Is Your Company Ready for the Next Big Cyber-Attack?
As robotics, digitization and the Internet of Things (IoT) become more ingrained in oil and gas operations, cyber-attackers continue to provide stark reminders that critical computer infrastructure systems – increasingly linked via wireless networks – are vulnerable to serious breaches. For instance, the recent WannaCry ransomware and Fireball malware attacks together affected hundreds of millions of computer users worldwide. Also, attacks this week affected the world's largest shipping company and a major Russian oil producer.
As WannaCry, Fireball and more recent attacks showed, cyber-criminals are becoming more sophisticated. Moreover, the wireless networks that increasingly undergird oil and gas industrial control systems (ICS) provide tempting access points for hackers. How vigilant are oil and gas companies in regard to protecting their increasingly complex operational infrastructure? According to a recent report from Deloitte, there is room for improvement. In fact, the report's authors contend that oil and gas companies are relative laggards when it comes to implementing ICS cyber-security initiatives.
Rigzone recently caught up with one of the authors, Deloitte Global Energy and Resources Risk Advisory Leader Paul Zonneveld, to discuss how oil and gas players can bolster the security of their control systems. Read on for details.
Rigzone: First off, in regard to cybersecurity, what are some areas in which the oil and gas industry is to be commended for taking a proactive approach in mitigating risks?
Zonneveld: Cyber risk and cyber threat mitigation strategies are now moving up the priority list for boards and senior executives of oil and gas companies, as the number of incidents has increased and vulnerabilities are identified. The oil and gas business is still lagging other sectors but the issue is now being taken more seriously
Rigzone: You've identified four critical cybersecurity risks (see infographic below). Is there a common thread(s) underlying all of these risks? Please elaborate on any common threads and what could be done to bolster defenses on those fundamental fronts.
Zonneveld: The increasing proliferation of remote sensors and IoT devices raises the level of risk and exposure to cyber-attack, both from external “bad actors” and human error within company operations as systems become more complex. Protecting against cyber threat is an ongoing part of business and asset operations, not susceptible to one-off fixes, so the key is awareness of key vulnerabilities and critical system components, leading to robust plans for rapid identification of issues and system recovery. Deloitte’s Secure-Vigilant-Reliant framework focuses cyber planning on making cyber defense as effective as possible.
Rigzone: Through the course of your research, have you identified any factors from within E&P companies, refiners and other oil and gas industry players that have contributed to cybersecurity falling short?
Zonneveld: The oil and gas business is complex with most companies operating a very diverse set of assets with equipment and control systems of different design, different vintage and designed for a different purpose than for cyber protection. In addition, at any one site, there is likely to be a complex ecosystem involving operators, partners, contractors, equipment suppliers and service providers each with different data and operational rights and needs. Add in a strong culture of operational integrity and safety and it becomes challenging to design and implement fit-for-purpose comprehensive cyber risk and recovery protocols.
Rigzone: Are any industries "doing it right" and could serve as a model for the oil and gas industry to bolster its cybersecurity efforts?
Zonneveld: Every industry has its own risk profile, with different threats and controls needed to combat “bad actors.” Financial services is likely the most advanced in implementing programs to combat cyber risk, but of course, this industry attracts the greatest attention from attackers and is often the first to be compromised when new forms of attack are developed. E&P companies are wise to learn from this sector – their experiences and strategies for continuous improvement can help avoid costly mistakes.
Rigzone: Would you like to add any comments?
Zonneveld: The E&P sector is faced with an additional challenge – that industrial control systems have not been designed for security nor have the environments they operate in. There is no quick fix—it will take time and strong leadership to address this risk in order to support of safe and reliable operations.
WHAT DO YOU THINK?
Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.