Presented by:

Hart Energy E&P

This article appears in the E&P newsletter. Subscribe to the E&P newsletter here.

The widely publicized cyberattack on Colonial Pipeline in April 2021 left many energy companies feeling vulnerable. While cyberattacks are certainly not a new form of rattling companies and twisting their arms to net profits, the Colonial Pipeline attack sent a clear message: It doesn’t matter how big or important the company is; everyone is susceptible to cyber threats.

Recently, the energy industry has become one of the most targeted, and vulnerable members of the sector are scrambling for ways to protect themselves.

It was this fear and need for preparation that led risk management provider DNV to acquire Applied Risk, an industrial cybersecurity specialist, with the goal of combating future cyber threats and defending other vulnerable sectors.

Joining forces

Liv Hovem, DNV, Accelerator
Liv Hovem, CEO of DNV, Accelerator, said the acquisition of Applied Risk was a natural fit due to the companies' shared values and culture. (Source: DNV)

“DNV has developed a new strategy to support our company’s purpose of safeguarding life, property and the environment,” said Liv Hovem, CEO of DNV’s Accelerator. “Our vision is to be a trusted voice in tackling global transformations, and the two biggest transformations affecting our customers are the digital transformation and the energy transition. As industry continues to digitalize, ensuring the security of cyber-physical systems will become an increasingly important topic for our customers. That’s why DNV is making significant investment in helping our customers build a powerful force of defense against cyberattacks.

“We also have the vision of tackling the most important global transformations," she said. "The two biggest transformations are the digital transformation and the energy transition.”

In a Nov. 24 press release, DNV announced the merger as part of an effort to expand its portfolio of services.

“Applied Risk’s experts will join forces with DNV’s cybersecurity specialists, who work with governments, corporations and industrial operators to keep projects and operations secure,” the release stated. “DNV provides real-world cybersecurity expertise to some of the world’s most complex infrastructure projects, helping customers identify their cyber risks, build a powerful force of defense against threats, recover from attacks and win stakeholder trust and support.”

Since the growing number of cyberattacks allows companies like Applied Risk to flourish and DNV had been looking to acquire companies that would make them more accessible, Hovem said, it was a natural fit.

“Applied Risk came up as one of the thought-leaders, well-respected, well-driven companies that we saw we had the same values [and] similar culture with,” she continued. “When we started talking, on both sides we easily acknowledged the fit, and so that’s the reason for [the acquisition].”

Avoiding new attacks

“Cyberattacks generally are becoming more common, complex and creative; we can read that in the papers every day,” Trond Solberg, managing director of cyber security at DNV, told E&P. “The frequency of industrial cyber-attacks will increase in the coming years, with potentially disastrous consequences causing threat to life and the environment.”

According to Solberg, with challenges such as the pandemic, oil and gas producers have been moving their control systems online, allowing them to work remotely. As helpful as this is, however, he said it opens the systems up to new attacks that hadn’t previously been as harmful.

Trond Solberg, DNV, cyber security
According to Trond Solberg, managing director of cybersecurity with DNV, cybersecurity is an investment that will not separate companies from competitors but keep them on par with them. (Source: DNV)

“IT environments have faced information security threats and active attacks for several decades already, while industrial control systems have traditionally been kept in secure silos, physically separated from IT networks. This picture is now changing. When you put your control systems online, you expose it to cyber security threats” he continued. “Industrial control systems are frequently put online now, and that is a tremendous change in the exposure to threats. And their security, to be honest, has not been followed up as it should.”

Solberg said this is something everyone needs to do.

“Everyone needs to have focus on the security of their control systems. It’s no longer something you do for an upside, it is now a necessity to stay competitive,” Solberg added. “Everyone needs to jump on this.”

Next steps

Hovem and Solberg agreed that the company’s approach going forward was to continue protecting their existing customers and grow their customer base as well as possibly delve into developing cybersecurity technologies.

“For now, we have more capacity to deliver for our customers. We can deliver a richer context to our clients because our projects are not usually purely cyber security projects,” Hovem said. “It’s a richer request that clients might have, and the training in detection and prevention, how to set up our barriers, our safety systems, etc., are linked together, so a richer environment in which we deliver cyber security is a benefit. And we will have even more capacity eventually.”