Energy and cybersecurity

During the US Senate Energy and Natural Resource Committee's hearing last month on the nomination of Rick Perry to be energy secretary, the former Texas governor pledged his support for—and protection of—the Department of Energy and its energy-research efforts (OGJ Online, Jan. 30, 2017).

"My commitment is to support the extraordinary people at DOE working in many important research areas. I'm going to protect all the science, not only about the climate but also cybersecurity," Perry said. "If I'm confirmed, DOE will go to a new level of engagement to find anyone, whether they are private citizens or foreign governments, who are trying to penetrate US security."

With the ever-increasing digitization of the world's data, a strong focus on cybersecurity—particularly by businesses and organizations working in the oil and gas industry—has never been more paramount. The most cautious groups are doing their level best to keep ahead of industry's emerging cybersecurity threats. Findings of a recent research report, however, suggests that companies might not be doing enough.

The report, sponsored by Siemens and independently conducted by Ponemon Institute LLC, was conducted "to understand how companies in the oil and gas industry are addressing cybersecurity risks in the operational technology (OT) environment," it explained.

"According to the findings, the deployment of cybersecurity measures in the industry isn't keeping pace with the growth of digitalization in oil and gas operations," the report said. "In fact, just 35% of respondents rate their organization's OT cyber-readiness as 'high.'"

The report said most respondents, in fact, described their organization as having "low" to "medium" cybersecurity readiness. And 68% of respondents said their operations have had "at least one security compromise in the past year, resulting in the loss of confidential information or OT disruption."

Report findings

The report, issued this month, surveyed 377 individuals in the US who are responsible for securing or overseeing cyber-risk in OT environments.

Most of these individuals report to the head of industrial control systems (19%), head of quality engineering (15%), OT security leader (14%), head of process engineering (14%), and internet technology (IT) security leader (11%). Respondents work in the downstream (30%), upstream (24%), midstream (17%), or all of these environments in the oil and gas industry (29%).

The report made many key findings, including:

• 59% of respondents believe there is greater risk in the OT than the IT environment and 67% of respondents believe the risk level to industrial control systems over the past few years has increased because of cyber threats.

• The oil and gas industry has benefitted from digitalization, but it also has increased its cyber risks, according to 66% of respondents.

• 68% of respondents say their organization experienced at least one cyber compromise, yet many organizations lack awareness of the OT cyber risk criticality or have a strategy to address it.

• 61% of respondents say their organization's industrial control systems protection and security is not adequate.

• 65% of respondents say the top cybersecurity threat is the negligent insider and 15% of respondents say it is the malicious or criminal insider.

• Only 41% of respondents say they continually monitor all infrastructure to prioritize threats and attacks. In fact, an average of 46% of all cyber attacks in the OT environment go undetected.

• 68% of respondents say security analytics is essential or very important to achieving a strong security posture.

• Security technologies deployed are not considered the most effective, with 63% of respondents saying user behavior analytics and 62% saying hardened endpoints are very effective in mitigating cybersecurity risks.

"Cyber attacks in the oil and gas industry can have potentially devastating consequences for the economy and national security," said Larry Ponemon, chairman and founder of Ponemon Institute.

Judy Marks, Siemens USA chief executive officer, noted, "The fact that nearly 70% of oil and gas companies were hacked in the past year must serve as a call to action."

This call to action should be heeded, and taken most seriously, if the US is to become the energy powerhouse it was destined to be.