We hear the headlines every day: “cyberattacks continue to grow each year in number and sophistication.” We also often hear that the costs of detecting and defending against cyberattacks continue to swell, yet pale in comparison to the costs of recovering from a cyberattack. Despite universal warnings about the dangers of cyberattacks, the response and attention to cybersecurity still differs from sector to sector.
The oil and gas industry, for example, is a sector that historically has not been cybersecurity focused. The oversupply and subsequent downturn in price per barrel has left many companies struggling to stay afloat, and cybersecurity spending continues to be a low priority in 2017 for many oil companies.
This is a potentially devastating mistake. A recent study by Boston Consulting Group found that none of the oil and gas companies surveyed have undergone a comprehensive audit of their value chain, which includes corporate, upstream, midstream, and downstream operations.
The scope of activities within the oil and gas industry’s value chain creates many potential points of entry for attack. It also leaves the industry prone to multiple types of attacks. These include attacks on the industry’s physical infrastructure (such as cutting fiber-optic cables), the disabling of critical systems (through denial-of-service attacks, for instance), and the theft or corruption of information or the prevention of its dissemination.Boston Consulting Group Study
As you can see, given today’s threat landscape, oil and gas is in a precarious position. Adding cybersecurity to this industry is an onerous challenge but achievable if the industry, as a whole, makes a cultural shift towards ingraining cybersecurity into the DNA of the operations of the organization. The first start in this process is recognizing that cybersecurity is paramount to the health and safety of all personnel and the local environments where operations are conducted.
Adding Security to Health, Safety and Environment (HSE)
One of the main challenges within the oil and gas industry is the need for companies to track cybersecurity incidents as Health, Safety and Environment incidents.
Currently, oil and gas companies track incidents, or near misses, that could impact the health and safety of personnel or of the local environment. Cybersecurity incidents and near-misses should likewise be tracked and escalated as HSE events. Additionally, the implementation of this strategy within a larger Enterprise Vulnerability Management (EVM) program can further bolster the integrity of an organization.
By implementing cybersecurity in HSE and a larger EVM program, oil and gas companies can provide greater resources and attention towards the three top IT security issues facing this sector:
- The need for more employee cybersecurity training and awareness testing
The use of mobile technology is huge in oil and gas, particularly in upstream where constant exploration requires constant travel. This need for cyber-awareness equates to the need for organizations to instill the policies and procedures that not only protect mobile computing devices but also portable storage.
- Insufficient cybersecurity process and technology within operations and maintenance
Attention to cybersecurity needs to be at the core of an EVM program. The insufficient separation of enterprise networks and plant networks, of data networks between onshore and offshore facilities, and a total lack of effective vulnerability management software have the industry at a clear disadvantage.
- No focus on cybersecurity with vendors and third-party suppliers
This gap is more than a simple lack of physical cybersecurity personnel at data centers and facilities. It extends to a cultural need for vendors within the oil and gas supply chain to treat cybersecurity as HSE. Attackers can simply attack a comparatively weaker link within the supply chain in order to gain a foothold in the larger organization.
A heightened attention in this area would help update outdated and aging control systems in facilities and provide a view of data that extends beyond the corporate network and into critical vendor networks.
Enterprise vulnerability management
Adding urgency to the need to instill EVM within oil and gas companies are the new technologies on the horizon that will impact this sector in the coming years. Most of these technologies focus on producing cost-effective operational synergies and moving operations to a more digital framework. In short, the data will only grow in size, creating an even larger footprint for attack.
The increase in data will increase the vulnerabilities. It therefore becomes pivotal for oil and gas networks to have a solution like Tenable SecurityCenter Continuous View® (SecurityCenter CV™) which consolidates and evaluates all vulnerability data across an organization and, if properly configured, the entire supply chain.
By prioritizing security risks and providing a clear view of an organization’s security posture, SecurityCenter CV can boost cybersecurity efforts. SecurityCenter CV also offers pre-built, highly customizable dashboards and reports to help oil and gas organizations quantify the effectiveness of their security program. For example, the Qualitative Risk Analysis dashboard can provide a detailed view of an organization’s security posture with CVSS as a base line for analysis.
To learn more about how SecurityCenter CV can help better protect your organization, please visit Tenable Network Security.