Accounting for ~ 50% of the world’s energy consumption, there is a lot that distinguishes the Oil & Gas industry (O&G) from other sectors. But when it comes to information security, it is like any other convergence of operational and informational data: increasingly exposed to cyber-attacks.
The O&G’s upstream, midstream, and downstream lifecycles are complex and have plenty of opportunities for threat actors to cause harm. Three main cyber security concerns for the O&G industry are stemming from digital transformations and organizations should recognize and approach them diligently:
1- Remote access communication combined with lack of security awareness
The possibility of working remotely has had a hugely positive impact on the safety and work conditions of O&G employees. But ironically, it also attracts entirely new dangers: if employees can access and monitor equipment remotely, so can hackers through those same means.
That’s why working remotely needs to be matched with stricter cyber security standards and an increased awareness of cyber threats. But there seems to be a general disregard for this fact: a Deloitte report revealed that even during years when almost three-quarters of American O&G companies suffered a cyber incident, cybersecurity still wasn’t a major concern within the industry.
Failing to recognize the importance of cybersecurity gives attackers the first-move advantage. 43% of significant cyber breaches affecting O&G in 2018 originated from a lack of end-user awareness exploited via phishing. Cybersecurity training and awareness, regardless of seniority or area of specialization of employees, needs to be reinforced throughout the enterprise.
2- On- and off-shore connections
The O&G industry requires onshore and offshore facilities to collaborate, prompting the connection between rigs, refineries, and headquarters via open communication – and exposing production equipment to network-related vulnerabilities.
Threat actors target such networks to acquire data relating to field plants, IIoT, and reservoir information. And when primary threat actors are nation states and corporate espionage groups that are very advanced in what they do… it becomes extremely challenging to safeguard from them.
But while not every risk can be mitigated, it’s important to know what they are and what type of controls are in place to focus on improving efforts. Conducting a maturity assessment is, therefore, paramount. Cyber security programs have to be broader, encompassing ‘security’ concerns just as much as ‘vigilance’ and ‘resilience’ oriented efforts.
While risk appetite and maturity levels vary, there are a few pillars for cyber risk transformation in an ICS environment that every O&G company should have in place, such as those listed by Deloitte in a comprehensive 2017 report.
3- Vulnerable software, outdated systems, and lack of cybersecurity budget
Having been around since the 19th century, the O&G industry has of course evolved and refined its processes through time. However, old machinery and outdated systems are still the norm globally. And that can be a problem.
Although cyber threats are now being taken into consideration by developers, outdated systems may not be equipped to handle newer issues. Many installations on the Norwegian continental shelf, for example, are designed to have a lifetime of 15-20 years, and a number of these have already been made to operate for longer. This means that a lot of the equipment and software in use today is outdated and not well adapted to current digital vulnerabilities.
The O&G industry must adapt to the demands of digitization, but keeping up with cybersecurity requires a dedicated budget -something the industry seems to fall short of.
Energy companies spend less than 0.2% of their revenue on cybersecurity, which is 3 times less than financial providers and banks. This might be a reverberation of the 2015-2016 oil price crisis, when cost cuts left cybersecurity out of the priority list. But meanwhile, hackers were becoming increasingly inventive and bolder. Projects to strengthen networks and systems against cyber-attacks didn’t receive the necessary attention or funding then -and still don’t today. It’s time to catch up.
#
Written by Paula Magal for CS4CA USA – the leading Cyber Security Summit dedicated to America’s Critical Industries.
