Power plant worker

How digital transformation must go in hand with cyber resilience

Oil and gas companies can focus on six key areas to stay resilient in the face of evolving cyber threats and digital transformative changes.

In brief

  • The energy sector is particularly vulnerable to cyber attacks given its legacy asset base and low cyber maturity.
  • With the acceleration of digitalization and increasingly sophisticated cyber criminals, companies should not expect zero cyber risk incidents.
  • Companies should focus on building cyber resilience in several key areas for business continuity.

The energy sector has become one of the most attractive targets for cyber criminals, owing to its legacy asset base and low cyber maturity. Globally, cyber attacks on industrial control systems and operational technology (OT) systems in the energy sector have increased. The sector suffered the fifth-highest losses amounting to US$4.65m in 2021 due to data breaches.1

How EY can Help

  • Cybersecurity

    Cyber threats are evolving and escalating at an alarming rate for mining and metals, and other asset-intensive industries.

    Read more

Digital transformation in the sector, coupled with limited cybersecurity spending, has perhaps exposed the cyber vulnerabilities of oil and gas companies. Recent cyber attacks on a US pipeline and a national oil company (NOC) highlight a growing need for cyber resilience worldwide. 

 

Oil and gas companies in the Asia-Pacific region have not been spared. In 2019, the IT system of an oil and gas company was attacked and had to be isolated and shut down, resulting in business disruption. A data leak at an NOC in 2018 compromised sensitive personal data of a few thousand customers. These incidents from years ago underline the fact that cyber incidents are not new and yet remain a persistent — if not escalating — threat with the acceleration of digitalization across businesses. 

    

Struggling to keep pace 

It has been hard to build cyber resilience for multiple reasons. The convergence of IT and OT in the sector has given rise to a complex web of connected technologies, devices and systems. As entire operating systems of oil and gas companies come online and connect seamlessly with the Internet of Things (IoT), their vulnerability increases exponentially. The large-scale adoption of remote working as a result of the pandemic has also shifted entire work ecosystems online, creating more points of potential exposure.

 

At the same time, infrastructure and systems may be obsolete and not fully fit for purpose. For example, many oil and gas companies still use legacy control systems across their plants. With digitalization, they are also collecting a vast amount of operational and consumer data from sensors and smart devices. Yet data security programs may be inadequate, with some still using time-intensive manual processes and operating cyber controls in organizational silos. This leads to inconsistency in managing cyber risks due to a lack of governance, oversight and accountability.

 

According to the EY Global Information Security Survey 2021, oil and gas companies face budget constraints in cybersecurity. Ninety-seven percent of the organizations in the sector had spent less than 1% of their revenue on cybersecurity initiatives. The management must be convinced of the need to invest in cybersecurity — yet only 39% of chief information security officers (CISOs) and security leaders in the sector surveyed said their boards or executive management committees understood the value of cybersecurity to the business and included it on their board agendas. This knowledge gap at the top must be bridged for cybersecurity to be plugged into strategic decision-making instead of being an afterthought.

 

As companies struggle to get their act together, cyber threat actors continue to evolve in their sophistication. Where perpetrators have in the past taken a scattergun approach, they are now more targeted, focused and intelligent.

Key actions to build cyber resilience

Arguably, no one should be expecting CISOs to be able to prevent all cyber attacks from happening. Companies should instead shift their focus toward building cyber resilience — that is, how can the organization maintain business continuity in the event of a cyber incident? To build cyber resilience, companies should focus on the following areas.

Cyber resilience strategy and governance framework 

It is critical to establish board-level oversight on high-impact risks pertaining to IT, OT, physical security, environment, health and safety and the digital transformation strategy. Alignment between different business units and the enterprise-wide risk management framework is also crucial. Companies should adopt a “waterfall approach” for risk mitigation planning and control, which involves defining clear responsibilities for all risk owners and controllers.

Holistic and integrated enterprise-wide cyber risk management

Companies must identify and mitigate cyber risks across their businesses and operations by providing adequate mandates, funds and resources for cyber resilience programs. They should also conduct thorough analyses of risks and have a clear understanding of perceived values of different assets. 

“Security by design” framework 

Companies should establish a robust mechanism for managing cyber risks by exploring the organization’s risk environment and appetite. They should also evaluate the cascading impact of various residual risks for ongoing activities and new initiatives. Additionally, they need to engage the operations and engineering teams to encompass OT and the legacy technology into the overall cyber framework. This approach will help enable day-to-day resilience as well as proactive, pragmatic and strategic planning that considers risk and security from the outset.

Next-generation cybersecurity technologies 

Companies should conduct an “as-is”’ and “to-be”’ analysis of their cyber environment to measure the effectiveness and efficiency of cybersecurity programs, across both IT and OT. This will act as a guide to identify key systems and operations that need to be upgraded or mitigate risks pertaining to legacy OT by adopting the latest cybersecurity technologies for effective risk management.

Robust incident response and emergency action plan 

Even the most secure framework cannot be expected to result in zero cyber risk incidents. A detailed cybersecurity incident response plan based on established frameworks should be developed. The plan should clearly define the roles and responsibilities for responding to cyber incidents, incident categorization and protocols for information and intelligence sharing. Periodic simulation exercises with realistic scenarios should be conducted to stress test the company’s ability to respond in a crisis. 

Culture and workforce

Fostering a risk-aware culture for effective cooperation among different business units and stakeholders instead of a siloed and fragmented approach to risk management is crucial. Companies should also develop a training and learning framework so that employees are aware of cyber policies and processes and updated on them. 

As digital transformation continues to extend across oil and gas companies and the entire energy ecosystem, new vulnerabilities will enter and threaten an already fast-changing and volatile environment. The only way to keep moving forward with confidence is to invest in building the resilience now.

 

While companies may not be able to prevent all cyber attacks from happening, they should shift their focus toward building cyber resilience for business continuity even when cyber incidents occur.


Summary

With its legacy asset base and low cyber maturity, the energy sector has been an attractive target for increasingly sophisticated cyber criminals. Companies should shift their focus toward building cyber resilience in several key areas. These include a cyber resilience strategy and governance framework; holistic, integrated enterprise-wide cyber risk management; a “security by design” framework; and next-generation cybersecurity technologies. A robust incident response and emergency action plan and fostering a risk-aware culture are also critical.

About this article

Photographic portrait of Sanjeev Gupta
Sanjeev Gupta
EY Asia-Pacific Oil & Gas Leader
Thought leader working with stakeholders in the energy sector. Passionate about client’s journey toward improved capital efficiency, transformation and digitalization.
Related topics
Energy and resources
Oil and gas
Cybersecurity
Risk
Technology leader's agenda

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.