The scale and impact of cyber-attacks on the oil & gas industries are rising exponentially due to an expanding network of digital platforms which creates a vast attack surface. Without adequate preventative strategies, the energy industry is vulnerable to future threats. A new playbook from the World Economic Forum defines a set of industry guidelines to enable a sustainable, resilient digital future for the energy sector.
An expanded cyber risk and threat landscape
Imagine the impact of a cyber-attack that shuts down a major North American pipeline supplying the east coast of the US during Christmas and New Year’s season. Or criminals gaining access to gas distribution systems during one of the coldest winters in Europe, shutting down the heat to more than 100 million households. Or adversaries penetrating a factory’s computer system causing pressure sensors to malfunction, halting production, and risking a large-scale environmental incident.
Even though these scenarios sound like they come from the latest action movie, the disturbing reality is that it’s not a matter of if any of these situations will come true – it’s when.
Cybersecurity failure, including cyber threats and vulnerabilities, is identified as a top short-term business challenge for most organizations in the World Economic Forum Global Risks Report 2021. As the oil and gas industry’s digital transformation exposes all aspects of its businesses to increased cyber risks, companies become increasingly vulnerable to emerging cyber threats. Cybersecurity becomes even more difficult to ensure in an expanding digital threat landscape and complex global industrial environment.
To overcome market pressures, adapt to the energy transition and succeed in this new operating environment, the industry’s future increasingly depends on digitally connected OT to control physical energy assets – such as gas compressors and offshore drilling equipment – with IT applications to optimize data that turns a company’s operations into an interconnected network. Executives, managers and industry stakeholders view the digital transformation of the process to run, manage and collect data from physical energy assets and plant operations as the key enabler to reduce costs, improve efficiency and reduce emissions.
We are living in a time where all digital systems are highly interconnected. As digital platforms connect an ever-expanding virtual network of households, vehicles, offices, factories, energy grids and oil rigs, we witness an increasing number of attack attempts. While cyber-attacks are nothing new, what is different now is the sophistication of these attacks and the scale of their impact, which is directly related to the scale of digital transformation of the energy sector.
“As one of the world’s most sophisticated and complex industries makes a multifaceted transition – from analogue to digital, centralized to distributed and fossil-based to low-carbon – managing cyber risk and preventing cyberthreats are quickly becoming critical to company value chains,” notes the World Economic Forum in their recent whitepaper on cyber resilience for the oil and gas sector.
Better to be proactive than reactive
To address cyber risk across the oil and gas industry, board executives must act to secure industrial operating environments from the increasing threat of cyber-attacks with new policies and processes. Energy companies must balance the competitive advantage of digitizing their industrial operating environment with greater exposure to malicious cyber threats seeking to disrupt operations for financial gain or other nefarious motivations, such as geopolitical conflict or terrorism.
If an organization has the industrial experience in securing a wide variety of physical assets, along with ground-breaking digital platforms, what else can they do to be cyber resilient?
Wars, including this new kind of cyber war, are not won with brilliant military strategists, the best-trained soldiers and most experienced special ops personnel alone. To win, you need secure supply lines, the best intelligence operations, committed allies, and informed and engaged citizens.
Challenges for being cyber resilient
Energy companies should make cybersecurity a core competency of their organization and place it at the center of the future oil and gas business model. However, most oil and gas businesses are not accustomed to thinking of themselves as digital companies and therefore lack the cybersecurity technologies, systems, personnel and protocols to protect industrial operating environments.
In many cases, companies face challenges with internal cyber hygiene as systems are interconnected but the responsibility is siloed or shared across many partners with diverse priorities. Companies also face challenges with aligning IT and OT departments, managing interoperability with proprietary technologies and engaging with trusted third parties so that every connected device is protected. While this is necessary to achieve a sector-wide cybersecurity approach, it is difficult to execute.
The six principles of cyber resilience
The World Economic Forum suggests six principles to help boards at oil and gas companies mature their approach to cybersecurity. They are designed to guide board members through the process of cultivating a corporate culture that assesses and manages cyber risk. These sector-specific principles are supplemented by the ten broad cyber-resilience principles developed by the Forum that can be applied to any organization.
Figure 1: World Economic Forum’s Cyber Resilience Principles. Source: World Economic Forum
Besides defining the cyber resilience principles for oil and gas companies, the World Economic Forum provides guidelines on implementing these principles. To implement these principles and fully realize their benefits, cyber resilience must not be an afterthought but must be embedded into an organization’s culture and incorporated into all business processes.
The importance of cybersecurity culture
Establishing a diverse, security and safety-first culture is critical not only to building cyber resilience but also to enabling the industry’s digitalization. Running relevant, up-to-date, and engaging awareness programs builds robust defensive layers. The nature of culture and awareness can help us today, and more importantly, create necessary capabilities for tomorrow.
This isn’t a simple undertaking, but as the old wartime adage goes, “The more you sweat in peace, the less you bleed in war.” We need to do the hard work to build a culture where all the layers are working together, sharing knowledge and information. Oil and gas industries need to transform their security policies from a central and poorly scalable structure to a distributed defensive structure focused on supporting and protecting people, the environment, and assets.
How ITEGRITI can help
Cyber resilience is an essential part of due diligence when conducting business in the oil and gas sector. Both within enterprises and as a sector overall, businesses in the oil and gas industry need to develop their cyber resilience further to protect the safety and reliability of their services. Fostering strong cyber resilience will reduce risk across the oil and gas industry and enable automation and digitization to continue improving efficiencies and enhancing reliability in competitive supply chains.
ITEGRITI approaches Critical Infrastructure cybersecurity through our “Reliability Through Cybersecurity Resilience™” model. To operate, organizations require the reliability of their information technology systems and IT/OT managed assets. Well-designed cybersecurity programs defend against and withstand most attacks, but these programs should also address demands for business continuity, information protection, and crisis communications. Oil & Gas companies should inventory their technology assets, apply additional protections to their business-critical systems and sensitive information, reduce their attack surface, assess and improve their cyber hygiene, and ensure they have both preventative and detective controls in place that are part of an ongoing internal assessment program, as untested controls will atrophy. ITEGRITI designs and implements programs that can help oil & gas companies avoid hacks, detect breaches when they occur, minimize business disruption during a cybersecurity event, and reduce incident recovery time.