More energy company boards are becoming increasingly aware of the ever-growing cybersecurity threats that their infrastructures face, but are they doing enough now to thwart potential attacks?

The results of a DNV survey of energy professionals around the world, released in the “Energy Cyber Priority 2023” report, serve as a wakeup call for the entire industry. As it undergoes digital transformation to improve safety, increase efficiency and decarbonize through increased electrification with the aid of renewables, the vast majority (89%) of energy professionals responding to DNV’s survey believe cybersecurity to be a prerequisite.

Seven in 10 respondents say they take cybersecurity as seriously as they do physical health and safety, but DNV believes that more work is required before energy companies can confidently say they treat cyber as seriously as safety.

“If you walked onto a site in the energy industry without a hard hat, you would be stopped from working immediately,” said Jalal Bouhdada, DNV’s global segment director for cybersecurity. “On the other hand, if a business identified a vulnerable application, would it be remediated and fixed at the same speed? Despite increasing awareness, the answer is often ‘no.’”

Despite board-level awareness of cyber risk, energy professionals are concerned that investment is not flowing at the levels required to address the issue. Less than half of energy professionals (42%) think their organization’s current level of investment is sufficient to ensure the resilience of their operational assets and infrastructure. Just one in five agrees strongly that enough investment is being made.

“It’s worth asking whether there is indeed a shortage of budget for cybersecurity being made available, or whether it is not being used effectively and teams are consequently made to look for additional funds,” Bouhdada said. “For other companies, the concern is that, while energy companies accept that cybersecurity risk is on the increase, they don’t think an attack is something that will happen specifically to them and don’t dedicate enough budget.”

Today, just one in three (36%) energy professionals are confident their organization has invested enough in operational technology for cybersecurity, with 59% saying that they are investing more in security this year than they did in the previous 12-month period.

Will increased regulation be the key to boosting investments at energy companies? Almost half of respondents (49%) said changing requirements is one of the factors most likely to unlock increased budget at their organizations, making it the most cited factor overall.

In the United States, the Department of Energy is continuing to work on the National Cyber-Informed Engineering Strategy, a bipartisan plan to raise standards. The Securities and Exchange Commission, meanwhile, proposes to require public companies to disclose whether their boards have cybersecurity expertise.