BLOG: What Oil, Gas Needs in Cybersecurity Hires
A little over a week ago, I sat and listened to leaders from prominent oil and gas companies discuss what they were doing – and could be doing better – to combat cybersecurity threats within the Operational Technology (OT) environment at their organizations.
A February report by the Ponemon Institute, based on results from a survey of almost 400 U.S. individuals responsible for managing cyber risks in the OT environment, stated that 68 percent of respondents said their organization experienced at least one cyber compromise and 61 percent said their organization’s industrial control systems protection and security is not adequate.
So, what to do?
It’s not like the oil and gas industry is unaware of its cybersecurity challenges. Attacks are becoming more frequent and can be quite costly for companies.
Just one-third of respondents believe there is full alignment between OT and IT with respect to cybersecurity operations. Sixty percent said they do not have enough staff; 45 percent said they have the internal expertise to manage cyber threats in the OT environment.
“The need [for cybersecurity professionals] is tremendous, given the recent board level focus given to cyber risk,” Susan Peterson Sturm, director, cyber product marketing and strategy, for Honeywell Process Solutions, told Rigzone. “Recruitment is a very big deal with several of the majors naming a designated cybersecurity engineer that is part of the plant staff.”
With respect to cyber readiness, 41 percent of respondents said their organizations are in the early to middle stage of maturity, meaning many OT cybersecurity program activities haven’t been planned or deployed, or they have been planned and defined but only partially deployed, the report said.
Similarly, Sturm said one of the challenges with oil and gas recruitment is that defined job structures and career paths for industrial cybersecurity resources haven’t been created.
“This is problematic because treating these roles like engineering resources will not allow businesses to make competitive offers. The pay scale for cyber industrial resources, for example, is significantly higher than a typical instrumentation and controls technician,” Sturm said.
She said another challenge is that industrial security roles are often scoped way too broadly.
“By way of comparison, it would be like asking for a doctor who can perform as a pediatrician, do brain surgery, HIPAA compliance and post op care,” she said. “Individuals that can do all these things well are very rare and this does not reflect the realities of the marketplace.”