Energy is one of the top three industries reporting cyberattacks, and it faces specific challenges. Companies in the sector have been tackling IT security for several decades. But securing operational technology (OT)—the computing and communications systems that manage, monitor, and control industrial operations—has become a more recent and increasingly urgent challenge for the sector. As OT becomes more networked and connected to IT systems, cyber criminals can more easily access control systems operating critical infrastructure.
The Cyber Priority, a study of 940 energy industry professionals published by DNV in May 2022, revealed that the sector’s executives anticipate life, property, and environment-compromising cyberattacks on the sector within the next two years.
Companies across the industry are waking up to the more common, complex, and creative cybersecurity risks that the sector now faces. Two-thirds (67%) of energy professionals acknowledge that the shock of recent cyberattacks on the sector—such as the shutdown-inducing breach of the U.S. Colonial Pipeline company in April 2021—has driven their company to make major changes to their security strategy and systems. And three-quarters (74%) believe that cybersecurity is a significantly higher priority for their organization today than it was two years ago.
Revealing Supply Chain Cyber Vulnerability
While many companies are increasing investment in identifying where they are vulnerable to attack, as well as putting the people, process, and technology measures in place to defend their environments, DNV’s research revealed that blind spots are appearing when it comes to companies’ oversight of cybersecurity in their supply chains.
Just 28% of energy professionals working within OT say their company is making the cybersecurity of their supply chain a high priority for investment. This contrasts with the 45% of OT-operating respondents who say expenditure on IT system upgrades is a high investment priority. At the same time, just 12% of those in OT-operating companies rank vendor and supplier oversight among their core areas of maturity. The percentage is only slightly higher (13%) across all companies in the sector, and much lower (8%) in the oil and gas sector.
Energy companies can have complete oversight of their own vulnerabilities and have all the right measures in place to manage the risk, but that will make no difference if there are undiscovered vulnerabilities in their supply chain. The danger is that suppliers and equipment manufacturers lack the people, processes, or technologies to make their products and services secure. As a result, energy operators could be unaware of the vulnerabilities to which they are exposed.
Companies need to invest in the security of their suppliers. The security of technology platforms can be undermined if there are vulnerabilities elsewhere in the supply chain and cybersecurity has not been factored adequately into contracts with suppliers and subcontractors.
The widely reported Log4Shell vulnerability in a widely used Java software component is a prominent example of risk originating in a supply chain. First disclosed in December 2021, this vulnerability was discovered in a tool used in cloud servers and enterprise software globally and was present in both IT and OT. Hackers could exploit it without needing authentication or special access privileges to servers.
Companies in many sectors scrambled to install official patches and use alternative workarounds for the Log4Shell issue and to safeguard their IT/OT environments. But it is likely that many were far slower to ensure the security of their equipment vendors and system suppliers.
The Challenge of Identifying Cyber Risk in Complex Supply Chains
It can be extremely difficult for companies with complex supply chains to assess with any certainty the cyber vulnerabilities of equipment made, sold, and installed by third-party vendors. The challenge is often a lack of transparency on cybersecurity.
Achieving transparency can be hard as many suppliers and manufacturers of equipment integrated within OT systems simply lack the people, processes, and technologies to demonstrate the cybersecurity of their products and services.
Smaller vendors’ systems used to be standalone. Now, they are increasingly integrated into IT/OT systems that are connected both internally and externally, and whose elements are sourced from large and fragmented supply chains. This complexity and connectivity pose a cybersecurity challenge for energy operators and for engineering, procurement, and construction (EPC) contractors that are contractually bound to exercise oversight of cyber risk.
Supply Chain Audits and Vendor Security Requirements
Many energy companies apply standards and recommended practices to help ensure cybersecurity in implementing OT/IT systems individually and in combination. For example, DNV’s Recommended Practice DNV-RP-G108 “Cyber security in the oil and gas industry based on IEC 62443” provides best practice on how to apply the IEC international standard to the oil and gas industry.
However, companies’ assessment of cyber risks will be inaccurate if the equipment and software vendors themselves lack a complete picture of the cyber vulnerabilities of what they are supplying. Accurate cyber risk assessment is needed to write adequate cybersecurity requirements into contracts with suppliers and subcontractors.
The cybersecurity concerns raised by DNV’s findings on supply chain visibility highlight the need for supply chain audits and vendor security requirements. For energy companies, getting a comprehensive picture of internal and external risk therefore includes assessing cybersecurity service vendors as well as the cyber risk introduced by other vendors of products and services. Vendors also need to assess the cybersecurity risks they themselves pose to their customers.
Assessing Cybersecurity Services and Other Vendors
Cybersecurity legislation and industry standards struggle to keep up with the pace of cyber threat evolution. Regulations and best practice can change rapidly across and within geographical boundaries, jurisdictions, and even industries. This shifting landscape and the lack of common regulations and standards make it challenging for businesses to buy the right cyber-secure products and solutions.
Because it is hard to assess capabilities and commitments on a like-for-like basis, energy industries need internal or external experts who can anticipate and keep up with what is happening. Closing off cyber vulnerabilities that arise through the gap between OT and IT requires cybersecurity leaders with a holistic understanding of IT, engineering, and HSEQ (health, safety, environment, and quality) in the organization and specific industry.
Some of the same issues apply when assessing other types of vendor. DNV has acquired deep knowledge of these through its long record of providing domain-specific cybersecurity verification services for third-party suppliers’ components in energy infrastructure. This has involved simulating cyberattacks on industrial control systems (ICS) and IT to assess for vulnerabilities that could give hackers unauthorized and potentially malicious access to control system networks.
This insight has identified key questions for energy businesses: How can you trust the cybersecurity provisions of another company operating infrastructure, equipment, and systems for you? How can you be sure that the cyber risks of components are acceptable? For example, how can you validate vendors’ claims using recognized standards and recommended practices? What is the overall cyber risk exposure of the OT/IT? Is this risk acceptable, and have you or your contractors/vendors done everything possible to mitigate it?
Assessing Vendors’ Own Cybersecurity Risks to Customers
Vendors must protect both themselves and their customers. For example, they need to know what cybersecurity measures they must comply with when tendering for or working to contract.
Vendors should know if they can comply with the terms and conditions agreed with customers, whether they are doing so, and if not, what they are doing about it. Otherwise, a vendor could be exposed to unlimited liabilities. Ask too what your approach to cybersecurity as a vendor says to existing and potential customers. What does it say about your cyber vulnerabilities and your trustworthiness on other security issues such as data or commercially sensitive documents?
The concerns raised in DNV’s research over cybersecurity in the supply chain serve as a reminder that vendors and customers need to assess cyber vulnerabilities iteratively, rather than periodically, to ensure resilience against new and emerging cyberattack vectors.
Trond Solberg is Managing Director of Cybersecurity at DNV, an independent risk management and quality assurance provider.