Cyber Security series: Oil and Gas industry not immune to risk
17 October 2017
John Hinchcliffe, cyber security specialist
Cyber security has had a lot of media airtime recently – none more so than the recent Wannacry and Petya malware attacks that impacted businesses and organisations worldwide, including our own NHS. Cyber security risks aren’t limited to malware; attacks on supply chains are increasing and this changes how we need to manage our relationships with third parties.
Recent events have made one thing abundantly clear, everyone needs to be aware of cyber security and technology risks and what they can do to manage them.
In this series of blog posts we will discuss some areas for focus and potential issues for the oil & gas (O&G) industry. We’ll look at some case studies and discuss how framing your security against the principles of Identify, Protect, Detect, Respond & Recover can help you stay resilient. Balancing your security measures, protecting the right things and knowing what to do when something happens will position you for the future.
As technology develops there is an increasing level of information technology (IT) and operational technology (OT) convergence – operational control systems are becoming more similar in nature to enterprise IT and are increasingly connected to the corporate environment and the internet beyond. This introduces risk. And we are already seeing this happen right across the O&G value chain – from upstream control systems on production platforms all the way through to card payment systems at the pump.
The drive for convergence is obvious. Data from the operational environment is being used to drive optimisation of production processes and asset lifecycles, from both traditional control systems and new architectures developing in parallel that greatly expand the sensory environment (the ‘Industrial Internet of Things’). Increasingly this decision support relies on performing analytics in the cloud - and changes the way we need to think about technology risk.
In the O&G ecosystem there is a need to think about security more broadly – not just in terms of IT and OT but as these converge, so should the approach to security and risk. Managers of IT cannot assume that OT is protected and likewise the engineers supporting OT cannot assume that IT controls will stop all security breaches at the perimeter.
Both need to work together to provide a secure environment across all systems; any disconnect between OT and IT teams and their support arrangements can exacerbate risks. Operating in security ‘silos’ can mean you lose valuable intelligence and insight. This leaves the organisation open to attackers who don’t care that there are two teams and will exploit any gaps between them.
Research and experience shows us that when businesses are compromised or suffer loss, it’s often because attackers exploited a gap in controls – and in many cases, this gap could have easily been identified and corrected. Like other industries, O&G organisations need to get the basics right. In complex organisations, even getting the basics right can be difficult.
The O&G sector is critical to our economy. As such, it’s vital it has a clear understanding of the risks it is facing, working together to protect the ecosystem. We've produced an infographic (view here on our webpage) that gives an overview of some of the key risks and some of the threat actors which could threaten the security of that ecosystem – we’ll look at some of these in more detail in these blogs.
Next: How you are helping the hackers
Contact: John Hinchcliffe, cyber security specialist
Tel: 07702 699 175