Michael Rosskothen - Fotolia
Norway braced for foreign AI cyber attacks on vital petroleum computing
Nordic petrostate is preparing for war and turning the spotlight on vulnerabilities in its critical industries as adversaries look for ways to damage most important oil and gas producer to the EU
Norway is braced for cyber attacks on its vital petroleum industry, after reports by its three national intelligence agencies identified “persistent and serious” threats from attackers working for Russia, China, Iran and other adversaries, made more formidable by artificial intelligence (AI).
With the head of the Norwegian police intelligence service (PST) declaring that Norway was entering an era of the greatest threat to the security of its critical national infrastructure (CNI) since the Second World War, the oil-rich nation’s three main intelligence agencies made a grave assessment of threats and vulnerabilities in the software that runs it.
Norway became more of a target for foreign military cyber operations as Europe became dependent on it for oil and gas, with supplies cut from Russia in retaliation to the Ukraine invasion.
Russia and China have been mapping Norwegian offshore industrial infrastructure, as well as digital infrastructure nationwide, infiltrating networks, supply chains and personnel, and using proxies to do their work. Furthermore, Iran is working through Swedish criminal gangs, planning terrorist attacks and destructive cyber operations. Now backed by foreign military intelligence, would-be assailants are more capable – equipped with AI, they have become more powerful.
This has made Norwegian industry vulnerable. Much of the operational technology (OT) it runs on – control systems embedded into everything from trains, dams, factories, power plants, pipelines, drills and oil rigs – uses old and insecure software, according to Risiko 2026, the annual threat assessment of the National Security Authority (NSM), Norway’s computer security agency.
“Many OT systems are built on technology that was designed without a focus on cyber security,” it said.
These systems are being brought online, exposing vulnerabilities, and foreign military is set on them: embedded software, unpatched, ill-contained, unmonitored and exposed to remote access. Poor personnel and supply chain management makes firms vulnerable to infiltration, too.
AI and data
AI and data have meanwhile become a headline story for Norway’s oil and gas industry, not as a threat or defence, but as a means of raising efficiency. Operational data, integrated with IT, combined with cloud computing and AI, have intensified the digital transformation of old industries. Oil and gas computing is a thriving sector for the Nordic petrostate.
Their warning was amplified by Havtil, the regulator to Norway’s petroleum industry, which accounts for half its exports, in a summary threat assessment it published on 12 February. It found security weaknesses in the petroleum sector like those the NSM had reported for all industry – but weaknesses in OT were not as great as the threat, it said when asked for details.
“Challenges with old OT systems are a factor within the petroleum industry,” said Havtil in a written statement. “[But] the challenge is diminishing, as most systems today are newer and more modern, and maintained with sound cyber security principles. The OT backbone is not old. Older installations are protected.”
Incidents
In 2024, just 1% of cyber incidents in Norway occurred in the petroleum sector, according to Risiko 2025. Attacks on Norwegian oil and gas were unlikely, said cyber incident centre KraftCert, in its annual report last May. The sector had always suffered few attacks, but that might change if geopolitics made Europe more of a target.
Of 21 cyber incidents that Norwegian security firm DNV Cyber tracked in Norway last year, just one was in petroleum, said Anne Wahlstrøm, its head of OT. Most attacks were by criminals, as usual. But a Russia-backed cyber sabotage on the Polish energy grid OT systems in December had tuned Norwegian ears to state threats. DNV had raised concerns. Recent DNV surveys reported increasing attacks on petroleum. Executives were worried about supply chains. A third suspected suppliers of hiding breaches.
The intelligence assessments showed that a heightened, adversarial military threat in Norway had exposed as vulnerabilities those weaknesses that cyber criminals, acting on their own, lacked the resources to exploit, said Sokratis Katsikas, director of the Norwegian Center for Cybersecurity in Critical Sectors at the Norwegian University of Science and Technology.
“The vulnerabilities were always there, but the ability of threat actors to exploit existing vulnerabilities has increased many-fold in the past five years,” he said. “Now most concerns are not about cyber criminals. [They] are hired by states. We are mostly concerned with state-sponsored attackers. They have more resources. The risk is higher.”
Supply chains
Ongoing integration of OT and IT systems was exposing the same vulnerabilities in all industrial sectors, he said. But they were not as extensive in O&G, where old equipment is not as common because technology in the sector develops fast and industry updates it quickly. But the supply chain risk was different, said Katsikas.
“We in the community have only recently started to realise how supply chains can be used to compromise security and introduce vulnerabilities into your organisation,” he said. “There are ways of dealing with that holistically, but a solution is still far away. It is not sector-specific.”
Equinor, Norway’s largest oil producer, used defence-in-depth methods to protect against cyber attacks, a spokeswoman for the state-owned firm said in a written statement, referring to a security methodology developed by the US National Security Agency that includes personnel and supply chains. It also uses Continuous Risk Management, she said, referring to another methodology that contrasts with the periodic reviews that NSM warned critical industries were doing too infrequently.
“Like other major energy companies, we operate a mix of newer and older industrial systems, [but] Equinor maintains strict segregation between IT and OT environments,” she said, adding that it has programmes to strengthen OT security, modernise systems where required, and secure interfaces with IT.
The NSM threat report had pointed out merely that “potential vulnerabilities could arise” when old OT systems were connected to the internet. That was not specific to petroleum.
Recorded incidences in oil and gas remain relatively low, despite being attacked as much as other sectors, said Jo De Vliegher, a partner at cyber consultancy Istari Global, who was praised for his handling of a cyber attack on Norsk Hydro, where he was CIO in 2019.
“The forward-looking risk picture has become more serious,” he said. But the threat was not specific to oil and gas, as had been demonstrated by recent attacks on Norwegian infrastructure. The threat assessments exemplified an attack on Norway’s Bremanger dam last year.
Transformation
The extent of ongoing IT-OT integration in the Norwegian petroleum sector, with operational data being fed to AI, was apparent as the agencies issued their warnings, when Norwegian firms made a stream of announcements about it.
IT-OT firm Cegal migrated 1.6 PB of OT data from assets in the Dutch North Sea. Industrial AI firm Cognite did a deal with US cloud data firm Snowflake. The latter launched an arm dedicated to it. Geoscience data services firm TGS renewed a seismic data contract. Industrial software firm Kongsberg Digital arranged to host its systems on Google Cloud.
AI was a major theme in statements Karl Johnny Hersvik, CEO of AkerBP, Norway’s largest private oil producer, made to financial analysts on 2025 financial results it published the day before Havtil’s threat assessment. Microsoft president Deb Cupp joined him to congratulate AkerBP for its leadership in AI. Days before, NSM had portrayed Microsoft as a national security risk.
Cloud computing was crucial to Norway, but “the market is, however, to a large extent dominated by … particularly American companies such as Amazon, Google and Microsoft”, it said. Such “foreign” cloud services weaken the integrity, availability and confidentiality of data for Norwegian firms that used them, it said, citing a collapse of Amazon and Microsoft cloud services worldwide in October.
War footing
This happened as Norway began making preparations for war, promising plans to make its digital, energy and transport infrastructure able to withstand it, not only to keep its own civil and military institutions running, but so it could host Nato forces as well.
That emerged from a Total Preparedness strategy the prime minister announced in January 2025, telling Norway it was at a turning point in its history, where a long period of peace had come to an end. Norwegians were urged to think constantly, at home and work, about readiness for a national emergency.
Norway has accelerated its cyber preparedness as well, with a law implementing the EU NIS1 Directive in October 2025, requiring businesses to take cyber security precautions; a national website to advise people and businesses on cyber security they largely neglected through ignorance, in December 2025; and a decision to implement the EU Cyber Resilience Act, requiring consumer electronics manufacturers to make their products secure, in January 2026.
Meanwhile, work began last month on turning Norway’s subsea fibre-optic cable networks into an AI-powered sensor system that can detect the threat of physical attacks on its oil and gas infrastructure.
