Norway braced for foreign AI cyber attacks on important petroleum computing


Norway is braced for cyber attacks on its important petroleum industry, after reports by its three national intelligence agencies identified “persistent and severe” threats from attackers working for Russia, China, Iran and other adversaries, made more formidable by artificial intelligence (AI).

With the head of the Norwegian police intelligence service (PST) declaring that Norway was entering an era of the greatest risk to the security of its critical national infrastructure (CNI) since the Second World War, the oil-rich nation’s three main intelligence agencies made a grave assessment of threats and vulnerabilities in the software that runs it.

Norway became more of a target for foreign military cyber operations as Europe became dependent on it for oil and gas, with supplies cut from Russia in retaliation for the Ukraine invasion.

Russia and China have been mapping Norwegian offshore industrial infrastructure, as well as digital infrastructure nationwide, infiltrating networks, supply chains and personnel, and using proxies to do their work. Additionally, Iran is working through Swedish criminal gangs, planning terrorist attacks and harmful cyber operations. Now backed by foreign military intelligence, would-be assailants are more capable – equipped with AI, they’ve become more powerful.

This has made Norwegian industry vulnerable. Much of the operational technology (OT) it runs on – control systems embedded into everything from trains, dams, factories, power plants, pipelines, drills and oil rigs – uses outdated and insecure software, according to Risiko 2026, the annual risk assessment of the National Security Authority (NSM), Norway’s computer security agency.

“Many OT systems are built on technology that was designed with no focus on cyber security,” it said.

These systems are being brought online, exposing vulnerabilities, and foreign militaries are set on them: embedded software, unpatched, ill-contained, unmonitored and exposed to remote access. Poor personnel and supply chain management makes companies vulnerable to infiltration, too.

AI and data

AI and data have meanwhile become a headline story for Norway’s oil and gas industry, not as a risk or defence, but as a means of raising efficiency. Operational data, integrated with IT, combined with cloud computing and AI, have intensified the digital transformation of old industries. Oil and gas computing is a thriving sector for the Nordic petrostate.

Their warning was amplified by Havtil, the regulator of Norway’s petroleum industry, which accounts for half its exports, in a summary risk assessment it published on 12 February. It found security weaknesses in the petroleum sector like those the NSM had reported for all industry – but weaknesses in OT were not as great as the risk, it said when asked for details.

“Challenges with outdated OT systems are a factor within the petroleum industry,” said Havtil in a written statement. “[But] the challenge is diminishing, as most systems today are newer and more modern, and maintained with sound cyber security principles. The OT backbone is not outdated. Older installations are protected.”

Incidents

In 2024, just 1% of cyber incidents in Norway occurred in the petroleum sector, according to Risiko 2025. Attacks on Norwegian oil and gas were unlikely, said cyber incident centre KraftCert, in its annual report last May. The sector had always suffered few attacks, but that could change if geopolitics made Europe more of a target.

Of 21 cyber incidents that Norwegian security firm DNV Cyber tracked in Norway last year, only one was in petroleum, said Anne Wahlstrøm, its head of OT. Most attacks were by criminals, as usual. But a Russia-backed cyber sabotage on the Polish energy grid OT systems in December had tuned Norwegian ears to state threats. DNV had raised concerns. Recent DNV surveys reported increasing attacks on petroleum. Executives were worried about supply chains. A third suspected suppliers of hiding breaches.

The intelligence assessments confirmed that a heightened, adversarial military risk in Norway had exposed as vulnerabilities those weaknesses that cyber criminals, acting on their own, lacked the resources to exploit, said Sokratis Katsikas, director of the Norwegian Center for Cybersecurity in Critical Sectors at the Norwegian University of Science and Technology.

“The vulnerabilities were always there, but the potential of threat actors to exploit existing vulnerabilities has increased many-fold in the past five years,” he said. “Now most concerns are not about cyber criminals. [They] are employed by states. We’re largely concerned with state-sponsored attackers. They have more resources. The chance is greater.”

Supply chains

Ongoing integration of OT and IT systems was exposing the same vulnerabilities in all industrial sectors, he said. But they were not as extensive in O&G, where outdated equipment is not as widespread because technology in the sector develops fast and industry updates it quickly. But the supply chain threat was different, said Katsikas.

“We locally have only recently started to understand how supply chains can be used to compromise security and introduce vulnerabilities into your organisation,” he said. “There are ways of dealing with that holistically, but a solution is still distant. It’s not sector-specific.”

Equinor, Norway’s largest oil producer, used defence-in-depth methods to protect against cyber attacks, a spokeswoman for the state-owned firm said in a written statement, referring to a security methodology developed by the US National Security Agency that includes personnel and supply chains. It also uses Continuous Risk Management, she said, referring to another methodology that contrasts with the periodic reviews that NSM warned critical industries were doing too infrequently.

“Like other major energy companies, we operate a mix of newer and older industrial systems, [but] Equinor maintains strict segregation between IT and OT environments,” she said, adding that it has programmes to strengthen OT security, modernise systems where required, and secure interfaces with IT.

The NSM risk report had pointed out merely that “potential vulnerabilities may arise” when outdated OT systems were connected to the internet. That was not specific to petroleum.

Recorded incidents in oil and gas remain relatively low, despite the sector being attacked as much as other sectors, said Jo De Vliegher, a partner at cyber consultancy Istari Global, who was praised for his handling of a cyber attack on Norsk Hydro, where he was CIO in 2019.

“The forward-looking threat picture has become more serious,” he said. But the risk was not specific to oil and gas, as had been demonstrated by recent attacks on Norwegian infrastructure. The risk assessments gave as an example an attack on Norway’s Bremanger dam last year.

Transformation

The extent of ongoing IT-OT integration in the Norwegian petroleum sector, with operational data being fed to AI, was apparent as the agencies issued their warnings, when Norwegian companies made a stream of announcements about it.

IT-OT firm Cegal migrated 1.6 PB of OT data from assets in the Dutch North Sea. Industrial AI firm Cognite did a deal with US cloud data firm Snowflake. The latter launched an arm dedicated to it. Geoscience data services firm TGS renewed a seismic data contract. Industrial software firm Kongsberg Digital arranged to host its systems on Google Cloud.

AI was a major theme in statements Karl Johnny Hersvik, CEO of AkerBP, Norway’s largest private oil producer, made to financial analysts on 2025 financial results it published the day before Havtil’s risk assessment. Microsoft president Deb Cupp joined him to congratulate AkerBP for its leadership in AI. Days before, NSM had portrayed Microsoft as a national security threat.

Cloud computing was essential to Norway, but “the market is, however, to a large extent dominated by … particularly American companies such as Amazon, Google and Microsoft”, it said. Such “foreign” cloud services weaken the integrity, availability and confidentiality of data for Norwegian companies that used them, it said, citing a collapse of Amazon and Microsoft cloud services worldwide in October.

War footing

This occurred as Norway began making preparations for war, promising plans to make its digital, energy and transport infrastructure able to withstand it, not only to keep its own civil and military institutions running, but so it could host Nato forces as well.

That emerged from a Total Preparedness strategy the prime minister announced in January 2025, telling Norway it was at a turning point in its history, where a long period of peace had come to an end. Norwegians were urged to think constantly, at home and work, about readiness for a national emergency.

Norway has accelerated its cyber preparedness as well, with a law implementing the EU NIS1 Directive in October 2025, requiring businesses to take cyber security precautions; a national website to advise people and businesses on cyber security they largely neglected through ignorance, in December 2025; and a resolution to implement the EU Cyber Resilience Act, requiring consumer electronics manufacturers to make their products secure, in January 2026.

In the meantime, work started final month on turning Norway’s subsea fibre-optic cable networks into an AI-powered sensor system that may detect the specter of bodily assaults on its oil and gasoline infrastructure.