More than half of energy industry executives expect a cyberattack to result in loss of life, claims a new study which warns that the power and fossil sectors alike could be sleepwalking towards another Piper Alpha or Deepwater Horizon disaster – this time as a result of compromised IT systems.
While people working in the industry fear the worst, many companies in the power, renewables and hydrocarbon sectors are taking a “hope for the best” approach to cybersecurity rather than actively confronting the issue, claimed the Cyber Priority report by global energy technology specialist DNV.
The study – which comes soon after several German wind power groups were hit by cyberattacks many are linking to Russia’s invasion of Ukraine and sector giant Vestas was targeted by blackmailers – found 57% of energy professionals expect an incident to cause loss of life, while 85% foresee operational shutdown and 84% damage to critical infrastructure.
While the DNV report says two thirds of respondents reported “major changes” to strategies and systems following the spate of incidents, there was also a warning of widespread complacency.
The biggest threat could now come not directly to the IT systems of companies themselves, but to the operational technology (OT) that links and controls an increasingly interconnected energy system, it warned.
Trond Solberg, managing director, Cyber Security at DNV said: “As OT becomes more networked and connected to IT systems, attackers can access and control systems operating critical infrastructure such as power grids, wind farms, pipelines and refineries.
“Our research finds the energy industry is waking up to the OT security threat, but swifter action must be taken to combat it. Less than half (47%) of energy professionals believe their OT security is as robust as their IT security,” Solberg added.
DNV also contrasted the gap between a sharp focus on physical safety and a laxer approach to cybersecurity in some companies.
“It took tragic events such as the Piper Alpha incident in 1988 and the Macondo [Deepwater Horizon] disaster in 2010 for the industry to prioritise and institutionalise global safety protocols, and for tighter regulation to come into place. Our research gives a strong signal that the industry needs to make urgent investments to ensure that cyber security does not become the cause of future damage to life, property and the environment,” claimed Solberg.
Along with compatriot Nordex, German wind OEM Enercon felt the impact of a cyberattack when a satellite system aiding remote service of thousands of its turbines was hit just as Russia began its invasion of Ukraine.
The manufacturer set up a special task force that concluded the business was an innocent bystander rather than the main target.
“Neither we nor the security authorities believe that Enercon or its customers were direct targets of this attack,” Stephan Menzel, head of Enercon global after sales and member of the ‘SAT Failure’ crisis team, told the company’s in-house magazine Windblatt.
“The assumption is that the attackers wanted to disable satellite communications in Ukraine. We and countless other users were collateral damage, as it were, of this attack.”
