It should come as no surprise that the upward trend of larger-scale attacks against critical infrastructure poses substantial cyber and physical risks across the enterprise. After all, critical infrastructure sectors are categorized as such because, according to the Department of Homeland Security, “they are considered so vital that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” This classification applies to 16 different sectors, some of which face greater risks and challenges than others when it comes to security. Oil and natural gas (ONG) is one such sector. Here’s why:
Unsecure technologies are prevalent
Overall, many ONG companies’ IT & OT infrastructures mimic an ongoing trend we’ve seen across all sectors: the widespread presence of security vulnerabilities stemming from the rapid (and often premature) adoption of digital technologies and IoT devices. Similar to how the healthcare sector’s rushed implementation of electronic medical record systems ultimately fueled an uptick in healthcare data breaches, the ONG sector’s continual adoption of increasingly-interconnected industrial control systems (ICS) is expanding the surface area upon which potential vulnerabilities could occur, threats manifest, and attacks transpire.
Even worse, many ONG companies continue to rely on outdated, insecure operating systems and even hardware. A recent Ponemon Institute study on “The State of Cybersecurity in the Oil & Gas Industry” revealed that these issues may be exacerbating the fact that ONG already lags behind many other sectors when it comes to cybersecurity capabilities, readiness, and awareness. Consequently, over 70% of ONG companies have been breached in the last year.
Threat actors are more complex
While most security and intelligence teams are well-versed in protecting their organizations from the fraudsters and cybercriminals responsible for the majority of threats emanating from the Deep & Dark Web, combatting the myriad of malicious cyber and physical actors targeting the ONG sector can create substantial challenges for which many teams may be neither prepared nor able to address. Indeed, actors who target ONG companies specifically tend to be far more sophisticated both in their capabilities and motivations.
State-sponsored actors are one such example. Often driven by political, ideological, and/or adversarial gain, these actors have historically targeted ONG industrial control systems, launched cyberattacks aimed at disrupting the operational continuity of regional ONG entities, and attempted to access and exploit confidential ONG information to support foreign military initiatives.
Furthermore, terrorists are another significant concern for many ONG companies – particularly those with operations located in high-risk regions. After all, some jihadist groups have long sought to compromise energy infrastructure in order to disrupt a target country’s economy and further their radical agenda.
Damages can be severe
Perhaps the most obvious reason for the ONG sector’s increased cyber and physical risks stems from its omnipresent and truly vital role in modern society. Given that oil and natural gas account for the majority of the world’s energy consumption, power international trade, and remain integral determinants of the global economy, any threat that could compromise these resources and/or the systems on which they rely has the potential to yield catastrophic damages.
So what exactly could these damages look like? Past cyberattacks in the ONG sector provide some insight. Following the 2012 attack on Saudi Aramco’s cyber infrastructure, for example, nearly 75 percent of the company’s data was lost and operations – as well as a global oil supply chain – were disrupted for months and yielded lasting economic consequences.
Clearly when it comes to safeguarding critical infrastructure entities, the stakes are high – especially for ONG companies. And given the pervasiveness of the numerous factors contributing to cyber and physical risks across the sector, it’s crucial for the ONG sector to recognize and make efforts to address such factors in the name of security. Regardless of sector or business function, safeguarding critical assets, proactively addressing cyber and physical threats, and assessing and mitigating risk accurately and effectively requires a comprehensive understanding of all factors contributing to an organization’s risk.