C-suite dithering is empowering hackers

It is eight years since more than 1,000 energy firms in Europe and the US were hit by malware from Russian hackers Energetic Bear. This should have made the threat of cyberattacks a priority for those running renewable energy firms.

But progress on cybersecurity in the energy industry is too slow, according to a report called ‘The Cyber Priority’ published by DNV last month.

This highlights that dithering in the C-suite is holding back energy companies from taking the right steps to tackle the threat, even if they know the risks.

This is based on a survey of 948 energy professionals carried out in February and March 2022, as well as interviews with energy leaders across the world. It comes in the wake of major cyberattacks on renewable energy firms in 2021, including Invenergy and Vestas, and the attack on Nordex in April 2022 that led the German turbine maker to delay publishing its first-quarter results.

The war in Ukraine has also increased tensions between Russia and the west, which may lead to an increase in the cybersecurity threats facing companies.

Slow to act

The report says that energy executives know the scale of the problem. Three quarters (77%) of respondents believe cybersecurity is a bigger priority than it was two years ago; that the energy industry is set to be hit by a major incident in the next two years; and the the Russian invasion of Ukraine is increasing the threat level. It also says that energy is one of the top three industries at risk.

Respondents also showed an appreciation of the range of business risks. The largest were disruption to services and operations (57%), reputational damage (42%), lost or corrupted data (41%), and financial losses (39%). Many worried about the threats to automated systems, physical infrastructure, and the lives of their employees. Recent attacks on wind companies are instructive.

In addition, 76% of respondents in the C-suite said a cyberattack on their firm could lead to “significant financial losses”. They certainly aren’t ignorant.

There was also an appreciation of the wide range of threats. Hacktivists were identified as the biggest risk (67%), followed by state-backed entities (55%), criminal gangs (53%) and vandals (51%). Those in the C-suite saw the risks differently to respondents with cybersecurity expertise, but appear informed.

Yet the report also highlighted that many companies are adopting a dangerous ‘wait and see’ approach to improving their IT and other operational systems. It is a toxic mix of complacency, confusion and being focused elsewhere.

For example, 60% said their company is more vulnerable to cyberattacks than ever, but only 44% expect to make any improvements in the coming year. One third (35%) said they would only spend time or money on improving defences after being hit by a major cybersecurity incident. Less than one quarter (22%) said their firm had been the victim of a serious breach in the last five years.

This approach is akin to investing in a strong stable door after your horse has already escaped through the rotten old one. The problem is twofold.

First, it is more difficult to invest in improving IT and operational processes at the same time as clearing up from a previous attack; and second, it may lead to suboptimal decisions that prepare you for the last attack, not the next one.

The report also warned that the people at companies making final decisions on cybersecurity tend to lack the expertise to do so, and are more likely to worry that improving business processes to guard against cyberattacks will interrupt business at usual. More worryingly, only one third (31%) said they would know what to do if they were subject to a cyberattack today.

Taking action

This is not an easy problem for companies to fix. Cyberattacks are a threat that keeps evolving and energy companies have more exposure to IT systems than ever before, with the potential vulnerabilities that brings. Cybersecurity threats can be disguised in the complex supply chains of the energy industry.

The crucial steps for companies are to allocate budgets large enough to make a difference; identify vulnerabilities in their systems; and invest both in their IT and also the operational expertise to use it safely. Inaction is not the answer -- even though, for many companies, it still appears the most popular approach.

‍