DNV published The Cyber Priority report, “The State of Cyber Security in the Energy Sector”. I believe the oil, gas, and chemical (not electric) industries are leading most industries in addressing control system cyber security. The report states the research draws on a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts. The report states that 64% of the respondents develop, operate, or support operational technology (OT).
However, only 35% of the cyber security experts working with OT agreed that a cyber-attack on their organization could lead to injuries or deaths, and only 43% agreed that a cyber-attack on their organization could lead to significant damage to the environment. Additionally, only 32% of the respondents felt that failure of automation systems, and only 24% felt that physical safety incidents, injuries, and deaths, were the top concerns for their organization. The report concludes that although executives anticipate a serious incident in the global industry, they are less likely to believe that their own organization will be affected by the most extreme, life-threatening consequences of a breach. The results of this study do not represent the conclusions of most control system/safety experts. Who were these “experts” and how can the results from this report be so misleading?
Why didn’t the authors take a stronger stand about the inappropriate results? If these survey results are indicative of the value of OT cyber security training to date, it isn’t working. For the industry’s sake, I hope there is some other way to understand or explain these results.