Oil and gas cybersecurity not keeping pace with technology developments

A research report by Ponemon Institute indicates that while oil and gas cybersecurity is strong, the industry is note keeping pace with technology developments and their cyber readiness is not high.

By Gregory Hale, ISSSource March 15, 2017

When it comes to cybersecurity in the manufacturing automation sector, the oil and gas industry has hands down, the strongest security programs across any industry. However, a report by Ponemon Institute survey on "The State of Cybersecurity in the Oil & Gas Industry: United States," commissioned by Siemens, is disconcerting because that security is hollow at the center.

"Cyber is not keeping pace with digitalization in the digital oilfield. It is a problem," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute, which conducted the survey on behalf of Siemens.

"Just 35% of respondents rate their organizations operations technology (OT) cyber readiness as high; 65% did not rate it as high, which is a problem of course. Sixty-eight percent of respondents say their operations had at least one security compromise in the past year, which resulted some case of loss of confidential information or an OT disruption."

To repeat, he said 68% of respondents said they had at least one security compromise in the past year.

"Through data we can act," said Judy Marks, chief executive of Siemens USA. "It has become obvious over time oil and gas industry is a digital enterprise. We are alarmed and concerned when we have almost 70% of oil and gas companies saying they were hacked in the last year.

"We need to protect our systems and protect the supply chain and our clients," Marks said. "In an OT world, while everybody gets comfortable in the information technology (IT) environment, we need this convergence and we need this ability to deal with interruptions be they natural or unnatural, be they insider attacks or other malicious or criminal activity, and we need to be able to encapsulate the technology and the people and processes to respond to this. We believe security analytics will give clients and customers that intelligence.

"Everybody is dealing with heterogeneous systems whether it is in exploration or downstream," Marks said. "We need as an industry to come together to share information more, even with anonymity, to respond to these threats quickly and plan for our future so that the oil and gas energy security for our nation and the oil and gas production and its impact to the economy is not impacted.

Ponemon highlighted eight key findings in the research report:

  1. 59% of respondents believe there is greater risk in the OT than the IT environment and 67% of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.
  2. Oil and gas companies are benefiting from digitalization, but it has significantly increased cyber risks, according to 66% of respondents.
  3. 68% of respondents said their organization experienced at least one cyber compromise, yet organizations lack awareness of the OT cyber risk criticality or have a strategy to address it.
  4. 61% of respondents said their organization’s industrial control systems protection and security is not adequate.
  5. 65% of respondents said the top cybersecurity threat is the negligent or careless insider and 15% of respondents said it is the malicious or criminal insider—underscoring the need for advanced monitoring solutions to identify atypical behavior among personnel.
  6. 41% of respondents said they continually monitor all infrastructure to prioritize threats and attacks. An average of 46% of all cyberattacks in the OT environment go undetected, suggesting the need for investments in technologies that detect cyber threats to oil and gas operations.
  7. 68% of respondents said security analytics is essential or very important to achieving a strong security posture.
  8. Security technologies deployed are not considered the most effective. Sixty-three percent of respondents said user behavior analytics and 62 percent of respondents said hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62% of respondents said encryption of data in motion is considered very effective. Yet, companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48% of respondents) plan to use encryption of data in motion, only 39% plan to deploy hardened endpoints and only 20% will adopt user behavior analytics (UBA). 

Ponemon surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber risk in the OT environment. Most of the respondents report to the head of industrial control systems (19%), head of quality engineering (15%), OT security leader (14%), head of process engineering (14%) and IT security leader (11%). Respondents work in the downstream (30%), upstream (24%), middle stream (17%) or all of these environments in the oil and gas industry (29%).

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineeringcvavra@cfemedia.com.

ONLINE extra

See additional stories from ISSSource about the IIoT linked below.

Original content can be found at Oil and Gas Engineering.