The survey results of the 2022 DNV energy cyber security report are grossly misleading

May 25, 2022
DNV published The Cyber Priority report, “The State of Cyber Security in the Energy Sector”. I believe the oil, gas, and chemical (not electric) industries are leading most industries in addressing control system cyber security. The report states the research draws on a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts. The report states that 64% of the respondents develop, operate or support operational technology (OT). However, only 35% of the cyber security experts working with OT agreed that a cyber-attack on their organization could lead to injuries or deaths, and only 43% agreed that a cyber-attack on their organization could lead to significant damage to the environment. Additionally, only 32% of the respondents felt that failure of automation systems, and only 24% felt that physical safety incidents, injuries, and deaths, was a top concern for their organization. The report concludes that although executives anticipate a serious incident in the global industry, they are less likely to believe that their own organization will be affected by the most extreme, life-threatening consequences of a breach. The results of this study do not represent the conclusions of most control system/safety experts. Who were these “experts” and how can the results from this report be so misleading? Why didn’t the authors take a stronger stand about the inappropriate results? If these survey results are indicative of the value of OT cyber security training to date, it isn’t working. For the industry’s sake, I hope there is some other way to understand or explain these results.

DNV published their May 2022 Cyber Priority report, “The State of Cyber Security in the Energy Sector” (https://brandcentral.dnv.com/fr/gallery/10651/others/71df599ee2594699a6b6970dc82e6566/71df599ee2594699a6b6970dc82e6566_low.pdf). The Cyber Priority draws on insight from the following individuals: Jalal Bouhdada, Founder and Chief Executive Officer, Applied Risk; Shaun Gregory, Executive Vice President and Chief Technology Officer, Woodside Energy; Stian Nordby, Operations Manager – Digital Services & Innovation Center, TechnipFMC; Margrete Raaum, Chief Executive Officer, KraftCERT; Andre Ristaino, Managing Director of Automation Standards, International Society of Automation; Leo Simonovich, Vice President and Global Head of Industrial Security and Digital Security, Siemens Energy; and Trond Solberg, Managing Director, Cyber Security, DNV. According to the report, the research draws on a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts. It was developed and created by DNV and Longitude (a Financial Times company). Fieldwork was conducted between February and March 2022. Respondents were based across Europe, the Americas, the Middle East and Africa, and Asia Pacific. They included publicly listed companies and privately held firms, spanning energy industry services, power transmission and supply, renewables, and oil and gas. I believe the process industries that include oil, gas, and chemicals (not electric) are leading most industries in addressing control system cyber security. The report states that 64% of the respondents develop, operate or support operational technology (OT). So, how can the results from this report be so misleading?

The report defines operational technologies (OT) as the computing and communication systems used to manage, monitor, and control industrial operations. There is a category called “cyber security expert working with OT”. I don’t think there is much confusion that the cyber security personnel responsible for the networks are considered to be working with OT. However, the control system engineers, the instrument engineers and technicians, the electrical engineers and technicians, the safety engineers, and the maintenance engineers and technicians are often not considered, by themselves or by others, to be involved with OT. How many of these individuals were part of this report? From the results, it doesn’t appear that many of these people were surveyed, even though the report said that 64% of the respondents develop, operate or support OT.

The report is focused on cyber-attacks rather than cyber incidents that can include malfunctions (unintentional events). This is important because a sophisticated attacker can make a cyber-attack appear to be an equipment malfunction (see Stuxnet and Triton). Additionally, most cyber events in the energy industry (as well as other sectors) that cause physical impacts are unintentional, or at least start that way.

The report has a table that recorded the level of agreement with these two statements:

A cyber-attack on my organization could lead to injuries or deaths:

- 30% of all respondents working with OT

- 35% of cyber security experts working with OT

- 29% of C-suite respondents working with OT

A cyber-attack on my organization could lead to significant damage to the environment:

- 34% of all respondents working with OT

- 43% of cyber security experts working with OT

- 29% of C-suite respondents working with OT

Who are these “cyber security experts working with OT” who don’t feel a cyber-attack could lead to injuries or environmental impacts?

The table “Cyber-attack consequences that respondents see as top concern for their organization” is truly enlightening. The results were:

- Disruption of services/operations: 57%

- Reputational damage: 42%

- Lost or corrupted data: 41%

- Financial losses (including theft, lost opportunities, etc.): 39%

- Failure of automation systems: 32%

- Loss of control of physical assets: 30%

- Intellectual property theft: 29%

- Customer data theft: 27%

- Damage to equipment, machines, buildings, vehicles, or infrastructure: 27%

- Physical safety incidents, injuries, and deaths: 24%

- Losses via extortion or ransom: 19%

- Environmental damage or contamination: 16%

Asked to specify the cyber-attack consequences they see as a top concern for their organization, respondents point first to disrupted services and operations (57%), reputational damage (42%), lost or corrupted data (41%), and a corresponding hit to profits (39%). These aren’t operational or safety issues. In comparison, just 32%, 27%, 24% and 16% of respondents, respectively, describe failure of automation systems, equipment damage, loss of life, and environmental damage as top concerns. How is it possible that more than 75% of the respondents felt that loss of life and environmental damage from a cyber-attack weren’t top concerns for their organizations? These results are inexplicable to anyone responsible for reliable and safe facility operations. The report concludes that although executives anticipate a serious incident in the global industry, they are less likely to believe that their own organization will be affected by the most extreme, life-threatening consequences of a breach.

My database has identified more than 200 control system cyber incidents in the process industries including injuries and deaths, destruction of facilities, and significant environmental damage. Given the Texas City and Buncefield control system cyber incidents as well as the Stuxnet and Triton attacks, how can so few respondents acknowledge the concerns that control system cyber incidents can cause injuries or lead to equipment damage and environmental releases? To me, the only logical answer is that most people still view cyber-attacks as just impacting IT and OT networks, not damaging facility equipment or injuring people.

The report drew parallels between the oil and gas industry’s adoption of physical safety protocols in the 20th Century and the state of cyber security in today’s energy sector. The report stated: “To end on a note of optimism, we would note that, when the industry focused on solving the safety challenge, it made extraordinary progress. Within a relatively short period of time – implemented global standards, improved its ways of working and use of technology, and embedded a safety-first mindset across the entire workforce. The report authors believe that a similar transformation is not only achievable in the field of cyber security but will also be essential for the industry to meet its longer-term challenges around energy transition and digitalization.” I am not as optimistic, as more than 75% of the respondents felt that loss of life from cyber-attacks was not a top concern for their organizations. Additionally, there is no cyber security in the process sensors, actuators, analyzers, valve positioners, etc. These are the devices that can blow up facilities or cause major environmental damage, yet they are not being addressed (https://www.controlglobal.com/blogs/unfettered/critical-infrastructure-cyber-security-is-broken-process-sensors-continue-to-be-ignored/). There is on-going work in ISA84.09 (process safety and cyber security) addressing those issues, but that information obviously did not make its way into this report. Issues such as the separation of Basic Process Control Systems (BPCS) and Safety Instrumented Systems (SIS) did not appear to be addressed, as there is still significant pushback, for economic reasons, against keeping control and safety separate.

The report concludes that “our research finds some organizations making real progress toward cyber resilience, protecting their crown jewels while keeping pace with the threat. More worryingly, we also see a proportion of respondents waiting for a major incident to happen before investing in essential improvements to their defenses.” Given the failure to address key control system issues and the grossly inappropriate responses to the questions the study posed, I am not comfortable with the progress made by the process industry (or any other industry for that matter) even though I believe the major players in the process industry are leading most other industries on control system cyber security.

Conclusions

The results of this study do not represent the conclusions of most control system/process safety experts. Either there were very few “cyber security experts working with OT” participating in the survey, or there were far too many people calling themselves “cyber security experts working with OT” who are dangerously clueless when it comes to control system cyber security and process safety. In either case, the results are questionable, to say the least. The organizers responsible for selecting the survey respondents should have been capable of selecting the right people. Obviously, they weren’t. As a result, the authors should have taken a strong stand about the inadequacy of the survey results. If these results are indicative of the value of OT cyber security training to date, it isn’t working. For the industry’s sake, I hope there is some other way to understand or explain these results.

Joe Weiss