A 2016 report by PWC that looked into information security in the oil and gas industry found that cyber-attacks are still rife, despite a 30% decline in incidents compared to the previous year. With an average information security budget of $5.4 million, companies are equipping themselves well for a worst-case scenario.
But is there any truth to the idea that a company’s data, infrastructure and bottom line could all be damaged through cyber attacks alone? This blog looks at the truth about cybercrime in the oil and gas industry and what businesses are doing to protect themselves in the future.
The risk we’re facing, together
PWC’s report highlighted the common types of cyber security breach that companies have experienced and are still experiencing. 42% of survey respondents said they’d suffered from ‘phishing attacks’, the most common type of attack, closely followed by ‘email compromise’ and ‘ransomware’.
It isn’t, however, just the attacks that companies notice that cause the biggest problem. Speaking after the launch of DNV GL’s Cybersecurity Study, a study that focussed on the operators on the Norwegian Continental Shelf, Petter Myrvang, head of Security and Information Risk at DNV GL, said:
“Headline cyber security incidents are rare, but a lot of lesser attacks go undetected or unreported as many organisations do not know that someone has broken into their systems. The first line of attack is often the office environment of an oil and gas company, working through to the production network and process control and safety systems.”
The worst-case scenario
In the instances where security is breached, the possible consequences depend heavily on the malefactors and their aims. Alexander Polyakov, who authored an article for Forbes about cyber security in the industry, has said that “competitors or state-backed hackers are interested in revealing sensitive information. Sabotage, on the other hand, is likely to come from hacktivists.”
Whatever the intentions of the criminals, Alexander goes on to explain three possible worst-case scenarios the industry can experience:
Oil Market Fraud
A cybercriminal could upload a malicious program that dynamically changes the oil stock information of a company - potentially wreaking havoc and leading oil prices to change if the criminal artificially inflates the level of stock.
Tank information management solutions can be hacked, potentially changing the critical values. Increasing the filling limit of an oil tank above its maximum could result in a catastrophic situation.
Remote plant equipment is at risk of data manipulation, including temperature and pressure measurements. A hacker could implant false data showing that there has been a breakdown in the equipment in a remote facility, leading to wasted time and investment investigating the issue.
Process and privacy are key
With such worst-case scenarios and business damage at stake, it is not a surprise that the industry has already responded by implementing initiatives to drive better security through process and privacy.
PWC’s survey asked respondents about their cyber security operational plans over the next 12 months. 62% said that they already had a single leader in place who is responsible for the cybersecurity process in their company. 48% of respondents said they’re performing security risk assessments internally, but only 31% are conducting an inventory of third-party connections.
As for privacy, 39% of respondents said their top initiative is to improve privacy internally with training and awareness. Clearly, companies are beginning to take the issue more seriously, but work is required to fully educate and protect companies in the industry.
Support from European policymakers
2017 has seen the completion of a new report by the Energy Expert Cyber Security Platform (EECSP) - a group that gives guidance to the European Commission on infrastructural issues, security of supply, smart grid technologies and nuclear energy.
The report was quick to highlight strategic challenges and specific needs for cyber security in the energy sector in four key areas:
- Management of risks and threats
- Cyber defence
- Cyber resilience
- Capacity and competences to take action.
The report goes on to propose that the European Commission encourage EU energy regions to share information on cyber security, as well as create a cyber response framework for the energy sector - helping businesses prepare for an attack. These actions, although beneficial to the oil and gas industry, are still to be fulfilled by the European Commission.
The future risks of cyber security
The report by EECSP also flagged the role that new digital technologies are playing within the energy sector as a whole. As data on energy production and monitor demand homogenizes, so too will the physical infrastructure, such as electricity grids and gas transport pipelines, heightening the impact that a cyber security breach could have.
Together with a shift towards working from mobile devices, such as IP-connected process control systems and devices, it is clear that cyber security is going to be more important than ever in years to come.
This is a view shared by Trond Winther, head of the Operations Department at DNV GL - Oil & Gas, who scrutinised the 1,100 survey responses they compiled on behalf of the Norwegian Government and offshore companies in the region.
“As all oil and gas process plants are now connected to the Internet in some way, protecting vital digital infrastructure against cyber-attacks also ensures safe operations and optimal production regularity”.
Detecting threats, protecting data
Here at Claxton, our IT Manager continues to work with our sister companies in the Acteon Group to detect threats early and protect our vital data. But, as they explain, the group as a whole is also looking to protect clients from cyber-attacks.
"Acteon are currently in the process of exploring the use of cyber security technologies to help harden the technology estate across the group, which includes Claxton. The specific areas of focus have been around the end user, in particular next generation anti-virus clients and web & email filtering.”
“The aim is to consolidate and centralise our technologies into single cloud technology platforms that can be utilised by the entire group. This will drive internal efficiency and reduce costs, while greatly improving our ability to prevent and detect existing and emerging threats.”
The importance of cyber security
Cyber security will continue to play a big role in the oil and gas industry as criminals become savvier. The industry, however, is responding with solid budgets, educational initiatives and support from European policymakers to ensure security remains high.
The founding of a cyber response framework for the European energy sector will do a lot to protect those in the economic region, but companies should still look out for themselves and ensure their crucial data and infrastructure are never compromised.