Oil and gas operations run across multiple countries at any given time. This industry typically involves many different nation states, and information technology has provided a convenient platform for data and operational sharing in real time.
However, with the increased connectivity of oil and gas operations comes the risk of cybersecurity attacks. Oil and gas companies rely on Operational Technologies (OT) to keep track of performance, identify maintenance issues, and interact with customers or suppliers. Therefore, the threats that can occur against OT systems are widespread. They can affect not only oil and gas companies but also the public.
Understanding and mitigating these risks will help the oil and gas industries maintain safe and effective operations moving forward.
Operational Technologies and IT: Where The Risks Arise
Oil and gas companies rely on Operational Technologies to power their daily operations. However, OT systems tend to become outdated when compared to the current state of IT infrastructure. Cybersecurity threats can evolve in an instant, and OT systems are not always capable of keeping up. The most recent Ponemon report (2017) revealed that 68% of companies in the oil and gas industry had experienced at least one cybersecurity breach, while 46% of threats tend to remain undetected.
These surprising numbers show that while IT systems may be monitored to protect data, oil and gas companies are still susceptible to risk from their operational systems. Furthermore, because many threats remain undetected, the actual figure could be much higher than 68%.
The Unique Challenges That OT Systems Face
Because OT systems are both hardware and software based, they tend to have a longer lifecycle in oil and gas operations. For example, systems such as programmable logic controllers (PLCs) and distributed control systems (DCSs) can last 15 to 20 years, while enterprise IT systems tend to evolve every 3 to 5 years.
This disparity in lifecycles is what poses a unique challenge to OT systems as compared to IT infrastructure. Also, the cost and complicated installation process of OT systems make it almost impractical to update these systems regularly.
Risks Caused By The Internet Of Things
The internet of things has made it possible for devices to communicate with each other via the IT environment. Nowadays, many different sensors and cameras are used in the oil and gas industry to collect and transmit data in real time. This data is then used to adjust variables such as temperature, pressure, operational efficiency, and much more.
However, as data moves back and forth between OT and IT systems, there are many vulnerable points where threats can occur. Securing the IoT environment is a complicated task that affects many different industries, including oil and gas.
What About Your Workforce?
Employees are often targeted in cybersecurity attacks. From phishing scams to ransomware attacks, the credentials of your workers can cause damage when they end up in the wrong hands. In the oil and gas industry, attacks arising from employee mistakes can affect your business financially, legally, and reputationally.
Critical operational infrastructure may also be affected by cybersecurity threats. And because oil and gas operations span borders, the extent of liability you may end up facing can be quite high.
How Can Risks In The Oil And Gas Industry Be Mitigated?
Now that you’re aware of the main risks affecting oil and gas operations, how can you ensure that you don’t fall victim to cybersecurity threats? Here are four essential steps that can help you secure both your OT and IT systems from attack.
- Start with assessing potential risks
Even before you dive deeply into the specifics of securing your operational systems, start by evaluating the risks your company faces. Have conversations across departments to identify all physical and data assets that may be at risk of external threats.
- Establish a mitigation plan
Once top threats have been identified, the next step is to develop a risk mitigation plan. Most risks affect IT systems such as software, networks, and devices. However, the oil and gas industry also needs to pay attention to infrastructure that supports the OT environment. In other words, all potential weak spots that can be used to access the OT network also need to be identified and secured.
- Monitor the OT environment continuously
After all potential risks are mitigated, you also need a plan for continuously monitoring your OT environment. This will ensure that OT and IT systems don’t intersect within an uncontrolled data environment.
As previously mentioned, OT systems tend to evolve at a slower pace than IT infrastructure, and keeping a fully shared network may expose both systems to risk. In other words, your company should keep IT infrastructure from easily migrating to OT systems.
The Importance Of Management In Implementing Cybersecurity Oversight
Many oil and gas companies tend to focus on other types of risk highlighted in the media, such as environmental and energy consumption risks. This often results in management teams made up of people with engineering and finance backgrounds, usually at the expense of IT professionals. Having management personnel with an understanding of cybersecurity threats can help in many ways. For example, oil and gas businesses can better understand how data breaches may cause chemical, engineering, and environmental risks.
The fact that many Boards (of Directors) lack IT professionals is another cybersecurity risk. Simply put, the oil and gas industry should work towards hiring more cybersecurity professionals. Because IT and OT systems now work hand in hand to facilitate industry growth, companies can no longer afford to push data security to the side.
Having someone whose dedicated responsibility is to monitor and respond to data risks can be of significant benefit to your oil and gas operations. And because coming across experienced and qualified cybersecurity professionals is becoming increasingly difficult, the oil and gas industry should create open communication channels between industry specialists and data security experts.
Author Bio
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.