Energy industry in arms race against complex cyberattack threats

Photo: DNV Cyber

Published

January 27, 2025

Even as the energy industry becomes more mature in its cybersecurity posture, it needs to continue to strengthen and adapt to remain resilient against a growing number of increasingly sophisticated threats, according to a new report from DNV Cyber. Growing attention is being paid to operational technology (OT) – systems that manage, monitor, and automate physical assets – as two thirds (67%) expect greater investment in the year ahead.

The energy industry is in an arms race against increasingly sophisticated cyberattack threats, the results of a survey showed. The report Energy Cyber Priority 2025: Addressing Evolving Risks, Enabling Transformation indicates companies are taking the matter seriously at the highest levels.

Two in three energy professionals (65%) say their leadership views cybersecurity as the greatest current risk to their business. More than two thirds of energy professionals (71%) expect their company to increase investment in cybersecurity this year. The authors spoke to 375 respondents from more than 50 countries.

Even as the energy industry becomes more mature in its posture, it needs to continue to strengthen and adapt to remain resilient, reads the report from cybersecurity services provider DNV Cyber.

More vulnerable to OT cyberattack risk than ever before

For example, in 2023, when cybercriminals launched a simultaneous attack on 22 energy companies in Denmark, they compromised large parts of the country’s energy infrastructure. The attack – the country’s largest-ever cyber incident – appears to have been carried out by hackers linked to Russian intelligence, the document adds.

The AI boom enables cybercriminals to launch ever more convincing scams

According to the results, 78% of energy professionals are confident their leaders sufficiently understand cyberattack risk. Employee training has delivered results, as 84% say they know exactly what to do in case of a cyber threat. Growing attention is being paid to operational technology (OT) – securing the systems that manage, monitor, and automate physical assets – as 67% expect greater investment in the segment in the year ahead.

More than two thirds of energy professionals (71%) acknowledge that their organizations are more vulnerable to OT cyber events than ever before, an increase from 64% in 2023. More than half (57%) admit that their OT defenses lag their IT defenses.

Digitalization implies greater threats

Digital technologies are essential to drive and enable the energy transition, but each potentially broadens an energy company’s exposure to cyber risk – whether due to increased use of sensitive data, greater dependence on third-party tools and components, or the introduction of connected environments through which hackers can infiltrate from system to system.

“Cybersecurity should be a priority for all players in the energy sector to achieve the climate goals and guarantee energy security, as geopolitics make the world more hostile and uncertain,” says Ditlev Engel, Chief Executive Officer of the firm’s energy systems division.

Hazards from human errors are far from negligible

One of the main adversaries, as highlighted by 71%, is the unintentional actor threat – human error among the workforce. Typically it is a case of employees accidentally sharing sensitive data, using weak passwords or getting duped by phishing campaigns. On a more extreme level, it could extend to an engineer accessing the remote systems of an oil rig or other critical asset and making changes without realizing they had logged into the wrong facility’s platform, the report explains.

If a wind turbine supplier is compromised, it affects all the sites it services

Namely, given the complexity of supply chains, companies that connect their digital infrastructure to their service providers for maintenance are potentially exposed to unintentional threat actors working for their suppliers and the suppliers’ suppliers.

“Europe doesn’t have that many wind turbine providers, so the ones that do exist provide services for multiple energy companies. If one turbine is breached on the operator end, that is manageable. But if a supplier is compromised, that would have consequences for all the sites they service and could therefore affect the whole system,” said Senior Manager for OT Cyber Security Robert Valkama from Fortum.

Three quarters of participants are concerned about the potential for attacks directed by foreign powers, up from 62% in 2023. That compares with 79% pointing to cybercriminal gangs, up from 50% in 2023. The research records a rise from 51% to 62% in cyberattack concerns about malicious insiders.

Generative artificial intelligence’s increasingly human-sounding tone and capacity for detail enable cybercriminals to launch more convincing scams. Two-thirds of energy professionals (66%) agree that attackers’ use of AI in phishing attacks has made it more difficult to determine whether emails are genuine.
