Understanding the Types of Risk in the Oil & Gas Industry
Published February 28, 2019 by Karen Walsh
Defined as critical infrastructure, the oil & gas industry increasingly faces cybersecurity risks as nation-state cybercriminals attempt to undermine other countries. The integration of information technology (IT) systems into operational technologies (OT) creates a unique threat to the oil and gas industry that places both the companies and the public at risk.
Biggest Risks Facing Oil & Gas Companies
What risk do Operational Technologies pose?
The oil and gas industry suffers from outdated operational technology that makes securing it difficult. The most recent Ponemon industry report on the sector, released in 2017 and therefore already somewhat dated, found that
- 59% felt operations technology was at higher risk than information technology.
- 68% had operations with at least one security compromise.
- 46% of operational technology cyber attacks remain undetected.
These numbers point to several problems endemic in the industry. First, monitoring IT environments protects data, but it does not shield gas companies from the risks inherent in their operations. Second, more than two-thirds of companies found at least one compromise, and since nearly half of OT attacks go undetected, the true proportion is likely well above that already alarming 68%.
What risks are unique to OT?
Whether implemented in software or hardware, OT monitors or controls physical processes. It is also costly and deeply integrated into a company’s infrastructure.
Industrial controllers, such as programmable logic controllers (PLCs), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems, have a much longer lifecycle. While enterprise IT typically has a lifetime of three to five years, OT often has a fifteen- to twenty-year lifetime.
IT risks can change in the blink of an eye, making existing controls outdated, so enterprises replace IT components frequently to keep them as secure as possible. With the longer expected lifespan of OT, which reflects its much higher replacement cost, that kind of rapid turnover is not possible.
Therefore, the primary risk unique to OT comes from how oil and gas companies use these systems and how long they intend to keep using them.
What risks arise from the Internet of Things?
To monitor OT, more companies within the oil and gas industry rely on the Internet of Things (IoT) to gather data. These sensors, cameras, and embedded analytics systems connect the OT environment with the IT environment.
For example, a natural gas company may need to monitor pressure in the OT environment. IoT sensors monitor the SCADA system’s control of that pressure and then report it to business leadership or to external parties who provide oversight.
However, every point where the enterprise IT network interacts with the OT network introduces cyber risk. Most companies struggle to secure their data environments, and those in the oil and gas industry are no different. Thus, each new IT-to-OT connection created by increased IoT use is a potential security issue.
Where do workforce members increase cyber risk?
While all industries suffer from employee cyber awareness issues, the oil and gas industry’s importance to economic and social stability means that a single careless employee can undermine the entire country.
While this can sound dramatic, a successful social engineering attack against a traditional enterprise leads to financial, reputational, and compliance costs. For a member of the oil and gas industry, however, a successful social engineering attack can dismantle critical infrastructure.
An employee who idly clicks through to the website linked in a phishing email can hand over their user ID and password. With those credentials, a cybercriminal can gain access to every network on which the employee is authorized, including segregated or secured ones. Thus, even segregating the IT and OT networks may not be enough protection if a cybercriminal can obtain the login information.
Why the oil and gas industry needs to engage more cybersecurity professionals
All sectors face a shortage of information security professionals. However, while traditional enterprise IT security remains a continually moving target, it lacks much of the criticality and complexity of security within the oil and gas industry. The overlap between OT and IT means that the industry needs security professionals who can navigate both environments.
Cybersecurity professionals with critical infrastructure experience form a niche within a niche: a limited pool within an already limited hiring pool. Thus, if oil and gas companies can find someone to manage their unique risks, they need to find a way to optimize that person’s time. If they need to hire two different people to cover the differing environments, then the companies need to find a way to ease communication between them.
How to engage the Board of Directors for incorporating cyber risk oversight
News outlets and the public often focus on the environmental risk that the oil and gas industry poses. Thus, many companies choose their Board of Directors based on engineering and financial expertise. Although they understand the importance of cybersecurity, they may struggle to quantify the way cybersecurity risks impact the chemical, environmental, and industrial engineering risks that lead to financial loss.
Thus, the risk management process and the Board’s oversight of it become another overarching risk within the oil and gas industry.
How to mitigate the cybersecurity risks in the oil and gas industry
Mitigating the cybersecurity risks plaguing the oil and gas industry begins the same way other risk management programs start – with conversations.
These interdepartmental conversations need to determine the physical assets and data assets that pose a risk. Enterprise risk mitigation traditionally focuses on software, network architecture, and devices required for business operations. The oil and gas industry, however, adds a second layer of network infrastructure to support monitoring the OT environment. Thus, locating all the points of network risk becomes more complicated.
Even companies that take a security-first approach face complex issues when mitigating these risks. In many cases, oil and gas companies need to segregate their OT networks and keep IT infrastructure data from migrating into the OT infrastructure. To ensure this, they need to operate vendor risk management processes and procedures as well as enforce their patch management processes.
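The two segregation points above (IT traffic reaching OT only through an intermediate zone such as a historian, and a phished IT password not also opening the OT network) can be checked mechanically. The following added example is not from the article or from ZenGRC; the zone names, flow rules and account grants are constructed sample data for a hypothetical plant.

```python
"""Audit two IT/OT segregation properties on a constructed sample policy:
(1) no flow rule connects the IT and OT zones directly (only via the DMZ,
    where the historian that feeds pressure readings to business users sits);
(2) no account is authorized on both IT and OT, so a credential stolen by
    phishing on the IT side cannot simply be replayed against OT.
All zones, rules and accounts below are hypothetical sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    src: str       # zone the connection originates in
    dst: str       # zone it terminates in
    port: int
    comment: str   # human-readable purpose of the rule


def flow_violations(rules):
    """Return rules that cross directly between IT and OT in either direction."""
    return [r for r in rules if {r.src, r.dst} == {"IT", "OT"}]


def shared_account_violations(grants):
    """grants maps account name -> set of zones it may log in to.
    Return (sorted) accounts that are valid on both IT and OT."""
    return sorted(a for a, zones in grants.items() if {"IT", "OT"} <= set(zones))


# Constructed sample policy; the last rule and the last account are the weak ones.
SAMPLE_RULES = [
    FlowRule("DMZ", "OT", 502, "historian polls PLC pressure registers"),
    FlowRule("IT", "DMZ", 443, "business dashboards read the historian"),
    FlowRule("IT", "OT", 3389, "vendor remote desktop straight to SCADA host"),
]
SAMPLE_GRANTS = {
    "ops-engineer": {"OT"},
    "finance-analyst": {"IT"},
    "plant-manager": {"IT", "OT"},   # one password opens both zones
}


def audit(rules=SAMPLE_RULES, grants=SAMPLE_GRANTS):
    """Run both checks and return the findings keyed by check name."""
    return {
        "direct_it_ot_rules": [r.comment for r in flow_violations(rules)],
        "accounts_spanning_zones": shared_account_violations(grants),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```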
Finally, as critical infrastructure, companies also must align controls with increasingly burdensome regulatory requirements and industry standards.
How ZenGRC Enables Risk Management for the Oil and Gas Industry
Oil and gas companies struggle to maintain effective risk management programs, needing an efficient workflow tool to coordinate communication and task management across internal and external stakeholders.
ZenGRC enables companies to prioritize tasks, from alerts to vendor reviews, so that everyone knows what to do and when to do it. This eases the burden of records retention and audit preparation.
With our workflow tagging, a cybersecurity professional in the oil and gas industry can assign roles and tasks to the responsible individuals, enabling stronger review over the activities involved in cyber risk management.
Finally, with our audit trail capabilities, companies can document corrective actions and response activities to prove that they maintained cybersecurity by continuously monitoring the myriad of threat vectors.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.