It is a classic catch-22. Internet-enabled devices are playing a key role in the clean energy transition. Think of the millions of smart thermostats and battery energy storage systems already installed in homes and businesses around the globe. However, each such device connected to the internet is another node in a rapidly expanding ‘attack surface’ susceptible to disruption. Energy cybersecurity should be a growing priority.
Incumbent fossil energy infrastructure is vulnerable, too. Oil and gas companies increasingly rely on digital operational technologies (OT) to monitor and control pipelines and other assets. The increased digitalisation of the sector poses a significant security threat – a threat crystallised by the May 2021 ransomware attack on the Colonial Pipeline that briefly shut down the flow of nearly half the liquid transportation fuel used on the US East Coast.
Not long ago, an “air gap” existed between OT that control equipment and energy companies’ IT networks. No longer. “The increasingly interconnected nature of today’s industry provides greater scope for attack, especially to critical OT that was previously protected by the air gap separating OT from IT systems,” the consultancy DNV said in a report published in May 2022.
“The digitalization wave in the oil and gas industry is creating new access points in industrial networks for hackers to exploit,” analysts from GlobalData, Energy Monitor’s parent company, warn in a recent report. “As technology develops, from mobile to the cloud to IoT [internet of things], the level of complexity needed for organizations to maintain a cyber-aware stance also increases.”
Experts caution that energy companies and governments are failing to put in place systems and standards commensurate with the growing threat. Energy cybersecurity is not yet enough of a priority.
“Oil and gas companies are realizing the benefits of integrating technologies into workflows, with the pandemic undoubtedly playing an instrumental role in boosting the momentum of the industry’s digitalization,” GlobalData analyst Francesca Gregory said in a statement. “However, the wider industry is largely underprepared to handle its risks.”
“The United States is unprepared to secure this energy transition,” is the blunt verdict delivered by a task force convened by the Atlantic Council’s Global Energy Center in a report published last month.
In the US, the task is complicated by the fact that much of the country’s energy infrastructure is in private hands. “The private sector must maintain cyber hygiene, and must address supply chain security for physical devices and software used in critical infrastructure,” writes the Atlantic Council task force.
The cyber threat extends well beyond the US. DNV surveyed 948 energy industry professionals in 98 countries for its recent cybersecurity report, with 84% of respondents believing a cyberattack is likely to cause physical damage to energy assets, and 57% anticipating loss of life, within the next two years. Just four in ten respondents said their organisation is prepared for an attack on its OT system.
Respondents recognise the scale of the threat, but that awareness does not necessarily translate into a call to action at the companies they work for. “Although executives anticipate a serious incident in the global industry, they are less likely to believe that their own organization will be affected by the most extreme, life-threatening consequences of a breach,” states the DNV report.
“We are concerned when we hear that some energy firms may still be taking a ‘hope for the best’ position on cyber security. The lessons of the past, relating to safety protocols, make this plain. It will be a tragedy if it takes a series of catastrophic but preventable attacks on control systems – resulting in a less safe operating environment across the industry – for them to rethink this approach,” Trond Solberg, DNV’s managing director for cybersecurity, said in the report.
The Colonial Pipeline ransomware attack was a wake-up call for the energy industry. The attack “spurred an increase in cybersecurity spending”, which will now reach $10bn by 2025, according to GlobalData. However, the increased spending alone is not sufficient to safeguard against cyber threats. Companies must inculcate a culture of vigilance and hire the right people, and governments must be ready to step in to help protect private companies from breaches.
“Despite the increase in cybersecurity spending, the industry is still not taking cybersecurity seriously enough,” conclude analysts at GlobalData. The company’s recent cybersecurity report “found that only 20% of the largest oil and gas companies by market cap had a chief information security officer on the board. This suggests that, while companies have made room for cybersecurity in their budgets, cybersecurity is absent from companies’ central strategy.” Energy cybersecurity is not yet a strategic priority.
The Atlantic Council report urges the US federal government to develop guidelines for product and supply chain security, to “conduct robust penetration testing and proactive measures beyond what is commercially available”, and to improve information sharing and coordination between federal agencies and the private sector to protect critical infrastructure.
“The interconnected relationship between government and the private sector is a defining feature of both the challenges and solutions to securing the energy sector’s vastly expanding attack surface,” writes the Atlantic Council task force.