The rise of the Industrial Internet of Things (IIoT) and the convergence of operational technology and information technology is leading to more efficient oil and gas production operations.
Networked digital platforms and connected assets, however, potentially open doors for cyber intruders. Unsurprisingly, filling cyber security gaps now ranks highly on the list of concerns for today’s oil and gas leaders.
But is current thinking effective? A lack of cyber analytics technology within the sector means that most oil and gas companies are not fully aware of when or even how cyber attacks might affect them.
In 2015, the Industry Control Systems Cyber Emergency Response Team reported 295 attacks in the US against control systems, with the systems governing energy production and distribution being the second biggest sector hit.
At the end of last year, we surveyed 186 oil and gas company leaders as part of the Accenture High Performance Security Report 2016. While most believed their cyber security strategies could protect their companies’ reputation, information and prevent disruption, when it came to understanding the nature of security breaches and measuring their impact, the survey revealed key contradictions to these beliefs, with 60% of energy leaders saying cyber security is a bit of a “black box”.
The companies surveyed reported an average of 96 cyber attacks over 12 months, with one in three attacks leading to a security breach that was discovered only 62% of the time by firms’ security teams. Even then, detection took weeks for 25% of companies and months for 51%. The rest of the time, other employees and law enforcement officials most often discovered the breaches.
Cyber crime is a multi-billion dollar business, orchestrated on an international level and what we read in the media is only the tip of a very big iceberg. The cyber criminals are constantly adapting and changing their mode of attack and simply to monitor their activity requires analysis of vast quantities of data.
The harsh reality is that a breach in IT systems is a matter of when, not if, for all companies, whatever size or type. Cyber security, therefore, is fundamental for a sustainable operation and making performance gains, but as our research suggests, success must start with re-evaluating our perceptions and re-booting our cyber security strategies.
Are you confident that you have identified all priority business data assets and their location? Are you able to defend your business from a motivated adversary? Do you have the tools and techniques to react and respond to a targeted attack? Do you even practice your response plan as you would a fire alarm or physical emergency?
These are critical questions. Once answered, we can begin to anticipate future threats, build in resilience and nurture a security-minded culture with a clear cut chain of command that fits the specific business operation. Ultimately, cyber security is everyone’s job – from the boardroom to the individual employee – but while there is a dangerous disconnect between perception and reality, no strategy will be wholly effective.
The oil and gas industry is not alone in the fight against cyber crime. Looking at how other industries and organisations have responded when their systems have suffered a cyber attack and in particular how internal strategies were adapted is invaluable. As cyber security matures, collaboration of this kind will be imperative and has to be encouraged.
This is a rapidly changing environment and old ways of working are no longer appropriate for the evolving security threat.
Martin Mackenzie, senior manager and security lead, Accenture Resources