The oil and gas industry is highly sensitive and any interference with its smooth operations may result in tremendous economic losses. As such, the management of the industry must comply with security requirements to ensure that they are safeguarded from cybersecurity threats.
Regulatory and Compliance Issues Related to the Oil and Gas Industry
Security Status of Oil and Gas Industry
The Department of Energy's 2018 multi-layer plan shows that nation-state actors have increasingly targeted energy industry infrastructure. A report by the Director of National Intelligence released in 2015 showed that cybercrime activities are aimed at gaining remote control of industrial control grids.
The report by the Director of National Intelligence showed that energy and utility industries spend approximately $27.62 million every year to protect themselves from cybercrime activities. The Ponemon Institute released a report titled “The State of Cybersecurity in the Oil and Gas Industry: The United States” in February 2017. The findings included:
- 35% of the participants said that the operational technology environment is cyber-ready
- 68% of the participants admitted that their operations had at least one security compromise
- 59% reported that operational technology was at higher risk than information technology
- 67% of the participants said that the risk to industrial control systems rose significantly over the past few years
- 61% believe that industrial control system protection and security was ineffective
- 65% of these individuals believe that negligence by insiders presents the largest security threat
- 15% believed that criminal insiders presented risks that reduced the value of advanced monitoring
- 41% monitor all their infrastructure regularly
- 46% of cyber-attacks on operational technology went undetected
- 68% of the participants believe that security analytics play a significant role in achieving a stronger security posture
What are the Exploits and Security Breaches that Threaten the Oil and Gas Industry?
While digitizing the energy sector is necessary for efficiency, it exposes the industry to cyber-attacks. The industry uses the Internet of Things to connect smart gas, water, and transportation systems, which further exposes those systems to criminals. At the same time, the industry’s supervisory control and data acquisition (SCADA) environment may have outdated systems and insecure software, which invite cyber-attacks.
In most cases, an attack on the operational technology environment goes undetected, which may disrupt operations and lead to economic losses. Also, minimal knowledge and a lack of awareness among employees lead to incomplete infrastructure security tasks. This trickles down to the industry's failure to invest in security infrastructure, thus compromising its security systems. The data that is highly at risk includes product information as well as exploratory information.
How Digitizing the Oil and Gas Industry Increases Security Risks
Digitizing the processes in the industry exposes them to numerous security threats. While updating operational technology to align with the Internet of Things is crucial, the industry mostly uses insecure legacy systems.
Also, digitization increases the number of vendors in the supply chain, which further increases the risks. The introduction of the SCADA system allowed the oil companies to monitor operational technologies using a sensor. However, the SCADA system was not designed to incorporate information technology networks. As such, when the companies integrate the IT networks, they are subjected to more security threats due to the lack of necessary features to protect against external intrusions.
Security Challenges with Connecting Operational Technology and Information Technology
These connections increase the number of vendors, consequently posing a security risk to the company. The complexities of ransomware and the cybersecurity gaps make the connection of the Industrial Internet of Things (IIoT) to Industrial Control Systems relatively challenging. This was clear in 2017 when WannaCry attacked numerous systems. Nation-state actors are keen to control global politics through fear, but the rise of technology makes the oil and gas sector highly critical. The connection of IIoT to IT creates a primary loophole in the cybersecurity protection systems.
How to Effectively Secure the IIoT and IT Environment Connection in the Energy Sector
The initial step in securing the oil and gas industry involves engaging a risk mitigation strategy. The high number of vendors complicates the security systems. As such, all the parties involved should understand the vulnerabilities and risks that should be resolved to stabilize the energy sector. Here are a few suggestions to secure the IIoT, IoT, Information, and Operational data:
- Make a list of:
  - Information assets
  - Applications and systems linked to the IT system
- Define all the risks to the IT environment: software, networks, vendors, devices, and systems
- Review Service Level Agreements to guarantee supply chain security
- Develop controls to protect your networks, systems, and applications
- Monitor the IT environment for effectiveness
How Technology Simplifies Security-First Compliance for the Energy Sector
Technology apps help in continuous monitoring of the effectiveness of applications and networks without having to handle bulk information. They also help in mapping controls to NIST and ISO 27001, which would be cumbersome if done manually.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.