Regulatory & Compliance Issues in the Oil and Gas Industry
What is the security status of the oil and gas industry?
According to the Department of Energy's 2018 multiyear plan, nation-state actors increasingly target energy industry infrastructure. According to a 2015 Director of National Intelligence report, cybercriminals were working to find ways to remotely access industrial control grids. Focused cyber attacks on critical utilities include probes, data theft, and new malware. According to the Department of Energy, the 2015 average annual cost of cybercrime to the energy and utility industries was $27.62 million. In February 2017, the Ponemon Institute released The State of Cybersecurity in the Oil & Gas Industry: United States. The key findings, based on 377 individuals responsible for security in the oil and gas industry, included:
- 35% rated their operational technology environment as cyber ready.
- 68% had operations with at least one security compromise.
- 59% felt operations technology was at greater risk than information technology.
- 67% believe industrial control systems risks increased over the past few years.
- 61% felt their industrial control systems protection and security was inadequate.
- 65% felt insider negligence posed the largest security threat.
- 15% felt malicious or criminal insiders posed a risk, minimizing the importance of advanced monitoring.
- 41% continually monitor all infrastructure.
- 46% of operational technology cyber attacks remain undetected.
- 68% felt security analytics helped achieve a stronger security posture.
What exploits and security breaches threaten the oil and gas industry?
New trends in digitizing the energy sector also increase the likelihood of cyberattacks. For example, the industry increasingly connects smart gas, water, and transportation using the Internet of Things (IoT). Simultaneously, the oil and gas industry's supervisory control and data acquisition (SCADA) systems use outdated, insecure software. Attacks on the operational technology environment remain undetected, thus disrupting operations for longer periods of time. Lack of awareness directly correlates with infrastructure security tasks remaining incomplete, and this lack of awareness leads to a vicious cycle of non-investment in infrastructure security. Overall, the data most at risk appeared to be exploratory information and production information.
How digitization of the oil and gas industry increases security risks
From an IT security standpoint, increased digitization is a primary reason that most oil and gas companies are at risk. Although they need to update operational technology to integrate with IoT, many use insecure legacy systems. The movement to digitize also increased the number of vendors integrated into the supply chain, increasing the risks. Integrated into operations in the 1960s, supervisory control and data acquisition (SCADA) systems enabled the oil and gas industry to efficiently manage production processes. SCADA systems enable companies to control and monitor their operational technologies by using sensors to collect and transmit data. SCADA systems remain embedded in the oil and gas industry due to their historical use. However, SCADA systems, which work well for enabling operational technologies, were not intended to connect to information technology networks. Thus, they often do not incorporate the security features needed to protect against external intrusions.
What are the security problems with connecting operational technology and information technology?
The primary security issue arising out of these connections lies in the number of vendors used to enable business solutions. The increasing sophistication of ransomware combined with cybersecurity gaps makes the Industrial Internet of Things (IIoT) and its connection to Industrial Control Systems (ICS) problematic. As evidenced by 2017's WannaCry and the continued evolution of ransomware through 2018, malicious actors will likely focus on industrial ransomware attacks. Nation-state actors look to control global politics through fear, while the rise in daily technology use makes the energy sector more critical overall. For example, as more individuals and businesses use smart home technology to control heat, the oil and gas sector becomes a greater target. While traditional IoT remains a security issue, even more risks face IIoT. Media outlets increasingly scrutinize smart home technology but do not apply the same level of scrutiny to IIoT, likely because they do not know it exists. Therefore, as IIoT technologies connect the operational industrial network to the IT landscape, they create a weak point in the cybersecurity protections, effectively a backdoor for hackers.
How to effectively secure the IIoT and IT environment connection within the oil and gas industry
The first step to better securing the oil and gas industry comes from engaging in a risk mitigation strategy. Increased vendors and technology use add to the complexity of securing the operational and information technology environment. Understanding the vulnerabilities and risks allows oil and gas companies to begin the process of risk mitigation. IIoT vendors who enable information sharing across and between the operational and information technology environments access critical data and systems. Their vulnerabilities and risks translate directly to the oil and gas sector's stability. Some suggestions to help secure the IIoT, IoT, operational, and information data landscapes include:
- Create a list of information assets
- Create a list of all applications and systems that connect to your IT network
- Create a list of all vendors
- Define risks to the IT environment, including software, systems, networks, devices, and vendors
- Review Service Level Agreements to maintain supply chain security
- Establish controls that protect systems, networks, and applications to mitigate risks
- Continuously monitor the IT environment to ensure ongoing control effectiveness
How ZenGRC Eases Security-First Compliance for the Oil and Gas Industries
Taking a security-first approach to compliance enables the oil and gas industries to better protect their operational and information technology environments. However, documenting continuous monitoring efforts remains a pain point. After establishing controls to mitigate threats to the data environment, companies need to map those controls across the various frameworks and regulations. For example, mapping controls to both NIST and ISO 27001 becomes time-consuming if done manually.
ZenGRC's System-of-Record makes collecting audit information easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes. For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and the portion of controls mapped to a particular framework. ZenGRC's streamlined workflow shows task managers the date on which a vendor provided a response, along with its status. These details mean that compliance managers no longer need to spend time following up with the organization's many vendors. GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring. For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.