According to new research on cybersecurity in the energy sector, energy companies are taking cyber threats seriously at the highest levels. Two in three energy professionals (65%) say their leadership views cybersecurity as the greatest current risk to their business.
More than two-thirds of energy professionals (71%) expect their company to increase investment in cybersecurity this year.
Cybersecurity
According to the latest Energy Cyber Priority report from DNV Cyber, energy companies are progressing in cybersecurity. This includes greater awareness at the leadership level, with 78% of energy professionals confident their leaders sufficiently understand cyber risk.
Successes have been delivered by employee training, as more than eight in 10 (84%) say they know exactly what to do if they are concerned about a potential cyber threat.
Operational technology (OT) cybersecurity
Energy transition creates new attack surfaces and as threat actors become more sophisticated
Growing attention is being paid to operational technology (OT) cybersecurity – securing the systems that manage, monitor, and automate physical assets – as two-thirds (67%) expect greater OT security investment in the year ahead.
Challenges remain, however, as the energy transition creates new attack surfaces and as threat actors become more sophisticated.
Digital technologies
Digital technologies are essential to driving and enabling the energy transition, but each potentially broadens an energy company’s exposure to cyber risk, whether due to their increased use of sensitive data, greater dependence on third-party tools and components, or the introduction of connected environments through which hackers can infiltrate from system to system.
“Achieving the energy transition is central to society at large,” says Ditlev Engel, CEO, of Energy Systems at DNV.
Cybersecurity risks
"The whole energy sector – companies and governments alike – are working together on this massive challenge, which is increasingly complex because the technologies underpinning the transition are largely digital and scaling rapidly. With this comes cybersecurity risks."
“Cybersecurity should be a priority for all players in the energy sector to achieve the climate goals and guarantee energy security, as geopolitics make the world more hostile and uncertain.”
Energy transition
75% report that their organisation has increased focus on cybersecurity because of growing geopolitical tensions
The energy transition is making cyber risk unavoidable, and this is reshaping attitudes in the energy industry, as half (49%) of energy professionals believe their organisations should accept additional cyber risk as a necessary trade-off for innovation.
Of the 375 energy professionals surveyed globally for the research, three-quarters (75%) report that their organisation has increased focus on cybersecurity because of growing geopolitical tensions over the last year.
Malicious insider concerns
Some 72% are concerned about the potential for attacks directed by foreign powers, up from 62% in 2023.
Eight in 10 (79%) are concerned about the threat from cyber-criminal gangs, up from 50% in 2023. The research records a rise in concern about malicious insiders, up from 51% in 2023 to 62% this year.
Resilience against cyber attacks
“Even as the energy industry becomes more mature in its cybersecurity posture, it must continue to strengthen and adapt to remain resilient against a growing number of increasingly sophisticated threats."
"From attacks on supply chains, recruitment of malicious insiders, and the use of AI, adversaries are upping their game and the energy industry needs to keep up,” says Auke Huistra, Director of Industrial and OT Cybersecurity at DNV Cyber.
Five principal challenges
DNV Cyber’s new report Energy Cyber Priority 2025: Addressing Evolving Risks, Enabling Transformation argues that energy companies must double their cybersecurity efforts to overcome five principal challenges:
- securing physical infrastructure.
- overcoming complex cybersecurity supply chains.
- enhancing employee vigilance.
- embedding new skills in the workforce.
- embracing AI.
Physical safety incidents
Connecting physical infrastructure to modern IT architectures and other assets creates new vulnerabilities
Connecting physical infrastructure to modern IT architectures and other assets creates new vulnerabilities. Recognising the potential to cause harm, threat actors are increasing their attacks on OT systems, with the potential to directly cause physical safety incidents.
More than two-thirds of energy professionals (71%) acknowledge that their organisations are more vulnerable to OT cyber events than ever before, an increase from 64% in 2023. More than half (57%) admit that their OT defences lag their IT defences.
Supply chains
Supply chains are a major worry for energy companies as threat actors go to suppliers and sub-suppliers to gain access to companies operating large assets.
Around half (53%) of energy professionals indicate that cybersecurity issues are typically included in their procurement requirements and processes. Just 16% are very confident that their organisation can demonstrate full visibility of the supply chain and any vulnerabilities, and more than a third (34%) suspect undisclosed breaches among their suppliers.
Employee vigilance
Employee vigilance continues to rise, but adversaries are constantly changing their approach and targeting employees with more sophisticated tactics. Three-quarters of energy professionals (76%) worry that their organisation’s cybersecurity training is not advanced enough to prepare for more sophisticated attacks.
Skills and knowledge gaps are also an issue, as half (46%) of energy professionals say a lack of skills and talent is making it more challenging for their organisations to secure their organisations.
Generative AI
Generative AI’s increasingly human-sounding tone and capacity for detail enable cybercriminals to launch
Generative AI’s increasingly human-sounding tone and capacity for detail enable cybercriminals to launch more convincing scams. Two-thirds of energy professionals (66%) agree that attackers’ use of AI in phishing attacks has made it more difficult to determine whether emails are genuine.
Cybersecurity professionals understand that neglecting AI will disadvantage them, as almost half (47%) fear they will fall behind adversaries unless they harness AI.
Innovative approach
“To further strengthen their cybersecurity, energy companies should – as a priority – broaden their efforts to secure OT and support greater security and transparency in the supply chain,” says Huistra.
“They should reset and redesign cyber’s relationship with the business, take a more innovative approach to training, and build understanding of AI.”