Oil and Gas Security ‘Not Keeping Pace’

Thursday, February 16, 2017 @ 05:02 PM gHale


By Gregory Hale
When it comes to cybersecurity in the manufacturing automation sector, the oil and gas industry has, hands down, the strongest security programs of any industry.

That is why reviewing and listening to Thursday’s webcast releasing a Ponemon Institute survey on “The State of Cybersecurity in the Oil & Gas Industry: United States,” commissioned by Siemens, is disconcerting.

“Cyber is not keeping pace with digitalization in the digital oilfield. It is a problem,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute, which conducted the survey on behalf of Siemens.

“Just 35 percent of respondents rate their organization’s OT cyber readiness as high; 65 percent did not rate it as high, which is a problem of course. 68 percent of respondents say their operations had at least one security compromise in the past year, which resulted in some case of loss of confidential information or an OT disruption.”

To repeat, he said 68 percent of respondents said they had at least one security compromise in the past year.

With some of this information now available, everyone associated with security can at least learn and move forward.

“Through data we can act,” said Judy Marks, chief executive of Siemens USA. “It has become obvious over time the oil and gas industry is a digital enterprise. We are alarmed and concerned when we have almost 70 percent of oil and gas companies saying they were hacked in the last year.”

One response in the survey focused on who respondents thought was conducting the attacks.

In response, 65 percent said the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents said it is the malicious or criminal insider. All of that points to the idea of using monitoring solutions to identify behavior among workers.

“We need to protect our systems and protect the supply chain and our clients,” Marks said. “In an OT world, while everybody gets comfortable in the IT environment, we need this convergence and we need this ability to deal with interruptions be they natural or unnatural, be they insider attacks or other malicious or criminal activity, and we need to be able to encapsulate the technology and the people and processes to respond to this. We believe security analytics will give clients and customers that intelligence.”

“Everybody is dealing with heterogeneous systems whether it is in exploration or downstream,” Marks said. “We need as an industry to come together to share information more, even with anonymity, to respond to these threats quickly and plan for our future so that the oil and gas energy security for our nation and the oil and gas production and its impact to the economy is not impacted.”

Ponemon pointed out eight key findings in this research:
1. 59 percent of respondents believe there is greater risk in the OT than the IT environment and 67 percent of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.

2. Oil and gas companies are benefiting from digitalization, but it has significantly increased cyber risks, according to 66 percent of respondents.

3. 68 percent of respondents said their organization experienced at least one cyber compromise, yet organizations lack awareness of the OT cyber risk criticality or a strategy to address it.

4. 61 percent of respondents said their organization’s industrial control systems protection and security is not adequate.

5. 65 percent of respondents said the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents said it is the malicious or criminal insider — underscoring the need for advanced monitoring solutions to identify atypical behavior among personnel.

6. 41 percent of respondents said they continually monitor all infrastructure to prioritize threats and attacks. An average of 46 percent of all cyberattacks in the OT environment go undetected, suggesting the need for investments in technologies that detect cyber threats to oil and gas operations.

7. 68 percent of respondents said security analytics is essential or very important to achieving a strong security posture.

8. Security technologies deployed are not considered the most effective. 63 percent of respondents said user behavior analytics and 62 percent of respondents said hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62 percent of respondents said encryption of data in motion is considered very effective. Yet, companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48 percent of respondents) plan to use encryption of data in motion, only 39 percent plan to deploy hardened endpoints and only 20 percent will adopt user behavior analytics (UBA).

Ponemon surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber risk in the OT environment. Most of the respondents report to the head of industrial control systems (19 percent), head of quality engineering (15 percent), OT security leader (14 percent), head of process engineering (14 percent) and IT security leader (11 percent). Respondents work in the downstream (30 percent), upstream (24 percent), middle stream (17 percent) or all of these environments in the oil and gas industry (29 percent).


