The growing value of business data, the vulnerability of networked systems, and the importance of fuel infrastructure have made oil and gas companies major targets for malicious hackers. Already, the industry has been the victim of several high-profile attacks. The Colonial Pipeline hack compromised the business’s networks, shut down its operations, and deprived the East Coast of a pipeline that supplies nearly half the region’s fuel.
Oil and gas companies need to invest in cybersecurity and quickly. Otherwise, some of the nation’s most important infrastructure could be left wide open to future attacks.
Cyber Threats Facing the Oil and Gas Industry
Significant changes to oil and gas systems have made companies much more vulnerable to cyberattacks over the past few years. Ongoing digitization in the industry and a transition away from centralized systems to distributed management strategies have made managing cyber risks essential for oil and gas.
Many businesses rely on weak cybersecurity strategies such as air-gapped systems, which are computers that are not connected to the Internet. In some cases, systems that were erroneously assumed to be air-gapped became easy targets for attacks.
While these strategies have never provided a strong defense against attacks, they may make companies especially vulnerable as time goes on. Legacy systems that were never intended to be easily accessible are now connected to the internet for visibility and maintenance purposes, closing the IT-OT gap for the industry.
Internet-connected systems and smart devices, which are increasingly common in heavy industry, help oil and gas companies to gather real-time data on field operations, improve maintenance, and increase vehicle fleet visibility. They also further increase the attack surface of company networks.
These systems may also store an immense amount of information about oil and gas apparatuses. A predictive maintenance tool that uses data from IoT sensors may include details such as the type of metal plating a machine uses to correctly predict machine wear, corrosion resistance, and conductivity.
All this information could be available to attackers who successfully breach a company’s cyber defenses.
Investment in smart technology and digitization are also accelerating, meaning that difficulties in securing these systems are likely to become harder to manage. Effective cybersecurity for oil and gas will be increasingly necessary as a result.
The Growing Cybersecurity Talent Gap May Create Additional Problems
Waiting to invest in cybersecurity could create challenges soon. There is a major shortage of cybersecurity professionals, and industry leaders believe the labor gap isn’t likely to shrink any time soon. The shortage is on track to worsen over the next few years, partly because many other sectors across the economy are struggling with their own new cybersecurity challenges.
If oil and gas businesses do not act now, they’ll only become less likely to hire the professional talent needed to develop strong cybersecurity policies and in-house security tools.
What Poor Cybersecurity Could Mean for the Industry
We already have a sense of what dangers the industry faces — and the potential consequences when hackers succeed.
The Colonial Pipeline carries 2.5 million barrels every day – around 45% of the East Coast’s gasoline, diesel, and jet fuel. After a ransomware attack targeting the company, the pipeline was offline for six days. Normal operations did not fully resume until another three days had passed.
As a result, the average national cost for gasoline rose to the highest point in six years, with prices rising between six and 19 cents per gallon. The company paid 75 bitcoin, approximately $4.4 million at the time, in ransom to the hackers.
Future attacks could have a similarly devastating impact — raising gas prices, threatening fuel supply, and significantly disrupting normal operations.
How the Industry Can Develop Cyber-Resilience
Each business in the oil and gas industry faces unique risks and will need to adopt some business-specific cybersecurity policies as a result. However, some commonalities will allow companies to take some of the same steps to strengthen their cyber defenses.
These principles and best practices will be essential for oil and gas companies wanting to modernize their cyber defenses and prepare for future threats.
1. Company-wide Cybersecurity Strategies
Effective cyber defenses require complete company buy-in. As IT and OT become more tightly linked and digital transformation connects business systems, siloing cybersecurity operations becomes risky.
Business governance models should facilitate business-wide collaboration that reduces the risk of isolating the cybersecurity team. Regular reviews of company structure and governance regarding security can help managers, owners, and company board members determine if their approach is working well.
2. Adopt Security as a Design Principle
Oil and gas systems should be designed with cybersecurity in mind. Security experts should be involved in new projects from the very beginning to ensure potential risks are considered at every step of the process.
All departments should be aware of potential threats and understand their own responsibilities regarding cyber-risk management.
3. Support for Business Cybersecurity Operations
A holistic risk-management approach should ensure cyber-resilience programs have the necessary resources, funding, access, and oversight to operate effectively. Standardized documentation and risk assessment processes will help businesses ensure cybersecurity operations are reported in a way that makes them easier to fund and sustain.
4. Collaboration and Information Sharing
Industry-wide collaboration, especially internationally, will become essential. Sharing threat information, discussing best practices, and collaborating with business partners will help oil and gas companies develop more effective cyber defenses.
Participating in conversations, becoming willing to collaborate with cyber professionals from other businesses, and working toward industry standards on policies will help the industry better prepare for threats.
The use of risk frameworks like the NIST Cybersecurity Framework or the ISO 27000 standard for information security could be an effective starting point.
Preparing Oil and Gas for Coming Cybersecurity Threats
The oil and gas industry faces mounting threats from cybercriminals. The cost of a successful breach is high, so businesses should act fast to develop effective security practices. A company-wide approach that encourages security as a design principle and facilitates collaboration will help businesses identify new threats and build secure systems.
About the Author: Emily Newton is the Editor-in-Chief of Revolutionized, an online magazine celebrating innovations in industry, science and technology.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.