Oil and gas firms face formidable cybersecurity risks and privacy concerns. Their importance to the global economy makes them a prime target for hackers and other malicious actors.
Moreover, the design of drilling facilities has become enormously complex, with industrial controls and Internet-enabled systems intersecting. That gives rise to many more possible attack points that must be secured and monitored at all times.
Oil and gas facilities are governed by numerous national security regulations because they qualify as critical infrastructure.
Under the Pipeline Security Guidelines, developed and managed by the Transportation Security Guidelines, oil and gas concerns must inventory their operating technologies (defined as systems that control and monitor physical equipment). All cyber-enabled OT is deemed critical infrastructure by the Department of Homeland Security, and should therefore implement the NIST Cybersecurity Framework for Critical Infrastructure.
As employers, oil and gas companies also have all the usual regulatory obligations around personal data (HIPAA, Gramm-Leach-Bliley, GDPR), plus security risks for corporate financial and operational data not related to pipeline operations (intellectual property, for example).
Both the pipeline industry guidelines and the NIST critical infrastructure guidance include steps such as risk assessment, response planning, mitigation, training, and protective technology to keep critical assets as far from threats as possible.
For security officers building a compliance strategy, those obligations translate into several practical steps that a compliance management system will need to deliver. Among them:
Inventory all the systems that control physical assets, and their connectivity to the rest of the IT infrastructure
Assess the starting security posture of their own systems and any third parties they use
Identify security gaps they must fill to meet regulatory requirements
Establish mitigation steps that might be necessary, and assign them to control owners
Monitor usage of IT services to see whether new third parties are on the network
Conduct any new risk assessments that might be necessary as new regulations emerge.
As a cloud-based solution, ZenGRC deploys simply and quickly (six to eight weeks) even across a large enterprise. It provides a unified platform to manage controls across multiple frameworks, and a dashboard to let CISOs monitor key performance indicators for compliance and IT security efforts.