Technological advances have greatly improved the capabilities of oil, gas and utility companies to produce, distribute and manage energy, but these advances come with risk. The more these entities rely on remote wireless and wired network technologies, the greater the threats they face from cyberattackers who want to compromise their information systems.
From terrorists intent on attacking U.S. critical infrastructure, to organized crime syndicates, corporate spies and governments working to steal valuable exploration data and technology, the energy and utility industries face a wide variety of threats. These threats have grown significantly in recent years, in most cases outpacing the industries’ defensive capabilities.
The climate is more dire than ever, and energy and utility companies must take new steps to defend themselves.
The Danger, by the Numbers
According to PwC’s Global State of Information Security Survey 2015, cyberattackers have made a prime target of the oil and gas industry: In 2014, the number of detected security incidents hit 5,493, while the estimated total financial losses associated with these attacks amounted to $4 million per incident — and this is based only on what has been reported.
Power and utilities haven’t fared much better. The PwC survey indicates that the number of detected incidents in these sectors skyrocketed from 1,179 to 7,391 between 2013 and 2014.
Cyberattacks aimed at the energy sector not only target proprietary information, but can also harm reputations, production processes, websites and critical infrastructure.
Last year, Bloomberg reported that the 2008 explosion of an oil pipeline in Turkey resulted from malicious software injected into its control network. And in 2013, cyberattacks on the nation’s power grid made up more than half of the incidents reported to the Department of Homeland Security, a Department of Energy memo states.
What Can Be Done?
To address the threat of cyberattacks, the Federal Energy Regulatory Commission approved industrywide reliability standards that provide a cybersecurity framework for critical power grid assets.
The Transportation Security Administration also put forth a set of pipeline security guidelines that cover basic security policies, physical access controls for cyberassets, user authorization and other measures. But because the TSA has not yet mandated compliance, the onus is on gas and oil companies to remain diligent, though eventually Homeland Security is expected to put a regulatory structure in place.
Shouldering the Security Burden
In the current cybersecurity environment, companies should consider how they will respond when — not if — they suffer a network breach. Risk mitigation should be a primary objective, but it’s not one they have to achieve on their own.
A security partner can help oil, gas and utility companies get a true picture of their current security controls and how they can strengthen their security posture. A partner can offer services such as network monitoring and even penetration testing, in which white-hat hackers attempt to infiltrate corporate networks to identify hidden vulnerabilities.
While insights drawn from such third-party services go a long way to help businesses strengthen their cybersecurity efforts, energy leaders should be aware of the ramifications. Stricter controls can present new challenges for workers, who want technology to increase the ease, efficiency and safety of everyday operations. Oil, gas and utility leaders should prioritize better training and communication to bridge that divide and create a secure IT and OT environment that works for everyone.