On an industry basis, our survey reveals that energy firms in particular are struggling with cybersecurity, with only 35% saying their organization is well-positioned to take on the threats of tomorrow, compared to 48% of all other industries. Additionally, they are more likely than other industries to take a “wait until technology is tried and tested” approach and to cite the failure to prioritize emerging technology integration as the biggest internal cybersecurity challenge.
Only 22% are satisfied with their non-IT workforce’s adoption of best practices.
“The energy industry has ramped up investment in cybersecurity in recent years. Its status as critical national infrastructure has led to tightening regulatory and compliance pressures to ensure resilience against attacks and failures,” says Clinton Firth, EY Global Cybersecurity Lead, Energy. The pressure to transition to renewable energy is forcing a shift from legacy operational technology toward more distributed networks, including through the Internet of Things (IoT). Cybersecurity technology offerings have improved significantly, helping energy firms efficiently identify vulnerabilities and develop key controls like privileged access management, threat detection and response.
However, the industry has major structural challenges. Oil and gas companies are global, but cybersecurity standards and regulations are localized. Cybersecurity functions often struggle to collaborate effectively with plant managers who control the operational assets, and original equipment manufacturers and legacy operational technology environments are obstacles to change.
“In the last few years, a number of energy companies have been investing similar amounts in cyber to financial services, but they have more fragmented IT environments,” says Alam Hussain, EY EMEIA Cybersecurity Leader. “Energy companies are spider-like. It’s difficult to put in solutions that cover all areas of cyber risk.”