The survey results of the 2022 DNV energy cyber security report are grossly misleading

DNV published The Cyber Priority report, “The State of Cyber Security in the Energy Sector”. I believe the oil, gas, and chemical (not electric) industries are leading most industries addressing control system cyber security. The report states the research draws on a survey of 948 energy professionals and a series of in-depth interviews with industry leaders and security experts. The report states that 64% of the respondents develop, operate, or support operational technology (OT).

However, only 35% of the cyber security experts working with OT agreed that a cyber-attack on their organization could lead to injuries or deaths and only 43% agreed that a cyber-attack on their organization could lead to significant damage to the environment. Additionally, only 32% of the respondents felt that failure of automation systems, and only 24% felt that physical safety incidents, injuries, and deaths were the top concerns for their organization. The report concludes that although executives anticipate a serious incident in the global industry, they are less likely to believe that their own organization will be affected by the most extreme, life-threatening consequences of a breach. The results of this study do not represent the conclusions of most control system/safety experts. Who were these “experts” and how can the results from this report be so misleading?

Why didn’t the authors take a stronger stand about the inappropriate results? If these survey results are indicative of the value of OT cyber security training to date, it isn’t working. For the industry’s sake, I hope there is some other way to understand or explain these results.

Control Systems Cybersecurity Expert, Joseph M. Weiss, is an international authority on cybersecurity, control systems and system security. Weiss weighs in on cybersecurity, science and technology, security emerging threats and more.