Cyber Attack Resilience in Oil and Gas
The energy sector is no stranger to a cyber attack. For many American families and businesses, the most personally disruptive incident in recent memory came in May 2021 with the ransomware attack that shut down the Colonial Pipeline, a major U.S. oil and gas pipeline responsible for supplying nearly half of the East Coast’s petroleum.
With industrial device connections expected to reach 37 billion by 2025, digitization is rapidly transforming the oil and gas industry from a commodity-based business run on analogue equipment into an automated, remote-controlled and artificial intelligence (AI)-driven industry that makes risk-based decisions with internet-like speed. This rapid pace of digitalization comes at a cost, however; as oil and gas companies digitize operations, they simultaneously expose their companies to cyber risks.
Malicious actors increasingly view the energy industry as a ripe target to launch cyberattacks for financial, criminal or geopolitical gain. Recent studies from IBM indicate, the volume of attacks against operational technology-connected assets increased over 20 times from 2018 to 2019. Further studies from the IBM Security and Ponemon Institute show the average energy sector data-breach cost has risen more than 13% since 2019, to $6.39 million – a higher cost than the global average of $3.86 million.
To prepare for the new normal of more frequent and sophisticated cyber attacks on energy and critical infrastructure, energy sector CEOs and corporate board members must take the best practices and key lessons learned from a decade of both successfully addressing – and learning from – the failures of addressing cyber risk.
The World Economic Forum (WEF) boils down current best practices principles in a useful publication titled Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers. Oil and gas industry leaders looking to address cyber attack risks will find guidance on how to implement key recommendations within their organizations and how to level up security practices throughout the value chain and the broader energy ecosystem.
The WEF’s six cyber resilience principles for oil and gas infrastructure are drawn from the shared real-world experience of leading companies in the oil and gas sector, to include:
- Cyber resilience governance – Cybersecurity efforts count on broad participation within an organization. Aligning efforts and setting clear accountability are fundamental to success.
- Resilience by design – Including cybersecurity as a design parameter and as part of corporate culture helps improve outcomes.
- Corporate responsibility for resilience – Recognizing that sophisticated, frequent threats are likely to continue or escalate, organizations should be examining their cyber risks, and taking responsibility for managing those risks.
- Holistic risk management approach – As with other risks, managing a cyber attack requires a mandate, funds, resources and accountability. In the oil and gas sector, it’s especially important to discover and mitigate risks to all parts of the value chain, so that one weak link doesn’t bring production to a halt.
- Ecosystem-wide collaboration – Weak links in defenses may lie outside of an organization. Intentional efforts to share cyber threat information, use best practices and improve cybersecurity maturity across the whole sector help industry-wide stability.
- Ecosystem-wide cyber resilience plans – Recognizing that a cyber attack could continue to occur, organizations should build resilience plans to help mitigate damage from those that succeed in whole or in part. Cybersecurity exercises enable defenders to test and improve defenses – including how they will cooperate with other industry partners.
Oil and gas sector leaders will need to build cyber resilience into their organizations and partnerships to continue providing reliable, timely fuel deliveries to their customers in a future full of cyber threats.