Managing the risks in the digital age
The digital age has enabled a dramatic change in business operations but this change has brought with it new risks that were previously not of any concern to Oil and Gas companies. Physically remote facilities with little or no connection to the outside world were isolated from the growing risks of cyber-attack that were occurring in other sectors, such as finance.
The cyber-security risk posture has changed dramatically for oil and gas companies and attention is needed if major production or safety incidents are to be avoided.
Why you should be concerned
The Oil and Gas industry has seen a number of major drivers towards increased collaboration and interoperability:
- The demand for increased visibility and sharing of information has seen connection of traditionally isolated facilities to corporate networks.
- The trend towards service-oriented offerings from major plant providers has seen the need to provide remote access to operations-critical equipment via the internet.
IT equipment has been interconnected like this for many years, and companies have responded to the increased attacks this brings by introducing new protection mechanisms. However, in the operational world, there are a number of key differences which make this more challenging:
- The underlying technology may be so old that it contains many well-publicized vulnerabilities that can be exploited by attackers, and it may be incapable of supporting some of the protection mechanisms that would mitigate the associated risks.
- The design of the equipment networks, while meeting its intended purpose, may expose the business to increased risk of attack once connected to the outside world.
- The equipment and networks underpin a 24 x 7 x 365 operation and the opportunity to rectify issues is extremely limited, and the costs very much greater than in a typical IT setting.
The failure of a control or safety system could result in injury and loss of life to personnel and the public, as well as harm to the environment from which recovery may be extremely time consuming, expensive, and difficult. It is not acceptable to rely on independent protection mechanisms to protect against the effects of a cyber-incident.
Reports indicate a ten-fold increase in the number of successful cyber-attacks on infrastructure control systems since 2000. In addition to the factors already noted, there is an increased awareness outside of the industry of the existence of operational technology such as control systems. This awareness is being exploited for a number of reasons:
- Hackers, seeking to prove their capabilities, see what they can disrupt.
- Criminals can levy ransoms on companies in return for access to their own production systems.
- State-funded operations may choose to attack companies involved in significant energy production for another state.
- Environmental activists can disrupt operations they believe are harming the environment.
- Disgruntled insiders can cause significant damage with a combination of their specialist knowledge and unencumbered access to equipment.
What should you do
Oil and Gas companies must assess their cyber-security risk posture and take action to address any issues that leave them exposed. Cyber-security risk management involves people, process and technology.
Companies must assess the competency and awareness of their personnel and the personnel of contractors, vendors and other third parties that have access to their facilities. Training and awareness is a key risk mitigation that helps reduce the likelihood and impact of a cyber-incident.
Oil and Gas companies already produce and maintain extensive operational procedures for everything they do. These rarely consider the risks associated with technology, for example how to correctly handle removable media such as USB drives that may introduce malware into a facility. Not only do oil and gas companies need to review their existing policies and procedures but they will need additional policies and procedures to manage their cyber-security risks.
There are many technology considerations that oil and gas companies should make:
- How to configure networks to improve security.
- How to protect legacy equipment that cannot be upgraded.
- How to monitor and prevent intrusions.
A comprehensive strategy is required to ensure that companies achieve the best return on their investment and correctly minimize their cyber-security risks.
Evaluating your options
Do:
- Take a big-picture approach to cyber-security risk, following a rigorous methodology
- Provide training and awareness to all personnel who have access to operational technology
- Actively manage risks and adapt to changing circumstances
- Consider people, process and technology
Don't:
- Implement quick tactical solutions that may be costly or may not be the best way to reduce risk
- Assume that existing protection mechanisms will be sufficient to protect against a cyber-incident
- Consider only technology
How E&P consulting can help
E&P consulting can help oil and gas companies with managing their cyber-security risk by:
- Providing a rigorous methodology to assess and manage cyber-security risk
- Providing training and awareness, either in a classroom or online setting
- Identifying technology solutions to suit any circumstance
- Advising on policies and procedures to manage cyber-security risk
The goal for E&P consulting is to ensure that you receive impartial consultancy and professional advice from an organisation that has successfully released the value of such approaches into Oil and Gas organisations.