9 minute read 30 Sep 2021

To support transformation, CISOs need to build bridges, embed security-by-design, and get used to the reality of an evolving value model.

How oil and gas security leaders can smooth the transformation path

By Raddad Ayoub

EY MENA Oil & Gas Cybersecurity Lead

Risk and cybersecurity professional with a passion for the future of energy. An avid amateur cyclist and rock climber, and always an aspiring super dad.

In brief
  • The EY Global Information Security Survey 2021 (GISS) highlights the challenges oil and gas CISOs face in a rapidly evolving sector.
  • One in two respondents say they are under more scrutiny than ever before, but many are struggling to gain traction with the board.
  • Digitization and new business models are creating opportunities, while opening the door to unknown risk.

In recent years, oil and gas companies have been reinventing their business models and embracing digitization. In a sector that could see traditional revenue streams decline by as much as 75% by 2050, these developments tell a positive story about resilience, but they also magnify the cyber threat. 

As oil and gas companies unlock new revenue streams, they will gather more data than ever before and engage with an even wider, yet more closely intertwined, ecosystem of partners. “Across the industry, there has been a major push to expand the value chain and, as is common in the sector, visibility, predictability and resiliency are key,” explains Kris Lovejoy, EY Global Consulting Cybersecurity Leader.

“The sector is dealing with an expanding focus on downstream investments, the venture into sustainable hydrogen production, and the push to expand into energy trading. All this while adopting sound ESG principles and infusing digital everywhere across the value chain,” she says. “There are lots of moving parts here. Whenever there is something new, there are unknowns and a larger and more complex ecosystem, where things can go wrong.”

The sector-wide effort to digitize operations, and collect massive amounts of data across a heterogeneous and, at times, hybrid environment, has created additional vulnerabilities in the ecosystem. Centralizing command and control is increasingly requiring access to more systems and data points. In response, there is an accelerating convergence between the various operational and field networks, and the corporate IT environment. A rush to enable remote operations during the COVID-19 pandemic has only made the demand more acute.

GISS survey results: 52% of respondents in the oil and gas sector say they're under more scrutiny than ever before.

It used to be that the only data coming out of an oilfield would be production reports, supply chain data and Health, Safety and Environment (HSE) information. Now, with greater centralized command and control, there is a lot more sensitive operational information propagating across the network.

The EY GISS suggests that changes such as these, which are made yet more complicated by an evolving compliance landscape, are putting new pressure on oil and gas cybersecurity teams. Half of the respondents in this sector (52%) say they are under more scrutiny than ever before.

CISOs should welcome this scrutiny. If their teams can show they are protecting the business through a time of innovation, disruption and technological change, they will deepen their influence and earn recognition as enablers of strategy. Our research does, however, bring attention to three core challenges that must be overcome.

1. The executive team is unfamiliar with a new world of risk

Our analysis of the GISS data suggests there is a cybersecurity knowledge gap among senior leadership teams, which may prevent CISOs from securing the proactive investment required.

Just 29% of oil and gas cybersecurity leaders say the board or executive management committee understands the value of cybersecurity to the business – noticeably lower than in other sectors (see figure 1). Moreover, 6 in 10 warn that the board makes decisions on cybersecurity without having the technical knowledge to understand the threat fully. And oil and gas cybersecurity leaders are also more likely to say that, when they try to make a case for increased funding, the board has trouble understanding why more investment is required.

GISS Oil and Gas graphic 1

The issue is not a lack of understanding of cybersecurity per se, but uncertainty about the company’s exposure to the new and evolving risks when entering new markets, partnerships and products.

The executive management teams are typically seasoned professionals from the field and have a strong understanding of risks across the traditional value chain, but they are less clear about information security in the context of nontraditional markets. There is a gap in their knowledge when they are entering into new domains, which is compounded by the changes in how the business operates on a digital level. It is very complex. This is not your typical IT operation. We are talking here about complexity several orders of magnitude higher.

2. Cybersecurity teams are cut out of planning

Oil and gas businesses are digitizing their operations, despite the challenges this presents from a cybersecurity perspective.

Executives have good reason for worrying about the security of their technology systems. A single security flaw gives hackers an opportunity to bring down a whole network. So it is concerning that many oil and gas companies are investing in technology without ensuring they have built in the appropriate security resilience, with fewer than half (48%) of respondents saying they are brought in at either the planning or design stage of a new business initiative (see figure 2). This is further complicated by the fact that a significant percentage of business expansion relies on large turnkey third-party engineering contracts. The ownership of the risk is at times unclear and lacks accountability.

If you mention remote operations to oil and gas executives, they won’t sleep that night because the risks are so high. But they are aware that many businesses, such as the operators of North Sea rigs, are successfully reducing the number of onsite employees, which has a direct impact on the bottom line. In the end, they digitize because their competitors are doing it.

GISS Oil and Gas graphic 2

More than 6 in 10 (65%) oil and gas respondents admit the business rolls out new technology to timescales that do not allow time for suitable assessment. They also flag that the most challenging aspect of their role is supporting new technology-driven initiatives. 

One explanation for the lack of cybersecurity oversight is that the nature of the technology investments has changed in recent years. Formerly, when the bulk of IT investments were made in a centralized, enterprise setting, it was more straightforward to check that the cybersecurity team was included and providing security by design. As IT merges with OT, spanning a much larger network and ecosystem of partners, it becomes more difficult to ensure governance and oversight.

3. Regulation is still out of sync

More than half of oil and gas cybersecurity leaders (54%) complain about the burden of regulation, flagging that achieving compliance can be the most stressful part of their job.

GISS Oil and Gas graphic 3

There is a good reason why regulation is becoming more time-consuming. Given that oil and gas infrastructure forms part of a country’s critical national assets, and as several countries have suffered high-profile cyber attacks in recent years, governments recognize the need to protect these entities through regulation.

Compared with other sectors, however, regulation on information security in oil and gas is less mature. “The regulations are relatively new, still evolving and out of sync with requirements,” says Clinton Firth, EY Energy Leader for Cybersecurity. “Compliance is putting more stress on a system that is behind in other respects, but will eventually help the industry to move forward. Cyber regulation in the sector is coming into its adolescence.”

It’s true that oil and gas companies are unsure about the value of compliance. Just one in four (27%) respondents believe that compliance drives the right focus and behaviors, compared with 42% more broadly.

The situation will improve over time, as rules become more sophisticated and responsive to the new business models being developed in the sector. Today, however, 6 in 10 (61%) oil and gas respondents believe regulation will only become more fragmented, and therefore time-consuming, in the years to come.

How oil and gas CISOs can excel as strategic enablers

CISOs in oil and gas have an opportunity to increase their influence and ensure their operations have the resilience needed to sustain cyber-secure growth. Faced with the challenges of a rapidly changing sector, they need to act decisively.

Become an expert in the new business models

New revenue streams mean a larger and more complicated risk exposure. As outlined above, the board may not have personal experience of the investment levels needed to contain all the elements of this risk. In turn, we can expect them to look to the CISO for insight.

The research suggests, however, that cybersecurity teams may need to enrich their own understanding of new oil and gas business models, and the accompanying technologies, before they can provide guidance to others. Currently, for example, just 27% of respondents believe that senior leadership would describe the cybersecurity team as being “commercially minded.” Cybersecurity professionals in oil and gas are much more likely to be described as protecting the enterprise, responding quickly to crises, and working collaboratively with others. All of these attributes are admirable in themselves but, in today’s sector, they need to be balanced with a deeper understanding of how the threat is changing in parallel with new value creation. 

By broadening their knowledge beyond the established remit of cybersecurity, CISOs will be better placed to articulate the risks to the board or executive management committee and outline what is required to ensure resiliency in a changing commercial environment.

Build stronger relationships outside the traditional sphere of influence

To embed security by design, oil and gas CISOs need to develop stronger relationships with operations teams and with the organization’s equipment owners and strategic partners. By seeing the reality of field operations first hand, cybersecurity teams can anticipate where their interventions might encounter resistance from business partners.

Cybersecurity teams should also recognize that the OT development life cycle is much longer, with less frequent maintenance windows, than that of enterprise IT. OT changes can’t be made at the 11th hour. Network change happens over several weeks, if you’re lucky, and some change can’t happen at all. So oil and gas CISOs must be understanding when they look at security by design and start by saying "How can we work together to layer security around those assets and protect them?"

Approach compliance as a benefit

Our findings indicate that oil and gas CISOs are pessimistic about regulation and the time it takes them to achieve compliance. International oil majors are likely to be the most affected by changes to regulations, as they struggle to comply with regional as well as transnational standards, but changing regulation will impact all.

Cybersecurity leaders are looking into automation, new skills and centralization as ways to make the process more efficient, but the first step is a change in mindset. The sector has no choice but to evolve and protect itself against these new risks and a broader threat landscape, as opposed to saying that the requirements are too difficult. Moving away from regulation as a burden, and toward regulation as an essential pillar of an evolving sector, will help oil and gas companies overcome the long-term challenges they face and seize new opportunities. Adopting sound HSE principles over the years has become part of the ethos of the sector. Good cybersecurity should be no different.

The oil and gas sector has changed significantly in recent years, but its transformation journey will only accelerate as the world turns away from fossil fuels and energy companies respond with innovative new strategies for growth. As they do so, the cyber threat will continue to grow, and well-positioned CISOs stand to become ever more critical to long-term business success.

Summary

The oil and gas sector is evolving fast. CISOs have an opportunity to increase their influence, help their organizations seize the opportunities from digitally driven transformative change and protect them from the associated risks, to maintain the trust of their customers, stakeholders and regulators.
