Spurred in part by geopolitical, regulatory and hacktivist concerns, companies are spending more on cybersecurity this year than in the past, according to a new DNV report.
Cybersecurity has moved from being largely a technology risk to a business risk, particularly in the energy sector, prompting companies to increase investments. Even so, there is a disconnect between the perception of investment level—and sense that money is being spent on the right things—depending on the role of the respondent surveyed for DNV’s “Energy Cyber Priority 2023: Closing the Gap between Awareness and Action.”
Jalal Bouhdada, DNV’s global segment director for cyber security, told Hart Energy prior to the report’s release that the level of innovation in the energy sector has brought many opportunities, but also created cyber risk.
“The industry can definitely battle those bad guys and ensure that our infrastructure and critical infrastructure will remain safe and reliable for the future,” he said.
The recipe for cyber-resilience calls for understanding risk, communications and collaboration, he said.
Withstanding an attack starts with getting the basics right, he said.
“You cannot protect what you don’t know. That’s the first thing. Understand your risk profile. Understand your weaknesses, and prioritize what matters most,” he said.
With clear visibility about assets and their associated risks, he said, companies can set up cybersecurity programs that mitigate those risks. And training for breaches can help companies respond quickly should an attack be successful, he added.
“It's really about how you respond to this type of incident. You have the capacity, you have the support, you have also the speed and the training and the readiness to be able to restore your operation and keep your business up and running,” Bouhdada said.
Companies have shifted their view of cyber threats, he added. Cyberattacks can harm people, assets and the environment, causing financial repercussions.
“There is a sense of urgency from companies as this topic becomes a business risk and not necessarily just a technology risk,” he said. “The boards and senior management are becoming more nervous about this, and they are seeing that, ‘Hey if we don't do anything, then we can be the next victim.’”
Survey says
In the report, 77% of respondents agreed that their organization treated cybersecurity as a business risk.
For DNV’s second annual Energy Cyber Priority report, respondents reported higher geopolitical and hacktivist concerns this year than they had before Russia invaded Ukraine in February 2022. Before the invasion, 65% surveyed were concerned about attacks from hacktivists and 57% were wary of malicious foreign powers and state-sponsored actors.
Following the invasion, hacktivism concerns rose to 71% and state-sponsored fears were up to 63%. Those concerns subsided slightly in 2023, with 69% reporting being concerned about hacktivists and 62% about foreign attacks.
But C-suite and operations level respondents had a slight disconnect in how they viewed their organizations cybersecurity response: 74% of C-suite and 67% of operations employees reported that their company’s focus on cybersecurity had increased due to growing geopolitical tensions in the past year. In the C-suite, 87% thought geopolitical uncertainty had made their organization’s more aware about potential cybersecurity vulnerabilities for their OT systems, compared to 71% at the operations level.
DNV said that 59% of energy professionals surveyed said their organization is investing more in cybersecurity in 2023 compared with last year.
“We are seeing really that there is a transition from knowledge, or being aware of the issue, to moving into action,” Bouhdada said.
At the same time, there is concern that the money is not being spent efficiently, he said.
He said some respondents did not believe the investment was enough, while a portion did not think resources were being wisely allocated. This indicates there may be “a lack of efficiency in how those budgets and resources are used,” he said.
According to the report, 49% of respondents thought their companies would devote more funding to cybersecurity to meet changing regulatory requirements. Another 38% thought an incident or near-miss within the organization would prompt funding, while 34% thought an incident or near-miss that affected another organization in the sector would fuel further funding.
Respondents were nearly even on whether leadership or customer pressure would lead to great funding, with 29% seeing internal impetus leading to more spending and roughly a quarter saying customer interests would.
Less than a quarter — 24% — told the survey that a clearer assessment of weaknesses and vulnerabilities would lead to additional funding. Such assessments are commonly considered one of the most important steps in cyber defense.
The where matters
The report also indicated that the location of an organization influenced the approach toward cybersecurity. At 64%, Asia-Pacific companies were more likely to respond that cybersecurity was considered at every stage of the lifecycle of the organization's assets and infrastructure. That compares with European companies at 52%, the Americas, 48%, or those in the Middle East and Africa at 45%.
“The risk profile and appreciation for, and also the culture for cybersecurity is not the same in different regions,” Bouhdada said, noting some regions are compliance and regulations driven while others are based more on risk.
No matter what drives an organization’s approach to cybersecurity, Bouhdada said security should be addressed holistically and for the long term.
“Cybersecurity is really a continuous effort,” he said. “There is always the need for more investments and funding, because this ecosystem is becoming more complex and the sophistication of attack is increasing.”
Recommended Reading
Minerals Market Growing But Needs More Scale, Consolidation
2024-05-15 - The market value of public minerals and royalties companies has doubled since 2019—but the sector needs to grow even larger to attract generalist investors into the fray, experts say.
ONEOK CEO: ‘Huge Competitive Advantage’ to Upping Permian NGL Capacity
2024-03-27 - ONEOK is getting deeper into refined products and adding new crude pipelines through an $18.8 billion acquisition of Magellan Midstream. But the Tulsa company aims to capitalize on NGL output growth with expansion projects in the Permian and Rockies.
Sitio Royalties Dives Deeper in D-J with $150MM Acquisition
2024-02-29 - Sitio Royalties is deepening its roots in the D-J Basin with a $150 million acquisition—citing regulatory certainty over future development activity in Colorado.
Elk Range Royalties Makes Entry in Appalachia with Three-state Deal
2024-03-28 - NGP-backed Elk Range Royalties signed its first deal for mineral and royalty interests in Appalachia, including locations in Pennsylvania, Ohio and West Virginia.
Daugherty: Diamondback Scales Up Amid Consolidation Super Cycle
2024-03-11 - It’s time for the strongest among the services sector to follow Diamondback's lead: find fortifying prey and hunt.