Digital and the IIoT have changed the threat landscape
The IIoT and digital revolution offer great benefits to the oil and gas industry. However, they can increase exposure to new types of cybersecurity risks that require immediate attention.
Our Global Information Security Survey (GISS) revealed that 57% of respondents in the oil and gas industry have had a recent significant cybersecurity incident. In a similar vein, a World Energy Council report published in September 2016 cited cybersecurity as a top issue for the energy industry, particularly in North America and Europe, where the infrastructure is most mature.
OT environments have traditionally focused on ensuring high availability at the expense of confidentiality and integrity, and they are now very exposed to cybersecurity risks as a result of digitization and modernization, including connectivity to the internet. It is no longer practical or cost effective to maintain separate IT and OT environments. Indeed, to realize the maximum benefit from digitization and smart engineering, combining these environments is increasingly a necessity. These changes are being accelerated by the advent of new technologies such as IIoT and big data analytics.
Operational safety and quality are cyber-dependent
The convergence of the IT and OT environments has created new cyber-physical risks.
As the US National Institute of Standards and Technology (NIST) says, “Cyber-Physical Systems or ‘smart’ systems are co-engineered interacting networks of physical and computational components. These systems will provide the foundation of our critical infrastructure, form the basis of emerging and future smart services, and improve our quality of life in many areas.”
New risks are being created where network connected endpoint devices such as unmanned vehicles[EM1] , smart sensors, handheld engineer terminals and industrial routing equipment are being produced and deployed without a cybersecurity baseline implementation and are open to remote compromise.
As more and more devices are connected, the potential for infiltration rises exponentially.
Today, cyber-physical risks are not being effectively identified, tracked or monitored — so how can such risks be appropriately mitigated? This, combined with the rate of new technology deployment and digitization of operational processes, means there is reason to act now. If cyber-physical systems are compromised, they could lead to a hazardous event, which could result in loss of critical national infrastructure services to the public or, worse, loss of life due to safety failings.
Examples have already been seen with unmanned vehicles (such as drones and and driverless vehicles). Such attacks in the oil and gas industry can potentially go beyond damage to control systems, devices, equipment and the network. They can also pose risks to the entire supply chain and disrupt regional sector operations. This is the essence of cyber-physical risk.
Enabling safe and reliable digital operations
Aligning an organization’s digital strategy to address cyber-physical risks is necessary to appropriately protect operational assets and processes. An aligned digital and cyber strategy can enable digital transformation by:
- Reducing operational and safety risk, through the management and monitoring of new technology and cyber-physical risks
- Enhancing the digital agenda, through the creation of a safe and managed cyber environment where new technologies and processes can be introduced
- Unlocking technology innovation by clearly understanding the IT, OT and IIoT asset landscape and the threats and risks that could affect their operational uptime and integrity
- Creating resilient technology platforms for field site and corporate networks that can predict potential attacks and outages before they occur
Oil and gas companies are in various stages of their digital transformation journeys, with many in the early stages. Understanding the current cyber-physical risk landscape and the threats that the IIoT and new technologies bring is critical for planning the long-term success of reliable and resilient sector operations. A clear understanding of the benefits to taking a proactive approach to security now, to avoid major vulnerabilities at a later stage, is critical. Such an approach would also mitigate the risks of digital transformation projects being delayed or experiencing major problems once launched.
Two smart ways to invest in cybersecurity
1. Benchmark with similar companies on security spending.
2. Justify security spending by showing how much value is protected or even created out of ensuring cyber-resilient industrial operations.
The more value we create out of connected cyber-physical systems, the more attention we should give to protecting them.
The top three things to do now
In order to reduce safety and reliability risks to operations, consider the following:
1. Before implementing new “connected” field technologies, ask your vendors to prove their product cybersecurity baseline
Devices today are being deployed with inherent security flaws. Ensuring a security baseline is in place before deployment will protect operations against endpoint IIoT threats and potential safety, reputational and economic impacts.
2. Acknowledge the cyber-physical risk domain, and include it in your operational risk registers now
Your risk footprint grows with every new connected field technology you implement, which can affect the safety and reliability of operations and staff. Our client interaction has revealed that many companies were unaware that cyber penetration testing was necessary, which is especially critical given the deeper connectivity between OT and IT systems. The lack of public reporting of cyber-attacks in the industry is yet another factor complicating the understanding of the size and true nature of various types of risks.
3. Align cybersecurity to your digital strategy for operations
The more you digitize, the more your cyber-risk footprint grows. Ensuring cyber is an active part of the digital design process will enable more technology to be implemented without adding additional operational risk. The US Department of Homeland Security says that oil and gas is the most attacked industrial sector.