Cybersecurity must be a top priority for the oil and gas industry if firms are to protect the integrity and safety of their business-critical assets. Although these firms operate some of the nation’s most critical systems, securing such complex infrastructure can be a huge challenge.
In recent years, the oil and gas industry has undergone a complete digital overhaul. Historically, industrial control systems were completely detached from their traditional IT infrastructure. However, due to rapid digitisation and the growth of mobile technology, almost every machine is now connected to the internet. Although this advancement enables engineers to remotely maintain machines and analyse production data, it also exposes industrial machinery to network vulnerabilities.
While this digital evolution has greatly improved operational efficiency through analytics, big data and the ability to automate sensitive tasks, it also introduces a whole host of cyber-risks that need to be mitigated. Firms are often faced with a dangerous patchwork of old and new technology. Unfortunately, because these legacy systems were built in a previous technological era, they are simply not designed to be resilient against cyber-threats.
The convoluted process of refining oil involves many different industrial control systems and machines. This means there are multiple gateways for hackers to exploit to gain access to a firm’s internal network. A successful security breach could bring an oil and gas firm to a complete halt. Last year, Petrofac was hit by a cyber-attack which resulted in the complete shutdown of their servers and critical systems. Because firms are completely dependent on digital technology, disruption to these services could result in financial loss, reputational damage and the loss of critical data.
As in most industries, the most common cause of a breach is human error. Malicious attacks can easily spread when someone clicks on a phishing link or inserts a rogue memory stick into a corporate device. A recent study into the sector by EY found that ‘78% consider a careless member of staff as the most likely source of an attack’.
Nonetheless, as the oil and gas industry is dependent on these digital technologies to conduct business, it must ensure they are fully protected by robust security controls. If it fails to do so, the consequences of a cyber-breach could be catastrophic. If a bad actor were able to take control of an industrial system, it could easily develop into a national security risk.
How can the oil and gas industry mitigate these threats?
It is important to remain vigilant and stay one step ahead of cyber criminals. All firms need to have advanced controls in place which allow them to effectively protect, detect, respond and recover from cyber-attacks.
Tripwire and the NIS directive
The NIS directive was enforced in the UK in May 2018 and is supported by the National Cyber Security Centre. The NIS regulation provides the legal footing to ensure that UK firms can effectively manage and contain cybersecurity breaches, have a cybersecurity incident response team (CSIRT) and a national NIS competent authority.
By using Tripwire, oil and gas firms can greatly reduce the time it takes to achieve NIS compliance. Tripwire’s built-in templates can be used to automate tasks which will help firms to:
- Identify, assess, understand and prioritise security risks which threaten the security of their business-critical systems and internal network.
- Have an approach to risk assessment which focuses on the possibility of disruption to your essential services. This will help to understand how a cyber-attack may occur and what the associated risks are for your technology ecosystem.
- Create dynamic and detailed security risk assessments which are constantly updated to reflect new threats and network changes.
- Validate the effectiveness of security controls to ensure networks and information systems remain cyber resilient.
- Record dependencies on supporting infrastructure (e.g. power, cooling etc.).
- Understand the importance of crucial data which is essential for the delivery of service. This includes where it is stored and transmitted as well as how data loss, intrusion or modification would impact business operations.
For more information on the NIS Directive please head to the NCSC website: https://www.ncsc.gov.uk/collection/caf/nis-introduction
If you would like to find out more about securing industrial control systems within the oil and gas industry, Tripwire and Equilibrium Security are hosting a webinar on the 12th of November. Please register your interest here: https://tripwire.me/2VWhX5g
About the author: Amelia Frizzell is a Marketing and Projects Executive at Equilibrium Security Services, a specialist Cyber Security company based in central Birmingham, UK. Amelia graduated in 2015 with a degree in English Literature from The University of Chester. Amelia has always had a passion for creative writing; she currently specialises in SEO, blog writing, social media and web content.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.