“Only 50% of oil and gas companies have a robust information security strategy in place.”
In my previous blog, I wrote about how transition to the Digital Oilfield is exposing companies to the potentially serious risk of cyber attacks - putting production, reputation, and ultimately profits at risk. There's no doubt that as attacks become more insidious, the potential consequences proliferate, with the cost of future breaches impacting infrastructure, safety, intellectual property, lost revenues, and even the broader economy.
But of course, it's not just the energy industry that's in the cross hairs of hackers and cyber criminals. The pervasive threat of cyber attacks has been brought into sharp focus in recent months by the heavily publicised Sony Pictures data breach. Although interestingly, Sony Pictures only ransk as the 33rd largest breach in 20141. The largest? eBay, with over 150 million records compromised2.
THE ENERGY SECTOR'S VULNERABILITY TO CYBERCRIME
Security threats are expected to grow even further in the future. In the past four years alone, the financial impact of cybercrime has increased by nearly 78% and the time it takes to resolve a cyber attack has more than doubled.3 Across all industries and geographies, it’s been estimated that cybercrime costs some $400 billion in lost time and assets.4
According to Ponemon, companies in energy and utilities recorded average annual costs due to cybercrimes of $19.78 million, second only to firms in the defence industry. An ABI Research study predicted that globally, cyber attacks against oil and gas infrastructure will cost companies $1.87 billion by 2018.
The energy sector’s diverse and interconnected systems are also increasing vulnerability to cybercrime with newer technologies such as those controlling drilling rigs and cloud-based services being subject to probes or attacks. So too are once-isolated plant control systems that are now integrated with corporate networks or vendors. Even private smartphones and devices used by company employees potentially open up a business’s network to an increasing number of threats and malicious behavior. Such threats can target data at rest on the device and can be easily introduced through online web surfing (96% of all mobile devices don’t have encryption protection5).
In short, wherever there’s digitally enabled technology or an intelligent device – even a simple device that controls a valve on the pipeline – there’s a risk of it being used as a portal and taken over without authorisation.6 Cyber criminals are targeting the entire spectrum of potentially valuable data: data at rest, data in transit, and data in use.
Whatever the access point or motivation, high downtime costs and attack frequency rates necessitate strong cyber security protocols. When you consider that 96% of successful breaches could be avoided if organisations put simple or intermediate controls in place7, it really is time for the industry to collectively take action.
A COMMON FRAMEWORK TO IMPROVE CYBER SECURITY IN THE ENERGY SECTOR
In February 2013, The NIST Framework for Improving Critical Infrastructure Cybersecurity was created as the result of a US Executive Order, in response to the growing security, economy, public safety and health risks caused by cyber security threats.
Our Oil & Gas industry report features a best practice cyber security strategy that’s consistent with the NIST Framework and based on global security standards. The strategy is built around the following 4 process pillars which, when executed concurrently and continuously, serve to mitigate the risk of cyber attack.
There’s also a detailed checklist within the report to help you assess your company’s current cyber security posture, define your company’s target state, identify and prioritise opportunities for improvement, assess progress, and communicate the risk to stakeholders.
1. Know your critical assets – identify your organisation’s business objectives and high-value assets, then conduct risk assessments to find any vulnerabilities.
2. Protect your IT, radio network and OT environments – Establish defences to block intruders before they reach your critical business assets, and educate your employees to recognise and avoid phishing attacks.
3. Detect potential threats before they occur – Use the right tools to gain a comprehensive view of your security environment and monitor potential threats both externally and internally.
4. Respond and recover – With the speed and intelligence of many of today’s cyber attacks, cyber breaches may still occur, even in the most secure infrastructure. Having a contingency plan in place can help you respond immediately if a breach should occur.
If, after referring to the checklist in the report, you find your operations are vulnerable to attack – then we can provide a full onsite cyber assessment service. Details of how to arrange your assessment can be found towards the back of the report.
If you’d like to join the conversation about protecting oil and gas operations from cyber threats, we’d be delighted to welcome you to the Motorola Solutions Community EMEA LinkedIn Group.
Tunde is on LinkedIn at https://www.linkedin.com/pub/olatunde-williams/5/282/67a
Tunde Williams’ previous oil and gas industry blogs include: Protection against cyber attacks in the Digital Oilfield and Improving worker safety in the Digital Oilfield
1 http://www.idigitaltimes.com/10-largest-data-breaches-2014-sony-hack-not-one-th em-403219