Energy companies boost investment in cyber arms race to manage industry's "greatest risk"

Jan. 22, 2025

Energy companies are taking cyber threats seriously at the highest levels, as two in three energy professionals (65%) say their leadership views cybersecurity as the greatest current risk to their business, according to new research on the state of cybersecurity in the energy sector. More than two-thirds of energy professionals (71%) expect their company to increase investment in cybersecurity this year.

According to the latest Energy Cyber Priority report from DNV Cyber, energy companies are making progress in cybersecurity. This includes greater awareness at the leadership level, with 78% of energy professionals confident their leaders sufficiently understand cyber risk. Successes have been delivered by employee training, as more than eight in 10 (84%) say they know exactly what to do if they are concerned about a potential cyber threat. Growing attention is being paid to operational technology (OT) cybersecurity—securing the systems that manage, monitor, and automate physical assets—as two-thirds (67%) expect greater OT security investment in the year ahead. Challenges remain, however, as the energy transition creates new attack surfaces and as threat actors become more sophisticated.

Digital technologies are essential to drive and enable the energy transition, but each potentially broadens an energy company’s exposure to cyber risk—whether due to their increased use of sensitive data, greater dependence on third-party tools and components, or the introduction of connected environments through which hackers can infiltrate from system to system.

“Achieving the energy transition is central to society at large. The whole energy sector—companies and governments alike—is working together on this massive challenge, which is increasingly complex because the technologies underpinning the transition are largely digital and scaling rapidly. With this comes cybersecurity risks,” says Ditlev Engel, CEO, Energy Systems at DNV. “Cybersecurity should be a priority for all players in the energy sector to achieve the climate goals and guarantee energy security, as geopolitics make the world more hostile and uncertain.”

The energy transition is making cyber risk unavoidable, and this is reshaping attitudes in the energy industry, as half (49%) of energy professionals believe their organizations should accept additional cyber risk as a necessary trade-off for innovation.

Of the 375 energy professionals surveyed globally for the research, three-quarters (75%) report that their organization has increased focus on cybersecurity because of growing geopolitical tensions over the last year. Some 72% are concerned about the potential for attacks directed by foreign powers, up from 62% in 2023. Eight in 10 (79%) are concerned about the threat from cybercriminal gangs, up from 50% in 2023. The research records a rise in concern about malicious insiders, up from 51% in 2023 to 62% this year.

“Even as the energy industry becomes more mature in its cybersecurity posture, it must continue to strengthen and adapt to remain resilient against a growing number of increasingly sophisticated threats. From attacks on supply chains, recruitment of malicious insiders, and the use of AI, adversaries are upping their game, and the energy industry needs to keep up,” says Auke Huistra, Director of Industrial and OT Cybersecurity at DNV Cyber.

DNV Cyber’s new report, Energy Cyber Priority 2025: Addressing Evolving Risks, Enabling Transformation, argues that energy companies must double their cybersecurity efforts to overcome five principal challenges: 

  • securing physical infrastructure

  • overcoming complex cybersecurity supply chains

  • enhancing employee vigilance

  • embedding new skills in the workforce

  • embracing AI.

Connecting physical infrastructure to modern IT architectures and other assets creates new vulnerabilities. Recognizing the potential to cause harm, threat actors are increasing their attacks on OT systems, with the potential to directly cause physical safety incidents. More than two-thirds of energy professionals (71%) acknowledge that their organizations are more vulnerable to OT cyber events than ever before, an increase from 64% in 2023. More than half (57%) admit that their OT defenses lag their IT defenses.

Supply chains are a major worry for energy companies as threat actors go to suppliers and sub-suppliers to gain access to companies operating large assets. Around half (53%) of energy professionals indicate that cybersecurity issues are typically included in their procurement requirements and processes. Just 16% are very confident that their organization can demonstrate full visibility of the supply chain and any vulnerabilities, and more than a third (34%) suspect undisclosed breaches among their suppliers.

Employee vigilance continues to rise, but adversaries are constantly changing their approach and targeting employees with more sophisticated tactics. Three-quarters of energy professionals (76%) worry that their organization’s cybersecurity training is not advanced enough to prepare for more sophisticated attacks. Skills and knowledge gaps are also an issue, as half (46%) of energy professionals say a lack of skills and talent is making it more challenging to secure their organizations.

Generative AI’s increasingly human-sounding tone and capacity for detail enable cybercriminals to launch more convincing scams. Two-thirds of energy professionals (66%) agree that attackers’ use of AI in phishing attacks has made it more difficult to determine whether emails are genuine. Cybersecurity professionals understand that neglecting AI will put them at a disadvantage, as almost half (47%) fear they will fall behind adversaries unless they harness AI.

“To further strengthen their cybersecurity, energy companies should—as a priority—broaden their efforts to secure OT and support greater security and transparency in the supply chain,” says Huistra. “They should reset and redesign cyber’s relationship with the business, take a more innovative approach to training, and build understanding of AI.”
