The best way to mitigate cyber threats

Thursday, May 16, 2019

Richard Holmes, head of cybersecurity services with CGI UK, shares his advice on the best way oil and gas companies can be prepared for the cybersecurity threat today.

As companies focus on digitising every area, from supply chain to the back office to customer interaction, the potential for cyber security breaches grows.

The oil and gas sector is the second-most targeted industry by cyber threats. A recent survey from Siemens found that nearly 70 percent of oil and gas companies have endured security compromises. These breaches have resulted in exposed confidential information and even disrupted operations.

Unlike other industries, there is a broad spectrum of incentives for attackers, and a wide margin of risk for oil and gas companies. In recent years, cyber attacks have increasingly been designed not just to steal or destroy data, or even shut the plant down, but - in rare cases - to trigger explosions or create other dangerous situations, highlighting the sheer power and variety of attacks the oil and gas industry faces when it comes to cyber security.

But recognising cyber security as a risk is one thing: acting on it turns out to be quite another.

Research from CGI found that in 40 percent of utilities firms, the issue of cyber security makes it to the boardroom just twice a year - despite 56 percent of executives believing their IT system security may be compromised within the year.

Like most industries, attackers in the oil and gas sector can be financially motivated - but unlike most industries, attacks can also be motivated by politics, environmental concerns and even espionage between nation states.

Some nation-state attacks can be more disruptive to organisations because it is not immediately known that the attack has occurred, and as a result the impact is long term. Good monitoring can avoid this. Unfortunately, that is rarely the case, as nearly 50 percent of operational technology attacks go undetected.

Attacks can also result in short term disruption, which has the potential to be very costly and challenging to rectify. Pipelines are especially susceptible to attacks as the pipeline networks are often much older. Historically, hackers were able to shut down the gas pipeline networks by interfering with just a few strategic interconnections. As organisations recognise increased cyber security threats, local utility and gas transmission lines are now designed with improved resilience to mitigate such risk.

From a financial perspective, CGI found that following a severe breach, share prices can fall by an average of 1.8 percent on a permanent basis. Investors in a typical FTSE 100 firm would be worse off by an average of £120 million - in extreme cases, breaches have wiped as much as 15 percent off affected companies' valuations.

But it is the prospect of attackers accessing 'the crown jewels' that is most worrying to oil and gas companies. Theft of geological mapping and reserves has the potential to be very damaging to an organisation. While companies have historically looked after themselves, increased integration has meant that they are sharing more and more data with third parties, further spinning the complex web of where data is stored and who has access to it.

All of this considered, energy companies, including E&Ps, pipeline operators and utilities, spend less than 0.2 percent of their revenue on cyber security. With cybercrime on the rise, it is clear that the oil and gas industry has a lot of work to do when it comes to considering and managing cyber risk.


But the question remains, how? It is time for organisations to view cyber security as an enabler, allowing individuals and teams to use technology with confidence and encouraging an agile approach. It is important that organisations adopt a holistic approach to mitigating threat, including:

Appropriate governance: The case for introducing robust cyber governance is undeniable and urgent. Only by asking the right questions can senior executives understand what they know and what they do not know, where there is confidence and where there is not, where plans are prepared and where plans rest on hope. Understand and split responsibilities amongst business information systems, security and operational systems that manage and control production.

Know what can be stolen: knowing what data you have and who has access is vital in maintaining a comprehensive cyber security strategy. What are your major assets, and can they be stolen? Ensure due diligence when vetting third party suppliers and contracts. More importantly, conduct regular risk assessments and third-party audits.

Network monitoring: consistent monitoring is vital to ensuring that if there is a breach, it is addressed as quickly and efficiently as possible. This will limit the time data is exposed and minimise the breadth of damage.

Practice incident response: having an incident response plan in place is not sufficient in preparing for the event of an attack. Companies must also carry out trials and exercises to ensure people are aware of their responsibilities and appropriate actions in case of a breach.

Know the legal and regulatory requirements: the birth of GDPR and other legislation means organisations need to know their responsibilities when it comes to managing their data. The consequence of not doing so can result in additional financial damage in the form of fines, and further reputational damage.

Technology is rapidly evolving, and as we move forward, machine learning and data analytics will continue to evolve the sophistication of monitoring and the prevention of potentially damaging breaches.

In addition to this, there was a recent proposal from the Energy Expert Cyber Security Platform (EECSP), suggesting the European Commission encourage EU energy regions to share information on cyber security, as well as create a cyber response framework for the energy sector.
