Solidifying cyber safety and embracing compliance across the offshore and energy industries

By Auke Huistra, Industrial & OT Cyber Security Director, DNV Cyber.

  • 6 months ago Posted in

In recent decades, significant attention has been placed by the global energy and maritime sectors on bolstering the security of their information technology (IT) networks. As well as addressing that ever-evolving threat, these industries must also grapple with considerable security challenges as they connect their operational technology (OT) - the systems responsible for managing, monitoring, and controlling physical assets like sensors, switches, valves, and safety and navigation systems - with these IT networks. 

Generally, OT security tends to lag behind IT security several years, largely because many OT systems were originally developed without cyber security considerations in mind. However, the increasing interconnectivity of OT systems with IT networks and the internet underscores the pressing need to address these security gaps.

As these developments continue to progress and throw up new challenges, cyber-attacks on OT are increasingly a matter of ‘when’, not ‘if’. As the urgency of the risk grows at pace, the sector has important work to do to expand its focus and ensure it is prepared for such incidents. Recent DNV reports explore the cyber challenges faced by both of these industries at length.

The cyber horizon in the maritime industry

Research by DNV, The Maritime Cyber Priority: Staying secure in an era of connectivity report, surveyed 800 maritime industry professionals worldwide and revealed an almost universal expectation among the industry that cyber-attacks will disrupt shipping operations in the coming years. 

Three-quarters (76%) believe a cyber incident is likely to force the closure of a strategic waterway in the next one to two years, with potentially similar consequences as the 2021 Suez Canal blockage, holding up some $10bn worth of cargo daily.  

  

Positively, three-quarters (75%) of those surveyed believe OT security is now a much higher priority for their organisation than it was just two years ago. On the other hand, just 40% believe their company has invested enough money in their OT cyber defences to date, and only a third (33%) are confident their organisation’s current OT cyber security is as strong as its IT security. 

Given the industry expects serious outcomes from maritime-targeted cyber-attacks in the near future, the sector must continue to treat OT security with increasing importance. 

Safety and security for the energy sector

In DNV’s Energy Cyber Priority 2023: Closing the gap between awareness and action report, the 600 energy experts surveyed shared similar sentiments to that of their maritime counterparts. Recent attacks on the industry and ongoing geopolitical tensions explain why six in 10 of these respondents reported that cyber security is now a regular fixture on the boardroom agenda. Seven in 10 (71%) also said that their organisation takes cyber security as seriously as they do physical health and safety, showcasing the understanding of how these types of attacks can impact on operations across energy infrastructure and the scale of the threat.

However, understanding the cyber risk is not enough. Security by design is key to catching up with the cyber threat and with only 54% of respondents stating that they consider security at every stage of the lifecycle of their assets and infrastructure, this is an area which has room for development.

In addition to this, DNV’s research also found that less than half of energy professionals (42%) think their organisation’s current level of investment is sufficient to ensure the resilience of their operational assets and infrastructure. This highlights a lack of meaningful support for the securing of OT systems, with just one in three (36%) energy professionals reported as confident that their organisation has invested enough in OT cyber security.

 

Tighter regulation inbound  

Across both the energy and maritime sectors, industry bodies are seeking to encourage businesses to improve their security posture. The International Maritime Organization 

(IMO) has published its Guidelines on Maritime Cyber Risk Management, making it practically mandatory for ship owners and managers to apply cyber risk management to ships from 2021 onwards.  

The International Association of Classification Societies (IACS) has also adopted new universal requirements for cyber security. The requirements will make verification of cyber security aligned to recognised International Electrotechnical Commission (IEC) standards part of the mandatory verification scope for new vessels contracted from July 2024. As a classification society, DNV already has more than 250 projects ongoing or finalised with its corresponding cyber secure class notation and type approval aligned with the IACS rules.  

The European Union (EU) is also introducing more stringent regulations in the critical infrastructure (e.g. the energy sector) with the NIS2 Directive, which broadens the scope of previous directives to incorporate more industries and companies within them. The energy industry belongs to the sectors of high criticality (essential services) with stricter requirements for risk management regarding their operations and risk landscape. From October 17, 2024, companies operating in EU member states must comply with the stricter security measures that will come in place in the country-specific laws that are based on NIS2, such as introducing incident and crisis management procedures and increasing supply chain security, or be faced with heavy fines.

The next step

Organisations across the energy and maritime sectors should take the following actions to address their cyber security: 

Treat cyber security as an enabler. 

The industries have set themselves clear strategic priorities around digital transformation to enable both commercial advantage and decarbonisation. Cyber security leaders must be part of these wider strategic conversations from day one. Consider investing in cyber security as an investment in confidence, competitiveness, compliance, and innovation, not just a cost of business. 

Treat cyber risks like safety risks. 

Industry leaders have long asserted that work is never so important it cannot be carried out safely. For decades, employees have been encouraged to stop work and blow the whistle if they believe safety protocols are being neglected. A similar mantra should be adopted for cyber security. If security procedures and systems are not set up according to standards and requirements, they could be potentially vulnerable and, in turn, expose physical systems to being targeted and breached. This can lead to severe damage to equipment, people, or the environment – or, in the worst-case scenario, to all three.   

Clarify responsibilities. 

To professionalise their approach, businesses should seek to clarify cyber roles and responsibilities across the enterprise while enabling business and system owners to manage the risk from a multidisciplinary team. 

Champion insight-sharing across the industry. 

Sharing cyber security experiences – the good, the bad and the ugly – with peers and other relevant stakeholders will be key to improving cyber security. In an increasingly connected world, where an attack on one organisation or asset gives rise to contagion risk, this is in everyone’s interest: only through collaboration will industries create standards and best practices around cyber security that are fit for purpose. 

Reframe regulation as the baseline instead of the goal. 

Meeting the minimum requirements set out by industry regulations, such as those by the IMO and NIS2, doesn’t guarantee security. After all, regulations tend to come into being at a much slower pace than the hacking methods used by cybercriminals. Rather than treating them as the end goal, industries should use regulations as a foundation on which to further improve and adapt to the changing threat landscape. 

Rethink how to manage supply chain vulnerabilities. 

Including cyber security in the procurement and development processes for new technologies is much more efficient than carrying out risk assessments at a later stage. Suppliers may also be able to help address energy and maritime organisations’ limitations in technical cyber knowledge, turning supply chain risk into an advantage.  Asset owners should have an assurance process in place to ensure that the supply chain is and remains secure. 

Adopt more effective training

Many energy and maritime businesses lack critical cyber security awareness and knowledge across their workforce. Despite the practical challenges of training and education – especially around industry-specific challenges like offshore working – organisations must remedy this. 

Although cyber security is a growing safety risk to industries that are embracing a more interconnected approach to the relationship between IT and OT – the latter perhaps even the most substantial risk – it does provide the opportunity for innovation and improved efficiencies. 

As we pursue greener, safer, and more efficient operations across the energy and maritime sectors, this digital transformation depends on securing these assets and educating staff to cope with the changing environment and to show the right behaviours. The key to this future is investment and preparation through both time and money, therefore unlocking opportunities for both industries without compromising safety and security.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.