5 minute read 26 Nov 2021

Oil and gas companies can focus on six key areas to stay resilient in the face of evolving cyber threats and digital transformative changes. 

power plant worker

How digital transformation must go in hand with cyber resilience

Authors
Sanjeev Gupta

EY Asia-Pacific Oil & Gas Leader

Energy sector thought leader. Working with clients on transformation, digital journey and navigating uncertainty around changing business models. Loves travel, cricket and tennis. Father of two.

Steve Lam

EY Asean Cybersecurity Leader

Cybersecurity strategist. Trusted boardroom advisor. Early technology adopter. Creative problem-solver. Avid cyclist, reader and collector of mechanical keyboards.

5 minute read 26 Nov 2021
Related topics Energy and resources Oil and gas Cybersecurity Risk Technology leader's agenda GISS
Upvote

Show resources

Oil and gas companies can focus on six key areas to stay resilient in the face of evolving cyber threats and digital transformative changes.

In brief
  • The energy sector is particularly vulnerable to cyber attacks given its legacy asset base and low cyber maturity.
  • With the acceleration of digitalization and increasingly sophisticated cyber criminals, companies should not expect zero cyber risk incidents.
  • Companies should focus on building cyber resilience in several key areas for business continuity.

The energy sector has become one of the most attractive targets for cyber criminals, owing to its legacy asset base and low cyber maturity. Globally, cyber attacks on industrial control systems and operational technology (OT) systems in the energy sector have increased. The sector suffered the fifth-highest losses amounting to US$4.65m in 2021 due to data breaches.1

Digital transformation in the sector, coupled with limited cybersecurity spending, has perhaps exposed the cyber vulnerabilities of oil and gas companies. Recent cyber attacks on a US pipeline and a national oil company (NOC) highlight a growing need for cyber resilience worldwide. 

Oil and gas companies in the Asia-Pacific region have not been spared. In 2019, the IT system of an oil and gas company was attacked and had to be isolated and shut down, resulting in business disruption. A data leak at an NOC in 2018 compromised sensitive personal data of a few thousand customers. These incidents from years ago underline the fact that cyber incidents are not new and yet remain a persistent — if not escalating — threat with the acceleration of digitalization across businesses. 

Struggling to keep pace 

It has been hard to build cyber resilience for multiple reasons. The convergence of IT and OT in the sector has given rise to a complex web of connected technologies, devices and systems. As entire operating systems of oil and gas companies come online and connect seamlessly with the Internet of Things (IoT), their vulnerability increases exponentially. The large-scale adoption of remote working as a result of the pandemic has also shifted entire work ecosystems online, creating more points of potential exposure.

At the same time, infrastructure and systems may be obsolete and not fully fit for purpose. For example, many oil and gas companies still use legacy control systems across their plants. With digitalization, they are also collecting a vast amount of operational and consumer data from sensors and smart devices. Yet data security programs may be inadequate, with some still using time-intensive manual processes and operating cyber controls in organizational silos. This leads to inconsistency in managing cyber risks due to a lack of governance, oversight and accountability.

According to the EY Global Information Security Survey 2021oil and gas companies face budget constraints in cybersecurity. Ninety-seven percent of the organizations in the sector had spent less than 1% of their revenue on cybersecurity initiatives. The management must be convinced of the need to invest in cybersecurity — yet only 39% of chief information security officers (CISOs) and security leaders in the sector surveyed said their boards or executive management committees understood the value of cybersecurity to the business and included it on their board agendas. This knowledge gap at the top must be bridged for cybersecurity to be plugged into strategic decision-making instead of being an afterthought.

As companies struggle to get their act together, cyber threat actors continue to evolve in their sophistication. Where perpetrators have in the past taken a scattergun approach, they are now more targeted, focused and intelligent.

How EY can help

Cybersecurity

We can help evaluate your cybersecurity programs and build the resilience you need to protect your critical energy infrastructure assets.

Read more

Key actions to build cyber resilience

Arguably, no one should be expecting CISOs to be able to prevent all cyber attacks from happening. Companies should instead shift their focus toward building cyber resilience — that is, how can the organization maintain business continuity in the event of a cyber incident? To build cyber resilience, companies should focus on the following areas.

Cyber resilience strategy and governance framework 

It is critical to establish board-level oversight on high-impact risks pertaining to IT, OT, physical security, environment, health and safety and the digital transformation strategy. Alignment between different business units and the enterprise-wide risk management framework is also crucial. Companies should adopt a “waterfall approach” for risk mitigation planning and control, which involves defining clear responsibilities for all risk owners and controllers.

Holistic and integrated enterprise-wide cyber risk management

Companies must identify and mitigate cyber risks across their businesses and operations by providing adequate mandates, funds and resources for cyber resilience programs. They should also conduct thorough analyses of risks and have a clear understanding of perceived values of different assets. 

“Security by design” framework 

Companies should establish a robust mechanism for managing cyber risks by exploring the organization’s risk environment and appetite. They should also evaluate the cascading impact of various residual risks for ongoing activities and new initiatives. Additionally, they need to engage the operations and engineering teams to encompass OT and the legacy technology into the overall cyber framework. This approach will help enable day-to-day resilience as well as proactive, pragmatic and strategic planning that considers risk and security from the outset.

Next-generation cybersecurity technologies 

Companies should conduct an “as-is”’ and “to-be”’ analysis of their cyber environment to measure the effectiveness and efficiency of cybersecurity programs, across both IT and OT. This will act as a guide to identify key systems and operations that need to be upgraded or mitigate risks pertaining to legacy OT by adopting the latest cybersecurity technologies for effective risk management.

Robust incident response and emergency action plan 

Even the most secure framework cannot be expected to result in zero cyber risk incidents. A detailed cybersecurity incident response plan based on established frameworks should be developed. The plan should clearly define the roles and responsibilities for responding to cyber incidents, incident categorization and protocols for information and intelligence sharing. Periodic simulation exercises with realistic scenarios should be conducted to stress test the company’s ability to respond in a crisis. 

Culture and workforce

Fostering a risk-aware culture for effective cooperation among different business units and stakeholders instead of a siloed and fragmented approach to risk management is crucial. Companies should also develop a training and learning framework so that employees are aware of cyber policies and processes and updated on them. 

As digital transformation continues to extend across oil and gas companies and the entire energy ecosystem, new vulnerabilities will enter and threaten an already fast-changing and volatile environment. The only way to keep moving forward with confidence is to invest in building the resilience now.

While companies may not be able to prevent all cyber attacks from happening, they should shift their focus toward building cyber resilience for business continuity even when cyber incidents occur.

Summary

With its legacy asset base and low cyber maturity, the energy sector has been an attractive target for increasingly sophisticated cyber criminals. Companies should shift their focus toward building cyber resilience in several key areas. These include a cyber resilience strategy and governance framework; holistic, integrated enterprise-wide cyber risk management; a “security by design” framework; and next-generation cybersecurity technologies. A robust incident response and emergency action plan and fostering a risk-aware culture are also critical.

About this article

Authors
Sanjeev Gupta

EY Asia-Pacific Oil & Gas Leader

Energy sector thought leader. Working with clients on transformation, digital journey and navigating uncertainty around changing business models. Loves travel, cricket and tennis. Father of two.

Steve Lam

EY Asean Cybersecurity Leader

Cybersecurity strategist. Trusted boardroom advisor. Early technology adopter. Creative problem-solver. Avid cyclist, reader and collector of mechanical keyboards.

Upvote