Cyber attacks against industry are accelerating in frequency and the methods used are increasingly sophisticated and creative. A new survey by DNV shows that the energy sector expects cyber attacks that may endanger life, property and the environment during the next two years.
This report, called The Cyber Priority, describes the cyber-security status in the energy sector and finds, for instance, that four out of five respondents believe that a cyber attack on the industry will lead to shutdowns and damage to energy assets and critical infrastructure. Three out of four respondents expect an attack to lead to harm to the environment, while well over half of respondents believe that lives will be lost.
STRONG GROWTH: “We’re growing rapidly and need more people both locally and internationally. We’ll soon be recruiting worldwide,” says Haakon Knudsen in DNV. Photo: TUM Studio
Cyber attacks against industry are becoming increasingly frequent and dangerous
“We can see a clear professionalization when it comes to cyber attacks. The perpetrators used to be young people doing this for fun in their bedrooms but are now authorities or professional criminals carrying out cyber attacks either for their own gain or on assignments for others,” says Knudsen.
In the worst case, it can cost billions to repair the damage caused by such an attack, but it is not only financial value that is at stake.
“Cyber attacks have started to affect the physical world. Companies have worked on IT security for several decades, but securing operational technology (OT) and data and communication systems that manage, monitor and control operations is a newer and increasingly acute challenge.
“If someone accesses a production facility’s systems, they can stop a company’s production. If things go really wrong, this may lead to accidents and personal injury.
“Examples of other vulnerable control and management systems where attacks may have fatal consequences are those related to nuclear physics, airline engines, cars and drilling rigs operated from land. Basically, everything is inter-connected by copper, fibre or radio waves,” he points out.
Major focus on cyber securityDNV has more than 20 years’ experience of providing cyber-security services and aims to grow considerably by the end of 2025.
“In 2021, we quadrupled our operations from 20 to more than 80 consultants, including by acquiring Dutch company Applied Risk, which is a specialist in industrial cyber security. We are growing rapidly so we need more local and international staff, and are soon recruiting worldwide. Just this week, we recruited employees from Singapore,” says Knudsen.
The goal of DNV as a whole is to grow 45 per cent over the next five years, while cyber security is to grow 10-15 times bigger during the same period. DNV is initially focusing on industrial cyber security, but plans to develop a holistic range of cyber-security services for all DNV customers in time.
“The background to this commitment is DNV’s desire to continue to be relevant in the future in accordance with our mission statement, which is to safeguard life, property and the environment. In addition to understanding the physical reality, we must also understand the digital reality. The digital revolution took place a long time ago and includes security systems that affect critical infrastructure,” says Knudsen.
Power centre for industrial cyber security
The first step in the plan is to build a power centre for industrial cyber security. Last year’s acquisition of Dutch company Applied Risk made this global group of companies the world’s largest player in the field of industrial cyber security.
“DNV has a unique position without any links to other market players and with technical expertise in many sectors.”“We work with everyone from the top management to the engineers on the shop floor. We really live up to our motto: ‘Cyber security for the real world’,” says DNV’s Maria Jinert Johansson. Photo: TUM Studio
So says Maria Jinert Johansson, who has been a consultant and team leader for DNV Cyber Security’s Enterprise Systems for two years. She says her working day consists of providing a lot of technical advice.
“We provide consultancy services, so everyone here is a consultant. That involves a lot of technical advice, but also more at management level. We work with everyone from the top management to the engineers on the shop floor. We really live up to our motto: ‘Cyber security for the real world’.”
She says that DNV employees work a lot with production companies and subcontractors, so that it is important to protect the entire value chain.
“Our work involves securing the entire company, which in practice can mean everything from installing a network correctly to ensuring that the right cyber-security strategy and policy have been implemented. We work among other things with production systems, platforms, ships and suchlike where there are many old systems that have only been connected to the internet in the past 20 years.”
She says that some customers come to them after discovering attacks on their systems.
“On average, it takes 280 days to discover a cyber attack and those who are attacked often do not want to talk openly about it. Globally, we see an increase in cyber attacks by state organs aimed at the energy sector and other critical infrastructure,” she says.
Seeking consultants with relevant domain expertise
To meet market needs, DNV is going to hire a lot of cyber-security experts in the near future.
“When searching for candidates, we look for those who can prove their cyber-security expertise through certification and education. It is especially valuable if they have experience in relevant areas such as the maritime, energy and critical-infrastructure sectors or production companies, and have the ability to put this in context,” says Knudsen.
He says they focus on having a good mix of consultants.
“We hire both very experienced consultants and new graduates. We try to achieve a balance, and have consultants with bachelor’s, master’s and doctoral degrees,” says DNV’s Haakon Knudsen. Photo: TUM Studio
“We hire both very experienced consultants and new graduates. We try to achieve a balance, and have consultants with bachelor’s, master’s and doctoral degrees,” he says.
“We look for those who want to help shape a growing environment and influence a developing professional area, and who rapidly want to be part of projects in a number of industries that are addressing real cyber-security challenges.
“DNV is a very flexible employer and we want to offer a good balance between work and leisure time. Even in the mainly consultant part, we try to take personal considerations into account when it comes to travelling and work relating to different time zones. DNV is big and not everyone is at Høvik, outside Oslo, but we have a kindergarten for our employees’ children there. We also provide an extra holiday week.”
Haakon himself has been employed by DNV twice.
“The only company that could get me to leave my last job was DNV. There is something special about DNV, which is an organization with an objective beyond just making a profit for its owners. The level of expertise and entire feeling of being part of a global organization that really means something to society drew me back again,” he says.
Maria tells us that she received a tip about DNV from a former colleague.
“I had a colleague at my former workplace who joined DNV, and when I was wondering whether to look for a new job this colleague said that DNV would suit me and that I should apply for a job here. That’s two years’ ago, when I was quite new to the consultancy sector and didn’t have a lot of experience. DNV suits me very well because it is a place where you can grow and learn a lot, with a lot of clever, competent employees who share their knowledge.”
According to Maria, the company offers good career opportunities.
“You can change jobs and try new things in DNV. There is also a good opportunity to acquire new domain knowledge and we are making efforts to increase our contact with other business areas. It’s a good way to get to know the company and learn new things,” she says.