Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Assessing Cyber and Physical Risks to Oil & Gas Sector

It should come as no surprise that the upward trend of larger-scale attacks against critical infrastructure poses substantial cyber and physical risks across the enterprise.

It should come as no surprise that the upward trend of larger-scale attacks against critical infrastructure poses substantial cyber and physical risks across the enterprise. After all, critical infrastructure sectors are categorized as such because, according to the Department of Homeland Security, “they are considered so vital that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:

Unsecure technologies are prevalent

Overall, many ONG companies’ IT & OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.

Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil & Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.

Threat actors are more complex

While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep & Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address. Indeed, actors who target ONG companies specifically tend to be far more sophisticated both in their capabilities and motivations.

State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.

Furthermore, terrorists are another significant concern for many ONG companies – particularly those with operations located in high-risk regions. After all, some jihadist groups have long sought to compromise energy infrastructure in order to disrupt a target country’s economy and further their radical agenda.

Advertisement. Scroll to continue reading.

Damages can be severe

Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.

So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.

Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies. And given the pervasiveness of the numerous factors contributing to cyber and physical risks across the sector, it’s crucial for the ONG sector to recognize and make efforts to address such factors in the name of security. Regardless of sector or business function, safeguarding critical assets, proactively addressing cyber and physical threats, and assessing and mitigating risk accurately and effectively requires a comprehensive understanding of all factors contributing to an organization’s risk.

Related: U.S. Oil and Gas Industry Lagging in Security

Related: Oil and Gas Industry Increasingly Hit by Cyber-Attacks

Related: Cyber Attacks Fuel Spending in Oil and Gas Security

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.