By Shaun Reardon
![]() |
Companies in industrial sectors such as energy, maritime and manufacturing have been tackling IT security challenges such as the Colonial Pipeline attack for several decades. But securing operational technology (OT) ― the computing and communications systems used to manage, monitor and control industrial operations ― is a more recent and increasingly urgent issue.
As OT becomes more networked and connected to IT systems, attackers can more easily access control systems operating critical infrastructure.
Realizing the consequences that DarkSide's ransomware attack could have on the safety of operations, the Colonial Pipeline Company shut down the largest fuel pipeline in the U.S. It caused a brief shortage of gasoline and other petroleum products on the country's east coast.
The emerging threat of more common, complex and creative cyberattacks is one facing all sectors with industrial operations. It is now possible for attackers ― which include foreign powers, terrorists, competitors and criminal gangs ― to disrupt energy supply in a power grid, access a ship's navigation system, destroy a windfarm and disable the safety systems in pipelines.
For example, a large cruise vessel had to be towed into port after losing the availability of several important OT systems in 2019. This happened in the heavily trafficked Singapore port area as a ransomware attack penetrated through the vessel's IT network to the loading and stability systems.
Risks to OT security are now emerging to the extent where industrial sectors including manufacturing, energy and transportation appear among the top 10 most attacked industries in 2021, according to IBM X-Force.
Companies with industrial operations are waking up to the threat. A study of 940 energy industry professionals, published by DNV in May, found that more than four-fifths believe a cyberattack on the industry is likely to cause operational shutdowns (85 percent) and damage to energy assets and critical infrastructure (84 percent) within the next two years. Three quarters (74 percent) expect an attack to harm the environment, while more than half (57 percent) anticipate it will cause loss of life.
The key risk is safety. Industrial fail-safe mechanisms designed for an offline world may have unknown vulnerabilities that could see them undermined if they are not protected against cyberattacks.
DNV's report, titled "The Cyber Priority," revealed that while some energy organizations are making real progress toward cyber resilience, preventative action is lagging the growing threat.
There is still a strong signal that the energy industry and other industrial sectors need to make urgent investments to ensure that cybersecurity incidents do not become the cause of future safety incidents.
Six in 10 C-suite level energy executives acknowledge, for example, that their organization is more vulnerable to attack than ever before, but far fewer (44 percent) expect to make urgent improvements in the next few years to prevent an attack. And more than a third (35 percent) say their business would need to be impacted by a major incident before it would spend any more time or money on its defenses.
It is concerning to find that some energy firms may be taking a "hope for the best" approach to cybersecurity rather than actively addressing the threat.
This draws parallels to trends in the industry's physical safety practices, where it took tragic incidents, such as the 1988 Piper Alpha oil platform explosion in the North Sea and the 2010 Deepwater Horizon oil spill in the Gulf of Mexico, for the sector to prioritize and institutionalize safety protocols, standards and regulations. There is no reason why a similar transformation cannot be achieved in the field of cybersecurity.
The challenge with managing these industrial cybersecurity risks is that there are not enough best practices available to guide operators, suppliers, manufacturers and regulatory authorities in building an effective force of defense.
We are already seeing industrial players come together to develop technical best practices, such as the IEC 62443 standards for cybersecurity in operational technology in automation and control systems, and DNV's Recommended Practices (RP) for its applications in the energy and maritime industries.
Describing 45 risk-reducing measures ― covering people, processes and technology ― our DNV-RP-0575 provides guidance to companies operating, managing and securing existing power grid substations. For ships and mobile offshore units in operation, DNV's RP-0496 gives guidance on cybersecurity management.
In parallel with collaboration to develop best practices, progress is also being made to tighten standards and regulatory oversight in specific industrial sectors. For example, the International Maritime Organization introduced a new cyber risk management code providing a framework for cyber resilience last year. And the International Association of Classification Societies (IACS) will oblige shipyards to build cybersecurity barriers into their systems and vessels from Jan. 1, 2024.
But as industrial sectors emerge among the top targets for cyberattacks, they now need to go further in taking collective and proactive action against the threats. Never has it been more important for companies and authorities to come together to share knowledge, create best practices and develop new standards in the fight against industrial cybercrime.
Shaun Reardon is customer success director of Cyber Security, DNV, an independent assurance and risk management provider operating in more than 100 countries.