March 2025
FEATURES

Energy cyber priorities for 2025

DNV’s annual survey and analysis finds that even as the energy industry becomes more mature in its cybersecurity posture, it needs to continue to strengthen and adapt, to remain resilient against a growing number of increasingly sophisticated threats. 

World Oil staff  

This article highlights the findings of DNV Cyber's (DNV’s) recent, third Energy Cyber Priority report. Research for the report was carried out between September 2024 and January 2025. The research is informed by a survey of 375 energy professionals, along with in-depth interviews with leaders and experts in the field. Survey respondents represent a range of functions within the industry, including those with in-depth knowledge of cybersecurity along with general managers and C-suite executives. 

It is part of a wider survey of 1,185 professionals across critical infrastructure industries, including energy, maritime, manufacturing and healthcare. This report was developed by DNV Cyber in partnership with FT Longitude (a Financial Times company).  

ENERGY INDUSTRY IN A RACE AGAINST INCREASINGLY SOPHISTICATED THREATS 

Even as the energy industry becomes more mature in its cybersecurity posture, DNV says it needs to continue to strengthen and adapt to remain resilient against a growing number of increasingly sophisticated threats. 

Cyber threat actors are intensifying their assault on the global energy industry, says DNV. According to the International Energy Association, the average number of weekly attacks on utilities has more than doubled in the last few years [1]. High-profile attacks have compromised critical energy systems worldwide, while the U.S. National Security Agency (NSA) issued a rare urgent warning to energy operators in 2024 about a rise in pro-Russia hacktivist activity [2].

Adversaries range from state-backed hackers seeking to disable critical infrastructure, to criminal gangs focused on theft and extortion by seizing control of essential operating systems. Unintentional cyber incidents—in which negligence or human error by employees or suppliers has the effect of compromising data or network security—are also increasingly common. 

Against this backdrop, DNV Cyber’s latest research finds energy companies stepping up to the challenge and making progress in defending their organizations. They are expanding investments in cybersecurity, exploring new AI-enabled tools and nurturing a more alert, prepared workforce. 

DNV says energy businesses, including upstream operators, recognize that an increase in cyber risk is an inevitable by-product of digitalization. As digital technologies are instrumental to decarbonization and diversification, cybersecurity needs to be treated as a key enabler of the energy transition. Accordingly, this report argues that energy companies must now redouble their cybersecurity efforts to overcome five principal challenges: 

  • Securing their physical infrastructure 
  • Overcoming supply chain cyber complexity 
  • Enhancing employee vigilance 
  • Embedding new skills in the workforce 
  • Embracing AI. 

CYBER RISK CONTINUES TO GROW AND SPREAD

Fig. 1. Number of survey respondents concerned about types of threat actors by year, 2022-2024. Chart: DNV.

Cybersecurity is top of mind in the energy industry, says DNV. Approximately 65% of professionals in their research believe their leadership sees it as their organization’s greatest risk. By comparison, when DNV’s research was last conducted in 2023, just 36% described cybersecurity as a top-three business risk. 

Around three in 10 respondents (27%) say their organizations have been infiltrated by cyber attackers at least once within the last 12 months. The growing complexity of the risk is also raising concern among executives, explained DNV, particularly since the threat posed by most adversaries—including organized criminal gangs, foreign powers, malicious insiders and terrorists—is thought to have increased since 2023, Fig. 1.   

“The cybersecurity threat level is as high as it could be,” remarks Nuno Medeiros, Head of Mission Critical and CISO at Portugal’s primary electricity distributor, E-REDES. “This is due to the geopolitical context and sophisticated actors becoming more aware of how critical infrastructure and essential services are increasingly digitized and thus more exposed and prone to vulnerabilities.”

Foreign powers. In 2023, when cyber criminals launched a simultaneous attack on 22 energy companies in Denmark, they compromised large parts of the country’s energy infrastructure [3]. The attack – the country’s largest ever cyber incident – appears to have been carried out by hackers linked to Russian intelligence. In this edition of DNV’s research, three-quarters of energy professionals (75%) said that their organizations have increased their focus on cybersecurity because of growing geopolitical tensions over the last year. And 72% are concerned about the potential for attacks directed by foreign powers, up from 62% in 2023.

In mid-2024, the NSA raised an alert about hacktivists targeting vulnerable North American and European operational technology (OT) [4], referring to the hardware and software used to operate industrial machinery, equipment and infrastructure.

Organized crime. Energy professionals also consider organized cyber-criminal gangs to be a significant threat to their businesses. Some eight in 10 (79%) surveyed by DNV are alert to this threat, up from 50% in 2023. 

In the U.S., a ransomware attack in winter 2024 on ENGlobal Corporation, a contractor that works with many energy companies, illustrates the damage such incidents can cause [5]. The company was forced to take parts of its IT systems offline to respond to the attack.

Inadvertent players. The third main adversary, as highlighted by 71% of energy professionals, is the unintentional threat actor, representing human error among the workforce. Typically, this is where employees accidentally share sensitive data, use weak passwords or get duped by phishing campaigns.

On a more extreme level, it could be an engineer accessing the remote systems of a drilling rig or other critical asset and making changes without realizing he/she had logged into the wrong facility’s platform. Moreover, as energy businesses have complex supply chains and may have connected their digital infrastructure to their service providers for maintenance, they are potentially exposed to unintentional threat actors working for their suppliers and suppliers’ suppliers. 

DNV says that one saving grace of unintentional threat actors is that they are, by definition, not acting maliciously. But the survey also noted a rise in concern about malicious insiders, up from 51% in 2023 to 62% within a year.

WIDER AWARENESS OF OT VULNERABILITIES 

As well as becoming more alert to the general cyber threat, energy professionals have become more attuned to the specific risk of cyber incidents on their OT. OT security is essential, since breaches of these networks can directly cause physical safety incidents. 

In this edition of DNV’s research, 71% of respondents acknowledge that their organizations are more vulnerable to OT cyber events than ever before. That figure is up from 64% in 2023. Meanwhile, 57% say the defenses they have in place for their OT systems lag their IT defenses. 

On the positive side, DNV sees awareness of OT cyber risk translating into new investment in OT security. Although the industry remains vulnerable in several critical areas, two in three professionals (67%) say their businesses spent more on OT cybersecurity this year than they did in the year previous. This is more encouraging than in 2023, when 42% of energy professionals believed that their businesses had underinvested in OT cybersecurity. 

Fig. 2. Most professionals see advanced data analytics, AI and machine learning, remote and autonomous operations and the internet of things (IoT) as opportunities for investment in the next three years. Chart: DNV.

ENERGY TRANSITION RESHAPES ATTITUDES TOWARDS CYBER RISK 

The energy industry is on the front line of the battle against climate change, says DNV. So, as operators make efforts to decarbonize the energy mix and their operations, and seek to improve efficiencies, they are forced to embrace digital technologies.   

DNV’s 2024 Energy Industry Insights report found almost nine in 10 industry executives preparing to maintain or increase their focus on decarbonization over the next year. And half said digital technologies are playing an enabling role in their energy transition.  

In DNV’s Cyber Priority research, most professionals see advanced data analytics (83%), AI and machine learning (80%), remote and autonomous operations (80%) and the internet of things (IoT) (77%) as opportunities for investment in the next three years, Fig. 2. Each technology can help drive the energy transition, but each potentially broadens a company’s exposure to cyber risk—whether due to increased use of sensitive data, greater dependence on third-party tools and components, or the introduction of connected environments through which hackers can infiltrate from system to system.

Although digital technologies increase energy companies’ exposure to cyber risk, half (49%) of the energy professionals in DNV’s research believe their organizations should accept this additional risk as a necessary trade-off for innovation.   

For energy businesses, the priority for the years to come is, therefore, less about removing or avoiding risk, by restricting investment in new technologies, and more about getting smarter in how to detect, identify, prepare for, and respond to attacks on their IT and OT systems. The next section examines some of the challenges companies face, as they attempt to do so.  

FIVE CHALLENGES IN THE JOURNEY TO CYBER RESILIENCE 

DNV says energy companies must adopt a mindset that enables them to innovate with digital technologies while managing cyber risks with the same care and attention given to safety risks. Accordingly, there are five challenges that companies must address to achieve the required security posture. 

Challenge 1: Despite awareness of the threat, OT cyber resilience is lagging. DNV calls OT a flashpoint in the battle between the energy sector and cyber adversaries. Connecting physical infrastructure to modern IT architectures and other physical assets creates new vulnerabilities for threat actors to exploit. 

In addition, as OT is increasingly networked, there is the heightened risk that hackers infiltrating one asset can gain access to all the other physical assets in the network.   

The gap between OT and IT cybersecurity is widening. DNV says it is encouraging to see energy companies investing in OT as well as IT cybersecurity. However, many professionals acknowledge that they have a long way to go before their OT systems are secure enough. Given the risk of lengthy operational downtime and the extent of safety risks attached to OT, DNV calls this “an urgent issue.”

The digitalization of OT has increased steadily in recent decades, says DNV, but some companies do not sufficiently understand what the implications of these developments are for their cyber controls and cyber maintenance requirements. It is said that many companies today have to rely on suppliers, because the complexity of the technology exceeds their understanding.  

In this edition of DNV’s research, more than half of energy professionals (57%) said that their IT cybersecurity is more robust than their OT cybersecurity. That is significantly higher than in 2023 (27%) and 2022 (21%), when they said their OT defences weren’t as strong as their IT defences.

Concern about OT being weaker than IT may relate to more professionals now having first-hand experience of how difficult it is to upgrade the security of industrial control systems while contending with a more sophisticated adversary, noted DNV. Similarly, they may have successfully made improvements to their IT resilience within the same timeframe, without achieving similar progress for OT. 

Partial preparation leaves businesses vulnerable. Recognizing their potential to cause harm, threat actors are increasing their rate of attack on OT systems. The energy sector recorded three times as many OT and industrial control system cybersecurity incidents as the next most commonly attacked industry, according to a 2023 study by Rockwell Automation. 

Energy companies do not have full confidence in their defenses. In DNV’s research, just four in 10 (39%) energy professionals say their organization is prepared to deal with interrupted asset operations after a cyber incident. 

Challenge 2: Supply chains are increasingly complex and opaque. DNV opines that no energy business operates in isolation. In today’s industry, companies rely on multiple external partners and operate within a global supply network that has been disrupted significantly by geopolitical tensions.

According to recent forecasts, the supply chain will need to undergo further upheaval in coming years to meet decarbonization objectives. An estimated $1.2 trillion of investment in production is required by 2030 to be on track to achieve net-zero emissions by 2050. In turn, seven in 10 energy professionals researched for DNV’s Energy Industry Insights already believe that supply chain issues are slowing the pace of decarbonization. 

Compromised components. Supply chain complexity also has major implications for cyber resilience. Businesses rely on suppliers worldwide whose systems may be more vulnerable than their own and which may not detect a breach by sophisticated hackers. As such, the procuring company’s systems are also at risk of breach, once they are connected to the supplier’s systems. 

Moreover, energy companies must contend with the risk of procuring components containing software that could have been compromised before delivery.  

Many companies are endeavouring to address these issues by involving cyber teams throughout the development and procurement of new systems, software, equipment, assets and infrastructure. Just over half (53%) of these energy professionals indicate that cybersecurity issues are typically included in their procurement requirements and processes. And 71% say cybersecurity is incorporated in the early phases of new infrastructure projects, up from 69% in 2023. 

A shortfall in trust and transparency. As well as the risk of sophisticated threat actors finding new vulnerabilities to exploit throughout the extended supply chain, DNV’s research highlights a lack of transparency about cyber incidents between vendors and their customers, which potentially undermines trust and collaboration. More than a third (34%) of energy professionals suspect that their organization’s suppliers have been infiltrated by threat actors but that these breaches have not been disclosed for fear of jeopardizing contractual agreements, for example.   

While most energy professionals say that their organization would quickly share details of a breach with their stakeholders, only 56% insist unequivocally that their organization would do this. Almost two in 10 say they either don’t know whether their organization would admit to the breach or would intentionally keep it quiet.   

Challenge 3: Employee vigilance relies on outdated assumptions. DNV says that as opportunists recognize that office workers and operational teams can be tricked, human factor engineering must also play an important role in cybersecurity. As three-quarters (75%) of energy professionals agree that employees are the weakest link in their organizations’ cybersecurity, DNV says that businesses should factor this limitation into the design of their systems. 

In parallel, energy companies must remain dedicated to ensuring their staff understand what constitutes good cybersecurity, the role employees play in developing and maintaining good security posture, and how to manage cyber risk. Indeed, says DNV, generative AI’s increasingly human-sounding tone and capacity for weaving in convincing detail enables cyber criminals to launch much more convincing scams. Two-thirds of respondents (66%) agree that attackers’ use of AI in phishing attacks has made it more difficult to decide whether emails are genuine. 

Training needs to continue evolving, in line with a more sophisticated threat. Energy companies’ efforts to build a stronger cybersecurity posture have led to successes in the last few years. More than eight in 10 (84%) energy professionals agree that they know exactly what to do if they are concerned about a potential cyber threat. This figure has risen from 64% in DNV’s 2022 research. Training has been instrumental in delivering this improvement. 

New approaches required. DNV’s research suggests that energy businesses now need to increase the sophistication of their cybersecurity training. More than three in four professionals (76%) worry that, while their organization’s cybersecurity training offers adequate protection against common cyber threats, it is not advanced enough to prepare employees for more sophisticated attacks.  

The sector is overall stepping up, but there is concern that some senior leaders do not recognize how serious the issue has become. Half (51%) worry that their organizations’ senior management underestimates the speed at which cyber threat is evolving and becoming more sophisticated.   

Challenge 4: Skills gaps threaten compliance readiness. Regulators worldwide are determined to ensure the energy sector is doing its utmost to prevent disruption to energy systems and critical infrastructure. In the EU, the energy industry must contend with a significant amount of new regulation, including the Network and Information Systems Directive 2 (NIS2) (entered into force in January 2023), the EU Cyber Resilience Act (December 2024) and the Network Code on Cybersecurity in Europe (June 2024). In North America, the new NERC CIP standards cover the whole of the US, as well as parts of Canada and Mexico. Regulators in Asia and the Middle East are also tightening their scrutiny. 

Fig. 3. Most energy companies have only prepared “to some extent,” to prevent the theft of sensitive information. Chart: DNV.

Confidence despite a changing landscape. Energy executives are relatively confident that their businesses are ready for tighter oversight of their cybersecurity measures. More than three-quarters (76%) say, for example, that they have a good understanding of all the regulations with which they must comply. 

Such preparedness has not come without a cost, with regulation continuing to rank as the top driver of new cybersecurity funding across the industry. Indeed, one reason why so many energy companies regard cyber as the greatest risk they. In the EU, regulators have powers to fine energy companies up to 2.5% of their global revenues for a breach of the new Cyber Resilience Act. 

Speciality gaps cause concern. Although eight in 10 (78%) energy professionals have taken steps to prepare for heightened regulatory scrutiny, most of that group have only prepared “to some extent.” DNV sees a similar story when it comes to the measures they have introduced to prevent the theft of sensitive information, such as compliance or customer data, Figs. 3 and 4.  Progress is being made, but there is still room for improvement.  

Additionally, if one looks at the business areas that receive the most regulatory scrutiny, organizations frequently lack confidence in the strength of their cybersecurity posture. The supply chain is a particular cause of concern. Just 16% of energy professionals are very confident that their organization can demonstrate full visibility of the supply chain and any vulnerabilities.

Fig. 4. Only a plurality of energy companies have prepared “to a great extent” for heightened regulatory scrutiny. Chart: DNV.

This shortfall is not restricted to the supply chain. Just a third (32%) are very confident in their ability to provide thorough incident response and reporting. And only 35% are very confident about their encryption of sensitive data and access control. 

Challenge 5: The AI cyber arms race. Energy companies are incorporating AI tools into almost every area of their business, and cybersecurity is no exception, says DNV. A quarter of respondents say that AI has already helped their organization to strengthen its cybersecurity. Almost three in 10 (27%) are incorporating the technology into their IT cybersecurity.   

Respondents trust AI to help them keep up with the threat. Cybersecurity professionals understand that neglecting AI will put them at a disadvantage to the threat actors that are also increasingly using these tools. Almost half (47%) fear they will fall behind the adversary unless they harness AI. 

Energy companies also hope AI will give their cyber teams new efficiency and productivity gains. Notably, 47% of energy professionals are enthusiastic about the prospect of freeing up their cybersecurity teams to focus on more value-additive tasks, such as advising on procurement and new product development.   

There will be significant benefits if AI can replace some of the manual and repetitive work that cybersecurity teams must currently perform, says DNV. But human intervention, particularly for more nuanced decision-making, will still be required. Again, OT represents the dividing line here. 

Lack of understanding presents new risk. DNV says that if energy companies are going to make more use of AI in cybersecurity, they must improve their workforce’s understanding of how the technology works.  

Many respondents recognize this imperative. More than three-quarters (77%) concede that their lack of understanding of how AI makes decisions represents a risk in a cybersecurity context. There are also other challenges. Many respondents (70%) worry about integration, particularly with existing industrial systems, plus the possibility of AI tools incorrectly identifying cyber threats (69%) and the quality of their data (61%). 

ACHIEVING THE NEXT STAGE OF CYBERSECURITY MATURITY 

DNV says that to further strengthen their cybersecurity, energy companies should broaden their efforts to secure OT, take a more innovative approach to training, reset and redesign cyber’s relationship with the business, build understanding of AI, and support greater collaboration and transparency in the supply chain. DNV Cyber’s research includes encouraging signs of progress, particularly heightened awareness of the risk at board level, the growing attention being paid to OT cybersecurity, and some of the successes delivered by employee training, all of which provide cause for optimism.   

The question that needs to be asked now is how energy businesses can achieve the next stage of cybersecurity maturity in the context of the threat posed by foreign powers and criminal organizations. As the threat landscape is constantly changing, cyber teams struggle to know for certain that their defenses are a match for the growing sophistication of hackers. 

One thing that is certain is that the threat is not going anywhere, observes DNV. More than four in 10 professionals (42%) expect cyber incidents to increase in the coming months. Among the energy sub-sectors covered in the latest research, apprehension is greatest in oil and gas, where 46% expect a rise in incidents, while heavily connected renewables companies (44%) follow close behind. 

Based on the findings, DNV’s key recommendations include:

Broaden efforts to secure OT. Energy companies are increasing their efforts to secure their OT, but this work needs to accelerate, says DNV. The scale and sprawl of assets and infrastructure provide cyber attackers with multiple vulnerabilities and points of entry.

An important consideration is that threat actors are becoming more sophisticated, year-on-year, whereas physical assets have a lifespan of several decades, and their defenses cannot practically be upgraded on a regular basis. Even the years that it takes to commission and build a new facility are such that cybersecurity considerations in the design may be outdated by the time the asset comes into operation.

Take a more innovative and consistent approach to training. Covering the basics in employee training is no longer enough, says DNV. The nature of the cybersecurity threat is evolving quickly, and employees need more sophisticated advice and support. But not only is content important; delivery also matters. Energy companies that invest in more creative forms of training will reap the benefits. More proactive interventions, including test exercises and simulations, will help employers and employees alike understand their blind spots. 

Reset and redesign cyber’s relationship with the rest of the business. The shortcomings in the relationship between cybersecurity functions and other business functions in energy organizations are a disappointing finding of DNV’s research. Moving to an approach that emphasizes partnership is crucial, but it will require effort on both sides. Cybersecurity professionals need to work with the rest of the business to enable innovation and transformation, rather than to block new initiatives. Other functions must be ready to get cybersecurity involved at the early stage of projects.

Although part of the challenge here comes down to what DNV calls “soft skills,” such as persuasiveness and clear communication on the part of cyber professionals, there is also an organizational design aspect to ensure that processes and protocols align with business needs. 

Build understanding of AI to broaden use cases and protect key tools. AI technologies can deliver a double benefit for cybersecurity teams, increasing the sophistication of their risk mitigation and response, and freeing up employees’ time to spend on high-value tasks that deliver the greatest benefits. However, until cybersecurity teams feel more confident that they understand how AI works and how it arrives at decisions, they will not feel comfortable relying on such tools. 

Support greater collaboration and transparency in the supply chain. Collective action and the willingness to share information about near-misses and breaches is required to meet the growing risk of infiltration across the supply chain, says DNV. As noted, a major breach can represent a systemic risk and thus calls for wider transparency between vendors and customers. There is also a potential need for more regulatory intervention, in the case of service providers.  

Finally, DNV says cyber risk has reached a point at which energy companies should consider cyber attacks to be inevitable, regardless of the preventative measures that they put in place. Businesses will be in a stronger position to manage the cyber risk if they can build on the positive momentum of recent years by way of a renewed focus on OT security, supply chain resilience and the vigilance of their people. The firm says that, as a threat that is constantly evolving, cyber needs consistent, responsive and sustained attention from all levels of an organization.

REFERENCES 

  1. Cybersecurity – is the power system lagging behind? IEA. 
  2. Urgent Warning from Multiple Cybersecurity Organizations on Current Threat to OT Systems, NSA. 
  3. SektorCERT, The attack against Danish critical infrastructure. 
  4. Urgent Warning from Multiple Cybersecurity Organizations on Current Threat to OT Systems, NSA. 
  5. Ransomware Attack Disrupts Operations at U.S. Contractor ENGlobal, Infosecurity magazine. 
  6. Enedis reduces high-tension electrical grid outage with predictive maintenance, using supervised learning, Best Practice AI. 
  7. Synergizing Renewable Resources: HOMER-Based Case Study on Optimization of Hybrid Energy Systems, Vaibhav Tokas; Mayank Kumar. 
  8. Energy Industry Insights, Transforming through uncertainty, DNV. 
  9. Cybersecurity Incidents in Industrial Operations, Rockwell Automation. 
  10. Energy supply chains between transition and disruption, IEA. 
  11. Over two-fifths of critical infrastructure organisations have suffered a cyber breach, report finds, The Engineer. 
  12. Energy Industry Insights: Working better and faster with data, DNV. 
  13. The NIS2 Directive: A high common level of cybersecurity in the EU, European Parliament. 
  14. Cyber Resilience Act, EU Commission.
  15. https://www.acer.europa.eu/electricity/cybersecurity.
  16. Maritime Cyber Priority 2024/25: Managing cyber risk to enable innovation, DNV. 
  17. U.S. pipeline operators face compliance with new cyber security directive after Colonial Pipeline.