Oslo, 22 January, 2025 – Energy companies are taking cyber threats seriously at the highest levels, as two in three energy professionals (65%) say their leadership views cybersecurity as the greatest current risk to their business, according to new research on the state of cybersecurity in the energy sector. More than two thirds of energy professionals (71%) expect their company to increase investment in cybersecurity this year.
According to the latest Energy Cyber Priority report from DNV Cyber, energy companies are making progress in cybersecurity. This includes greater awareness at leadership level, with 78% of energy professionals confident their leaders sufficiently understand cyber risk. Successes have been delivered by employee training, as more than eight in 10 (84%) say they know exactly what to do if they are concerned about a potential cyber threat. Growing attention is being paid to operational technology (OT) cybersecurity – securing the systems that manage, monitor, and automate physical assets – as two thirds (67%) expect greater OT security investment in the year ahead. Challenges remain, however, as the energy transition creates new attack surfaces and as threat actors become more sophisticated.
Digital technologies are essential to drive and enable the energy transition, but each potentially broadens an energy company’s exposure to cyber risk – whether due to their increased use of sensitive data, greater dependence on third-party tools and components, or the introduction of connected environments through which hackers can infiltrate from system to system.
“Achieving the energy transition is central to society at large. The whole energy sector – companies and governments alike – are working together on this massive challenge, which is increasingly complex because the technologies underpinning the transition are largely digital and scaling rapidly. With this comes cybersecurity risks,” says Ditlev Engel, CEO, Energy Systems at DNV. “Cybersecurity should be a priority for all players in the energy sector to achieve the climate goals and guarantee energy security, as geopolitics make the world more hostile and uncertain.”
The energy transition is making cyber risk unavoidable, and this is reshaping attitudes in the energy industry, as half (49%) of energy professionals believe their organizations should accept additional cyber risk as a necessary trade-off for innovation.
Of the 375 energy professionals surveyed globally for the research, three-quarters (75%) report that their organization has increased focus on cybersecurity because of growing geopolitical tensions over the last year. Some 72% are concerned about the potential for attacks directed by foreign powers, up from 62% in 2023. Eight in 10 (79%) are concerned about the threat from cyber-criminal gangs, up from 50% in 2023. The research records a rise in concern about malicious insiders, up from 51% in 2023 to 62% this year.
“Even as the energy industry becomes more mature in its cybersecurity posture, it must continue to strengthen and adapt to remain resilient against a growing number of increasingly sophisticated threats. From attacks on supply chains, recruitment of malicious insiders, and the use of AI, adversaries are upping their game and the energy industry needs to keep up,” says Auke Huistra, Director of Industrial and OT Cybersecurity at DNV Cyber.
DNV Cyber’s new report Energy Cyber Priority 2025: Addressing Evolving Risks, Enabling Transformation argues that energy companies must double their cybersecurity efforts to overcome five principal challenges:
- securing physical infrastructure
- overcoming complex cybersecurity supply chains
- enhancing employee vigilance
- embedding new skills in the workforce
- embracing AI.
Connecting physical infrastructure to modern IT architectures and other assets creates new vulnerabilities. Recognizing the potential to cause harm, threat actors are increasing their attacks on OT systems, with the potential to directly cause physical safety incidents. More than two thirds of energy professionals (71%) acknowledge that their organizations are more vulnerable to OT cyber events than ever before, an increase from 64% in 2023. More than half (57%) admit that their OT defences lag their IT defences.
Supply chains are a major worry for energy companies as threat actors go to suppliers and sub-suppliers to gain access to companies operating large assets. Around half (53%) of energy professionals indicate that cybersecurity issues are typically included in their procurement requirements and processes. Just 16% are very confident that their organization can demonstrate full visibility of the supply chain and any vulnerabilities, and more than a third (34%) suspect undisclosed breaches among their suppliers.
Employee vigilance continues to rise, but adversaries are constantly changing their approach and targeting employees with more sophisticated tactics. Three quarters of energy professionals (76%) worry that their organization’s cybersecurity training is not advanced enough to prepare for more sophisticated attacks. Skills and knowledge gaps are also an issue, as half (46%) of energy professionals say a lack of skills and talent is making it more challenging for their organizations to secure their organizations.
Generative AI’s increasingly human-sounding tone and capacity for detail enables cyber criminals to launch more convincing scams. Two-thirds of energy professionals (66%) agree that attackers’ use of AI in phishing attacks has made it more difficult to determine whether emails are genuine. Cybersecurity professionals understand that neglecting AI will put them at a disadvantage, as almost half (47%) fear they will fall behind adversaries unless they harness AI.
“To further strengthen their cybersecurity, energy companies should – as a priority – broaden their efforts to secure OT and support greater security and transparency in the supply chain,” says Huistra. “They should reset and redesign cyber’s relationship with the business, take a more innovative approach to training, and build understanding of AI.”
Cyber Priority
DNV Cyber’s Cyber Priority research explores the changing attitudes and approaches to cybersecurity in key industrial sectors. The latest edition of the research for 2024/25 draws on a cross-sector survey of more than 1,150 professionals and interviews with industry leaders. Research was conducted between September 2024 and January 2025.
The report Energy Cyber Priority 2025: Addressing Evolving Risks, Enabling Transformation explores the views of 375 energy professionals who responded to the survey, complemented by in-depth interviews and analysis from DNV Cyber experts and industry leaders, including from E-REDES, Siemens Energy, Fortified Technologies, and Fortum.
The report Maritime Cyber Priority 2024/25: Managing Cyber Risk to Enable Innovation explores the views of almost 500 maritime professionals who responded to the survey, complemented by in-depth interviews and analysis from industry leaders and DNV Cyber experts.
For media enquiries, please contact:
Christian Parker
Brand and Communications Manager, Cybersecurity and digital health
christian.parker@dnv.com
+47 93 03 29 25
Neil Slater
Head of Media Relations, Energy Systems DNV
+44 (0) 7876 578 353
About DNV Cyber
DNV Cyber is a leading cybersecurity services provider. We empower businesses with complex needs to become safer and more resilient with tailored solutions. Our global team of more than 500 experts brings over 30 years of IT and operational technology security experience to your business, helping you breathe easier and perform better.
We identify, prioritize, and communicate risk, guide you through regulations, and align your cybersecurity with your business goals. We bring you technology and threat insight, help you to secure cyber investments, and implement cost-effective security control measures. We detect and respond to threats, ensuring continuous improvement and quick recovery.
We ask questions and listen, speaking your industry’s language. We collaborate and share insights, setting industry standards and delivering best practice. We safeguard your critical, enabling your business to thrive.
DNV Cyber was formed by merging Nixu, Applied Risk and DNV in 2024.
About DNV
DNV is an independent assurance and risk management provider, operating in more than 100 countries, with the purpose of safeguarding life, property, and the environment. As a trusted voice for many of the world’s most successful organizations, we help seize opportunities and tackle the risks arising from global transformations. We use our broad experience and deep expertise to advance safety and sustainable performance, set industry standards, and inspire and invent solutions.
In the energy industry
DNV provides assurance to the entire energy value chain through its advisory, monitoring, verification, and certification services. As the world’s leading resource of independent energy experts and technical advisors, the assurance provider helps industries and governments to navigate the many complex, interrelated transitions taking place globally and regionally, in the energy industry. DNV is committed to realizing the goals of the Paris Agreement, and supports customers to transition faster to a deeply decarbonized energy system.
Learn more at: www.dnv.com/cyber/
