They say that the first step to recovery is admitting you have a problem. Some of the studies that have been coming out lately with regard to industrial cybersecurity seem to be geared primarily toward discovering perceptions. But if the perception is that there’s a problem, chances are that industry is more likely to take the steps necessary to do something about it.
In some of the latest findings, oil and gas cybersecurity risk managers reveal their concerns: Deployment of cybersecurity measures isn’t keeping pace with the growth of digitalization in oil and gas operations. Only about a third of those responding to a study from the Ponemon Institute rated cyber readiness in their organization’s operational technology (OT) as high. And 66 percent say that digitalization has significantly increased their cyber risks.
In fact, 68 percent of the respondents said that their operations have had at least one security compromise in the past year resulting in the loss of confidential information or OT disruption. “We are alarmed and concerned when we have almost 70 percent of oil and gas companies basically admitting that they were hacked in the past year,” said Judy Marks, CEO of Siemens USA, which commissioned the study.
The study surveyed 377 U.S.-based individuals responsible for securing or overseeing cyber risk in the OT environment, including upstream, midstream and downstream applications. Some two-thirds of them say the risk level to industrial control systems (ICSs) has substantially increased over the past few years because of cyber threats, and 61 percent say their ICS protection and security is inadequate.
Much of this has to do with outdated and aging control systems, which 63 percent of respondents say is putting their facilities at risk. Using standard IT products with known vulnerabilities in the production environment adds to this risk, according to 61 percent.
Only 41 percent of respondents say they continually monitor all infrastructure to prioritize threats and attacks. An average of 46 percent of all cyber attacks in the OT environment go undetected.
The OT environment overall is at greater risk than the IT environment, according to 59 percent of those surveyed. Marks sees this as a key reason for closer alignment between OT and IT. “We are an operational technology company, and we use what we sell and sell what we use,” she says. “In an OT world, while everyone gets comfortable in the IT world, we need this convergence.”
As important as oil and gas organizations are to national security, the top threats are seen as coming not from outside forces but from within—65 percent of respondents say the top cybersecurity threat is the negligent or careless insider, and 15 percent say it is the malicious or criminal insider.
“Be they insider attacks or other malicious or criminal activity,” Marks says, “we need to encapsulate the technology and people and processes to respond to this.”
Technologies identified as very effective in mitigating cybersecurity risk include user behavior analytics (63 percent), hardened endpoints (62 percent) and encryption of data in motion (62 percent). Unfortunately, those security technologies aren’t extensively deployed, according to survey findings. Within the next 12 months, fewer than half (48 percent) of organizations represented say they will use encryption of data in motion, only 39 percent will deploy hardened endpoints, and only 20 percent will adopt user behavior analytics.
“Cyber attacks in the oil and gas industry can have potentially devastating consequences for the economy and national security,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “We hope the findings of this research create a sense of urgency to make the appropriate investments in people, process and technologies to improve the industry’s cyber readiness.”
Marks urges more cooperation within the oil and gas industry. “We need to share more information so we can respond to these threats quickly,” she says, “so oil and gas production and its impact on the economy are not impacted.”
For more information, read “The State of Cybersecurity in the Oil and Gas Industry: United States.”