The biggest cyber threats to the energy sector

The conflict in Ukraine and the race to acquire new technology are the most significant cyber threats to the Norwegian energy industry. DNV's security expert, Boye Tranum, warns about the security threats posed by cyber warfare and long value chains.

- Those who aim to gain digital access to the systems used in the Norwegian energy industry work with a long-term perspective. They are just as familiar with the systems used in Norwegian energy production as the companies themselves. They look for the easiest ways in. One way is to try to obtain login information by sending phishing emails to all employees in the company. Another is to access the core systems through backdoors that may be present in solutions from subcontractors or technicians, begins Boye Tranum, Director of Cyber Security Services at DNV.

Those seeking digital access to the systems of actors in the Norwegian energy industry are equally knowledgeable about the systems used as the companies themselves.

Boye Tranum, DNV 

The Stuxnet virus is a prime example of the cyber threats facing the energy sector. This worm was specifically developed to target Supervisory Control and Data Acquisition (SCADA) systems, which are used to control and monitor industrial processes. The virus was first discovered in 2010 after it affected the Iranian nuclear program and reportedly destroyed about 20 percent of Iran's uranium centrifuges.

SCADA falls under the umbrella term of operational technology (OT) and is used to manage, control, and monitor industrial processes. Stuxnet reprogrammed the Iranian uranium centrifuges to disable their cooling systems, leading to overheating and subsequent crashes. Subsequent intelligence suggests that Israel and the United States were behind the virus, which was programmed to self-delete on June 24, 2012. The worm exploited so-called zero-day vulnerabilities—known security flaws in software and systems that have not yet been patched.

It can explode an oil platform

- What happens if a virus causes a power generator on an oil platform to go haywire? Boye Tranum asks and answers himself,  - After a while, sparks will fly. If, at the same time, one manages to create a gas leak by opening some valves, an explosion occurs. This puts the oil platform out of operation for a very long time. This is just one of the many ways to neutralize an oil platform.

Boye Tranum is one of Norway's leading experts in cybersecurity in the energy industry. He has assisted businesses in improving their security measures for many years, particularly in the field of cybersecurity. He has also led several independent preparedness assessments for oil and gas operators. In addition, he has worked on cybersecurity for the Petroleum Safety Authority Norway and has co-authored various cybersecurity reports for DNV, including "Cyber Priority 2023."

Increasing digital threats

Norwegian businesses are increasingly facing digital security threats. It is challenging to assess one's security status, determine protection against attacks, and enhance digital security levels. The energy sector, comprising power producers, utility companies, and oil and gas companies, is particularly vulnerable. Numerous actors, including criminal networks and nations, aim to steal technology. Moreover, the energy sector is responsible for critical parts of the country's infrastructure, making it an attractive target for cyberattacks.

Countries such as Russia, China, North Korea, and Iran are among those warned against by the Norwegian National Security Authority (NSM). Russia has engaged in activities against the energy and defense sectors for years. Today, Russia concentrates its cyber activities on Ukraine. NSM warns of cyber activities linked to economic gain, espionage, and sabotage.

Boye Tranum warns against long value chains and highlights that many suppliers are typically involved in various projects. He emphasizes that undetected vulnerabilities along the supply chain can completely undermine a company's internal cybersecurity efforts.

In the final phase of a project, when everything is being integrated, and production is about to commence, there is a particularly high susceptibility to security incidents. "At that point, there is very little control over what is happening. It can be easy to introduce malware," says Tranum, adding:

Small and medium-sized businesses are also susceptible to hacker attacks. Some of them provide small and specialized systems that can serve as a backdoor into the main systems controlling critical components.

Boye Tranum, DNV 

Difference between "safety" and "security"

Tranum also highlights the difference between safety culture and security culture:

"In the energy sector, there is a good safety culture, but I am unsure whether the security culture is equally strong." He cites an example from North Sea oil platforms, which are designed based on safety principles. There are two valves for redundancy and to prevent leaks, but both valves are controlled by the same system and the same computer.

"A significant number of security mechanisms in the energy sector are controlled by IT that can be compromised. Thus, external parties can take control of security barriers. This is a serious design flaw."

DNV's security director also points out the difference between IT (information technology) and OT (operational technology, systems that control machinery and installations). While updating IT with the latest security software is relatively straightforward and low-risk, implementing the latest security patches for OT is complex and often costly.

"To update an OT solution, you must shut down the system and stop production. Updating OT requires much more effort and expense. Therefore, there is a significant gap between each update," Tranum explains.

Subjected to ransomware attack

DNV itself was hacked in January 2023. The ransomware attack locked the servers of ShipManager, a fleet management system. Around 70 customers with a total of approximately 1,000 ships were affected.

- It is not embarrassing to be hacked. It happens to many. The important thing is to have systems in place to handle being hacked, to have backups, and the ability to restore the systems quickly, says Tranum.

Tranum offers the following security advice to businesses in the energy sector:

- Establish a persistent security culture with rules and procedures for everything that can affect security. When a technician needs to enter and upgrade a system, they should not have unrestricted access. There must be rules for how it should be done. You cannot just unlock the door and let the person in, concludes Boye Tranum, Director of Cyber Security Services at DNV.