as they do physical health and safety.Any evidence that the industry is ramping up its security posture is to be welcomed,but our view is th

52、at more work is required before energy companies can confidently say they treat cyber as seriously as safety.This is not to play down the progress that firms have made,but to underline the complexity of the threat.“If you walked onto a site in the energy industry without a hard hat,you would be stop

53、ped from working immediately,”says Jalal Bouhdada,Global Segment Director,Cyber Security,at DNV.“On the other hand,if a business identified a vulnerable application,would it be remediated and fixed at the same speed?Despite increasing awareness,the answer is often no.”One of the reasons behind this

54、disconnect could be that leadership teams,although aware of cyber vulnerabilities,may not be fully apprised of the growing difficulty of keeping up with a fast-evolving threat both on a technical and employee-management level.Its an issue that chief information security officers(CISOs)can help addre

55、ss.When I talk to a board,I highlight that we have a risk-based strategy with strong cyber resilience to protect the company,”says Muhittin Hasancioglu,independent expert,former CISO at both Petronas and Shell.“It is impossible to achieve 100%protection against cyber threats and breaches,but we do e

56、verything to enhance cyber risk management and cyber resilience to ensure any breach is to the lowest level of the digital landscape and results in a minimum impact to the company.”As a CISO,my job is talk about the facts,not to give a false sense of security.Muhittin Hasancioglu,independent expert,

57、former CISO at both Petronas and Shell.Cyber is seen as a top business and strategic riskCyber security is a regular topic on the agenda for myorganisations board of directors/senior managementCyber security is treated as abusiness risk in my organizationCyber security is a pre-requisite for digital

58、transformation in todays energy sectorMy organisation takes cyber security as seriously as it takes physical health and safety02040608010060%77%89%71%25%14%13%8%3%15%16%9%AgreeNeutralDisagree6 Energy Cyber Priority 2022,DNV Q:To what extent do you agree or disagree with the following?Percentages ref

59、lect net agreement(i.e.moderately+strongly agree).In DNVs 2022 Cyber Priority study,the majority of respondents told us that they believed a major incident in the energy industry was probable at some scale within the next two years,resulting in disrupted operations(85%),harm to the environment(74%),

60、and loss of life(57%).6 In our analysis,we compared this growing awareness of cyber risk with the change in mindset around safety standards that took place in the late 20th Century.Our view was that energy operators took an inconsistent approach to health and safety until incidents such as Piper Alp

61、ha and Seacrest forced leaders to adopt standard protocols.We warned businesses against taking a similar“wait and see”approach to their cyber security,especially with respect to OT,out of concern that it would take a safety-compromising cyber-attack for energy companies to prioritize and institution

62、alize global security protocols and standards.ENERGY PROFESSIONALS ARE WAKING UP TO THE SCALE OF THE THREATDNV Energy Cyber Priority 2023 1617Progress has been made,but resilience is tough CHAPTER 2DEEPER LAYERS OF SECURITY BY DESIGNOur research finds specific areas where energy busi-nesses are tryi

63、ng to catch up with the threat.Security by design,for example,should be the ambition for all companies the idea that protections are built into assets and networks as they are developed,rather than retrofitted.If the industry is incorporating cyber security into the DNA of its infrastructure,it woul

64、d be a big step towards it routinely treating the discipline as seriously as physical health and safety.Some progress has clearly been made in this regard.More than half of respondents(54%)say,for example,that they consider security at every stage of the lifecycle of their assets and infrastructure.

65、At the same time,around seven in 10(69%)tell us that cyber is a consideration during the early phases of new infrastructure projects.If security teams are involved at these early stages,there are opportunities for them to influence asset and infrastructure planning.Involving cyber security professio

66、nals early in a projects development is,however,no guarantee that security by design is being delivered to a meaningful degree.Paul Smith at SCADAfence argues,for example,that security by design in the industry has not always extended to the underlying software that is baked into modern connected as

67、sets,meaning that assessments do not probe deep enough into the blueprint.“Businesses trust the vendors they buy equipment from explicitly and assume the underlying software dependencies have been secured,”he says.“But you will find a bunch of interdependent packages if you look underneath the hood.

68、We investigated one device where the vendor had disclosed publicly to the National Vulnerability Database(NVD)two open vulnerabilities.When we ran it through a deep software bill of materials(SBOM)analysis,the firmware,it produced results in the range of something like 1,600 issues.”Lars Idland says

69、 Equinor is striving for security by design,especially as the company digitalizes operational technology.He flags,however,that achieving success relies on a serious commitment.“It is a challenge to have capability and capacity in place,”he says.“You have to have people that can be in the projects,su

70、pport the digitalization tasks,and try to secure it when they are developing it.”These frustrations are reflected in our research.The top challenge when companies try to enhance the cyber security of their OT,cited by 38%of respondents,is the lack of in-house cyber security skills.SUPPLY CHAIN VULNE

71、RABILITIESBeyond the walls of the organization,energy professionals are increasingly aware of the cyber risks posed by their suppliers.Recent examples include serious breaches at critical energy infrastructure in the US and Europe,which resulted from the supply-chain attack on software developer 3CX

72、 earlier this year7.Successfully managing this risk represents another test of the maturity of cyber security relative to health and safety.More than half energy professionals(57%)tell us that their organization has good oversight of supply chain vulnerabilities,indicating some confidence in their t

73、hird-party risk management.However,they also identify the need to address supply chain vulnerabilities as one of the top-five challenges in cyber security.The question is whether“good oversight”in this context signals that they are taking effective action,or whether they just have awareness of vulne

74、rabilities.The picture is also less certain if we look across the energy system.Respondents from the oil and gas sector are more likely than power companies to feel that they have good oversight of the supply chain,for example,and also to invest more in OT cyber security.This may be because oil and

75、gas businesses are more likely to have been affected by cyber incidents.More than four in 10(42%)oil and gas professionals said their organization had experienced negative impacts from an IT cyber security breach in our 2022 research,compared with 35%of power industry professionals.There is a risk w

76、hen vendors make assumptions about the coding in their systems and devices and are unaware of the risks these assumptions present to their clients.These gaps create significant challenges of visibility for companies when trying to achieve security by design.With this in mind,extreme caution may be t

77、he only option.Adam S.Lee,Vice President and Chief Security Officer at Dominion Energy which provides power to several key military and intelligence community national assets in the US says this is the approach his organization takes.“We wont use any industrial or robotic systems that have been code

78、d in a hostile nation state or one associated with it,”he says.“We even go as far as excluding vendors that use open-source freeware in their coding.Sometimes they will say their systems or devices are entirely coded in the US,but when you peel it back you realize they are pulling code from internet

79、 hosting services,some of which are developed in hostile countries.”A positive development here in recent times is that the industry has started to introduce new legislation to address the issue,by way of the EU Cyber Resilience Act regulation that aims to create conditions for the develop-ment of s

80、oftware with fewer vulnerabilities and new product lines coming into the market in the form of SBOM,which itemize the different components of software.“SBOM,specifically in the OT world,has been interesting because for a long time the industry gave absolute trust to vendors,”says Paul Smith of SCADA

81、fence.“Companies would assume a new programmable logic controller or human-machine interface operating system or firmware had been quality assured,and engineers would simply run their control narratives on top of it.Some of the bigger vendors are now utilizing SBOM companies as a third-party validat

82、ion check.”Q:To what extent do you agree or disagree with the following?Percentages reflect net agreement(i.e.moderately+strongly agree).Asia-Pacific companies reportedly more likely to take a holistic,lifecycle approach to cyber security My organization is more focused on technical solutions(such a

83、s patching system vulnerabilities)than it is on taking a holistic view of its cyber security(covering people and processes)Cyber security is considered at every stage in the lifecycle of my organizations assets and infrastructure65%54%45%53%47%EuropeTotalAsia PacificAmericasMiddle East and Africa52%

84、48%53%46%44%Q:To what extent do you agree or disagree with the following?Percentages reflect net agreement(i.e.moderately+strongly agree).Oil and gas companies most confident about cyber supply-chain oversightMy organization has good oversight of the cyber security vulnerabilities in our supply chai

85、nCyber security is incorporated in the early phases of new energy infrastructure projects in my company54%57%63%57%Oil and gas(including green/decarbonized gases)TotalElectric power,renewables,grid infrastructure Energy industry services73%69%55%71%7 Hackers behind 3CX breach also breached US critic

86、al infrastructure,CSO8 Software Bill of Materials(SBOM),US Cybersecurity&Infrastructure Security AgencyDNV Energy Cyber Priority 2023 18193THREE CORE CHALLENGES Three core challenges CHAPTER 3DNV Energy Cyber Priority 2023 2021Three core challenges CHAPTER 33 THREE CORE CHALLENGESInvestment,skills s

87、hortage,and poor collaboration remain major challenges.Energy professionals are largely optimistic about the ability of their organizations to protect their business from cyber-attacks and keep up with the evolving threat.When ranking the importance of business risks to their organization,around a t

88、hird(36%)said cyber security was a top three-risk.This places cyber security fourth overall among risks,behind operational and technical,safety,and financial risks.We see a similar picture when energy professionals rank these business risks in two years time,with 34%expecting cyber security will the

89、n be a top-three business risk.With the vectors and technologies used by cyber-attackers becoming steadily more sophisticated,in tandem with the growing connectivity of critical infrastructure,some in the industry may be in for a shock if they dont allocate sufficient resources to mitigate cyber sec

90、urity threats,or at least to keep threat actors at bay.Others will struggle to keep up with the demands that come from compliance with new regulation and with the need to ensure that their net-zero investments in essential technology can withstand attack.In this section,we explore three principal ch

91、allenges that energy businesses can expect to face around IT and OT cyber security as they look to the future.INVESTMENT IS LAGGING Despite board-level awareness of cyber risk,energy professionals are concerned that investment is not flowing at the levels required to address the issue.Less than half

92、 of energy professionals(42%)think their organizations current level of investment is sufficient to ensure the resilience of their operational assets and infrastructure.Just one in five agrees strongly that enough investment is being made.“Its worth asking whether there is indeed a shortage of budge

93、t for cyber security being made available,or whether it is not being used effectively and teams are consequently made to look for additional funds,”notes DNVs Bouhdada.“For other companies,the concern is that,while energy companies accept that cyber security risk is on the increase,they dont think a

94、n attack is something that will happen specifically to them and dont dedicate enough budget.”Today,just one in three(36%)energy professionals are confident their organization has invested enough in OT cyber security,with 59%saying that they are investing more in security this year than they did in t

95、he previous 12-month period.One problem is that despite commitment to cyber security on a corporate level,many energy businesses have subsidiaries that are comfortable investing less in their defences.Dominion takes a different approach to its governance,as Adam S.Lee explains.“Were a top-down enter

96、prise,but a lot of large energy companies have multiple subsidiaries with a great deal of autonomy,”he says.“At Dominion,if I make a convincing case for an OT security standard,it becomes an enterprise-wide policy.At some organizations,subsidiaries make more of their own decisions.”Cyber security th

97、e fourth greatest business risk32%36%10%20%30%40%50%Climate risk Geopolitical risk Market and competitor risk Safety risk Cyber security risk Regulatory risk Financial risk Operational and technical risk Oil and gas professionals are more likely to say their company is investing in OT cyber security

98、Extent to which energy professionals agree their company is investing enough in building the cyber resilience of operational assets and infrastructureEuropeAmericasAsia PacificTotalIndustry servicesOil and gasPowerMiddle East and Africa 39%42%45%37%43%38%52%39%47%Our 2022 Energy Cyber Priority resea

99、rch found that companies that had had a breach were significantly more likely to believe that their organization was not taking cyber as seriously as they should have been,with respect to IT(63%vs.39%)as well as to OT(56%vs.33%),suggesting that lessons may not have been learnt.Last years research al

100、so identified an awareness of heightened cyber security risk,but a failure to invest accordingly.Lessons may not have been learntQ:Rank the following business risks,according to their level of importance to your organization today.Data shows percentage of respondents who selected these risks in the

101、top three.DNV Energy Cyber Priority 2023 2223SKILLS SHORTAGES INTENSIFYIt is not just investment that is lacking from cyber security in todays energy industry.Organizations are also deeply concerned about their ability to recruit and retain the talent they need to protect themselves from cyber secur

102、ity threats.The lack of in-house cyber security skills is regarded as the single most intractable barrier to maturity in the industry.More than a third of energy professionals(38%)pick out this issue.And in some parts of the world,the skills shortages are especially pronounced.In Asia Pacific,for ex

103、ample,48%of energy professionals are concerned about the issue,which is in line with recent studies that found the gap between the current cyber workforce in the region and the number of workers needed to grow by 52%or 2.16 million people in a year9.One of the challenges that companies face is that

104、cyber training,although vital,is very difficult to get right.Fredrik Torp at Vattenfall says that part of the problem in the industry is that standard e-learning modules can be overlong,unengaging and“painful”,rendering them ineffective.“You need to be creative about ways to train the workforce,”he

105、explains.“Weve been trying out simulations as well as microburst training that you get during your normal working day.A message pops up and it takes 15,30 seconds to finish,and then you come away with something new from that.You want people to behave differently,and you need to be able to measure th

106、at you see a change in their behaviour and provide feedback to them.”POOR COLLABORATION AND THE CYBER-PERCEPTION GAPOur research finds that cyber security professionals struggle to communicate and collaborate with operational teams who dont share their level of understanding,as well as with executiv

107、es at the most senior levels of the organization.These difficulties,combined with differ-ences in direct experience of cyber security,is leading to a cyber-perception gap among respondents.Our research suggests,for example,that some senior leaders might not have the full picture of the threat.Talent

108、 and budget are top barriers Lack of in-house cyber security skillsCost of investment in new solutionsInadequate oversight of our vulnerabilitiesInadequate oversight of the vulnerabilities of supply chain partners connected to our environmentsCyber security solutions are not optimized for the energy

109、 sectorDisruption to operations while projects to strengthen cyber security take placeLack of cyber security processes and governance systems in my organizationAs we have never experienced a cyber-attack,it is not something that our employees consider38%32%28%28%24%21%21%20%9 Cybersecurity Workforce

110、 Study 2022,(ISC)2While 73%of respondents at C-suite level believe their organizations pay as much attention to cyber security as they do health and safety,the figure drops to 66%among those closer to operational practice.Meanwhile,77%of C-suite respondents think security is emphasised early on in n

111、ew projects,but just 66%of operational colleagues share this view.Similarly,the C-suite appear more confident that geopolitical uncertainty is translating into heightened cyber vigilance.They are also more likely to think that their business is increasing its focus on cyber in light of geopolitical

112、tensions.Part of the problem is the inability of cyber security professionals to articulate and accurately report security challenges.Adam S.Lee at Dominion explains that shared understanding,based on clear communication,was one of his principal objectives when he started working in his current role

113、.“One of the first things that I did was cultivate a very collaborative relationship with our CIO,”he recalls.“If we have a coalition between his team and my team,were combining the security that we have designed with how we need to build the controls,how we need to manage the risk,and how we commun

114、icate to the board,delivering the metrics that matter.”Three-quarters(76%)of respondents believe that cyber security professionals need to get better at speaking the language of energy operations.Linked to this,76%also say their cyber security and engineering teams must learn to collaborate more eff

115、ectively if the organization is to strengthen the security of its assets and infrastructure.Respondents based in the Asia Pacific region(85%)are particularly concerned.Q:What are the biggest challenges when it comes to enhancing your OT cyber security(select up to three)?The C-suite has a different

116、perspective than employees closer to operations Cyber security is considered at every stage in the lifecycle of my organisations assets and infrastructureCyber security is incorporated in the early phases of new energy infrastructure projects in my companyMy organisation takes cyber security as seri

117、ously as it takes physical health and safetyMy organisations focus on cyber security has increased as a result of growing geopolitical tensions in the last yearGeopolitical uncertainty has made my organization more aware of the potential vulnerabilities in the cyber security of our OT58%44%77%66%73%

118、66%74%67%87%71%C-levelOperational-level Q:To what extent do you agree or disagree with the following?Percentages reflect net agreement(i.e.moderately+strongly agree).Three core challenges CHAPTER 3DNV Energy Cyber Priority 2023 24254HIGH EXPECTATIONS FOR A NEW ERA OF REGULATIONHigh expectations for

119、a new era of regulation CHAPTER 4DNV Energy Cyber Priority 2023 2627High expectations for a new era of regulation CHAPTER 44 HIGH EXPECTATIONS FOR A NEW ERA OF REGULATIONThe energy industry is gearing up for cyber security regulation,in the hope it will unlock investment,but questions remain whether

120、 the industry is prepared for the shift.REGULATION DRIVES INVESTMENTRegulation is the foremost driver of investment in cyber security in todays energy industry.Almost half of respondents(49%)say changing requirements is one of the factors most likely to unlock increased budget at their organizations

121、,making it the most commonly cited factor overall.By contrast,the next most likely catalyst for spending is a cyber incident(or near miss),cited by 38%.As new regulation is looming,we can therefore expect cyber security functions in the energy sector to be in receipt of additional funding.In the EU,

122、for example,organizations providing essential services,including many in the energy sector,face tougher regulation in the form of the revised Directive on Security of Network and Information Systems(NIS2).This directive,agreed by the EU in January 2023,must be transposed into member states national

123、laws by late 2024.Among other measures,NIS2 widens the scope of organizations covered by regulation,increases the standards of required executive oversight and imposes new reporting changes.It also increases the penalties for non-compliance,including provisions for fines of up to 10m or 2%of an orga

124、nizations total worldwide annual turnover.Other jurisdictions are also pursuing higher standards and tougher regulation.In the US,the Department of Energy is continuing to work on the National Cyber-Informed Engineering Strategy10,a bi-partisan plan to raise standards.The Securities and Exchange Com

125、mission,meanwhile,proposes to require public companies to disclose whether their boards have cybersecurity expertise11.In Australia,the Cyber and Infrastructure Security Centre recently called for an overhaul of energy sector practices given its vulnerability to attack12.Further initiatives are like

126、ly around the world.Organizations such as the World Economic Forum continue to push for increased regulation on cyber security in critical industries,particularly in areas such as resilience and reporting on breaches13.The danger of this reactive,regulation-dependent approach to budgeting is that it

127、 is inevitably geared around complying with rules rather than achieving maximum resilience.As the Institute of Safety and Security GmbHs Swantje Westpfahl explains,new directives and standards are limited unless businesses embrace the spirit of regulation.“You can be cyber secure and you will nearly

128、 automatically be compliant,but you can be compliant without having good cyber security this is when you should seek help,”she says,adding that specialist external partners can help businesses reach the required standard.“For some things that were difficult to get into place a few years ago,like DMZ

129、 networks or backup systems,there are startups and great minds everywhere now that can do them for you.Compliance and stronger regulations can help argue for the cause and provide a baseline for best practices.”A related challenge is that lack of investment in cyber security resources in advance of

130、regulatory change will mean that businesses struggle to turn the additional funding into an enhanced security posture when it does become available.“Translating funding into resilience is especially difficult when it comes to developing and recruiting specialist talent,considering the shortage of sk

131、illed professionals within the industry,”says Jalal Bouhdada.When it comes to the talent challenge,this is another area where some believe that government bodies,including regulators,could become more ambitious in their approach to cyber security.“Regulation is a stick that is useful for penalizing

132、people,but first we need to invest in educating the nation,”argues Muhittin Hasancioglu.“If I were in the government,I would enhance the nations cyber awareness and introduce cyber education at ages 11 or 12.These children can then influence other people,and they will also become the future cyber-aw

133、are digital and cyber-security skills pool.Right now,there are three-and-a-half million job vacancies in cyber security worldwide,for which we cant find people.We need to start now.”ENERGY COMPANIES ARE UNPREPARED FOR THE SHIFT In this research,more than half of respondents(59%)expect regulatory aut

134、horities to take tougher action on companies that do not comply with regulation in the coming years.The penalties could be significant.As mentioned above,organizations in the EU face fines of up to 10m or 2%of their annual turnover while those in the US and Australia also face tougher penalties in t

135、he coming years.Creating suitable momentum may require regulators to hold board members more accountable,believes Dominion Energys Adam S.Lee.“Holding executives and boards to account if they havent properly invested in cyber controls is going to be significant,and promulgation of these rules by reg

136、ulators is already underway,”he says.“I also think we will see shareholder legal suits against the CISO or the CSO(Chief Security Officer),if they havent properly made the case to their companys board that suitable safeguards require significant investment.”We can hope that this increased regulatory

137、 attention will have the effect of improving resilience across the energy industry.Professionals expect greater regulatory scrutiny of the supply chain and of incident response,which will help focus attention on the gaps that businesses still have around their OT cyber defences.Today,64%of energy pr

138、ofessionals worry that their organization is more vulnerable to cyber-attacks on their OT networks than at any other point in their history.Furthermore,42%admit that they have not invested enough in their OT cyber security.Regulation will help unlock some of the funding they need to address the bala

139、nce.10 National Cyber-Informed Engineering Strategy,US Department of Energy11 Is your board prepared for new cyber security regulations,Harvard Business Review12 Australias CISC releases risk assessment advisory for critical infrastructure across energy sector,Industrial Cyber13 Why we need global r

140、ules to crack down on cybercrime,World Economic ForumLACK OF NIS2 AWARENESS Despite the threat of stricter regulation,our research indicates that businesses are not moving quickly enough to ensure compliance.Looking at NIS2,as an example,a recent poll of professionals from industrial sectors carried

141、 out by DNV found that more than a third(35%)were not even familiar with NIS2,while(30%)said their company had not started to prepare for the changes.Cyber security investment follows a regulatory pushRegulatory requirementsA cyber incident or near-miss in my organizationA cyber incident or near-mis

142、s impacting another organization in our sectorIncreased focus on cyber security from the leadership in my organizationPressure from customersClearer assessment of our weaknesses and vulnerabilitiesDevelopment of industry-specific solutions24%20%38%49%34%29%26%Q:What factors are most likely to lead t

143、o greater cyber funding in your organization(please select top 3)?DNV Energy Cyber Priority 2023 28295RECOMMENDATIONSRecommendations CHAPTER 5DNV Energy Cyber Priority 2023 30315 RECOMMENDATIONSIn the short term,we advise energy organizations to prioritize the following actions.Step up efforts to en

144、hance cyber securityThe evidence of this research suggests many organiza-tions have not made as much progress as is required,despite awareness of the risk and confidence among senior leaders.The clock is ticking.Tougher regulation exposes energy companies to significant compliance failures.More fund

145、amentally,the risk of attacks in the sector is increasing at a time when dependence on operational technology(OT)is growing fast,and companies must take steps to strengthen their resilience accordingly.Build cyber maturityWe believe that energy professionals should question whether their confidence

146、around their cyber security posture is justifiable.In turn,they should ask how they are measuring the strength of their defences and recovery plans,how they are benchmarking performance,and whether they have identified the improvements they need to make.Once they have outlined systematically the gap

147、s in their defences,they can put plans in place to close them.Equinors Lars Idland says his company approaches cyber security as a continuous process.“This is an ongoing situation,”he says.“Its going from a project phase,where you find and fix things,to a situation where you continuously try to impr

148、ove capabilities over time.It develops alongside the technology.”Improve communication and collaborationMiscommunication is not just a case of cyber teams speaking the“wrong language”when collaborating with operations.Our data suggests that the C-suite is not getting the clarity it needs to assess t

149、he threat and invest appropriately.This should be concerning for all stake-holders employees,shareholders and customers alike.When learning to collaborate with individuals in different parts of the business,it isnt just a matter of understanding different communication styles and workplace cultures,

150、and then exploring these through coaching and work-shops vital though this is.“It comes down to gaining respect,”says Swantje Westpfahl.“You have people from different realms,with different knowledge,so there needs to be an appreciation that what they do is valuable and different from what others do

151、.”Build capacity and unlock resourcesTaking a proactive approach to cyber security can help drive competitive advantage.Organizations at the forefront of defining excellence,meeting new standards and implementing best practice will secure an edge on their less fleet-of-foot competitors.The commercia

152、l benefits of cyber are important to highlight,considering the cost of cyber security.“We have to have acceptance from management and the board that cyber is costly and we need to spend money on it,”says Skagerak Energis Tor Heiberg.The prospect of unlocking commercial advantage is a persuasive argu

153、ment in such budgetary conversations.Prepare for new regulationEnergy firms are waiting for regulation to unlock invest-ment,but this is the wrong way around.They should of course invest to ensure compliance in order to avoid increasingly challenging penalties from regulators,and in recognition that

154、 stronger requirements are on the way but should also aim to go further than what is stipulated.In practice,this means being proactive rather than ticking boxes,focusing on resilience alongside compliance,and looking for new opportunities that may arise from managing cyber security effectively.One w

155、ay to ensure that the business is ready is to strengthen the case that cyber is key to enabling the future of the energy industry,which points to its broader strategic necessity.This may also be important in attracting essential but hard-to-find cyber talent into the industry.Recommendations CHAPTER

156、 5Disclaimer All information is correct to the best of our knowledge.Contributions by external authors do not necessarily reflect the views of the editors and DNV.DNV,April 2023All rights reserved.DNV is an independent assurance and risk management provider,operating in more than 100 countries.Throu

157、gh its broad experience and deep expertise,DNV advances safety and sustainable performance,sets industry standards,and inspires and invents solutions.DNV combines specialist energy industry knowledge with engineering expertise and information system best practice to keep critical infrastructure proj

158、ects and operations confidently cyber secure.We provide many of the sectors most successful and forward-thinking companies with clear and practical advice to uncover their risks,build a powerful force of defence against threats,recover from attacks,and unite stakeholders against security programmes that everyone can believe DNV