Energy Industry Lags Behind Financial Services in Cybersecurity Preparednes

The energy sector itself is the second most immature industry with respect to enterprise security programs, said Jim Guinn, who leads IT Security, Privacy and Risk for PwC's energy sector, in an interview with Rigzone. PwC found in its research that the energy sector lags far behind global financial services in cybersecurity preparedness, but is slightly better than the manufacturing sector in this area.

The entire energy industry spectrum, from offshore drilling to midstream to refining, face risks from cyberattackers. Guinn pointed to the growing awareness of malware being found on offshore rigs in media sharing applications or general internet accessibility. It’s not a far leap to say it could negatively impact networks.

The industry is moving towards mobile and cloud computing, but business is moving faster than IT capabilities in the security space, with technologies being deployed and then secured afterwards, Bass told conference attendees.  The PwC survey found that 43 percent of oil and gas respondents report using cloud computing, and 56 percent say the technology has improved their security. However, only 25 percent of survey respondents include provisions for cloud in their security policy.

The fact that oil and gas companies are investing significant capital and trying to quickly establish exploration operations or midstream infrastructure in a basin or play makes companies vulnerable to security incidents due to gaps or blind spots in security.

“When you’re moving at a fast pace, you may or may not have thought everything through in terms of supply chain, asset management and interconnectivity,” Guinn told Rigzone.

The increasing competitive nature of shale plays creates potential exposures for some oil and gas companies, with multiple bad actors looking to harvest data or infrastructure information or trying to damage a brand.

The surface area of attacks also has broadened due to the greater interconnectivity of oil and gas companies with partners, suppliers and customers. The interconnectivity of the entire energy continuum, with partnerships and supply chains, means companies have to worry not only about their own networks, but the networks of other companies connected to them, Bass noted. In some cases, companies are not being directly attacked, but targeted through the SCADA systems and operating systems that belong to joint venture partners or supply vendors who had interconnectivity with the targeted company.