Get to Know the Oil and Gas Sector

Learning Objectives

After completing this unit, you’ll be able to:

Define the oil and gas (OG) sector's expanding digital threat landscape.
Describe the complexities of securing global industrial operating environments.
Explain the importance of operational technology (OT) to guard against cyberattacks.

This module was produced in collaboration with the World Economic Forum (WEF). Learn more about partner content on Trailhead.

Before You Start

If you completed the Cyber Resilience Program Development module, then you already know what cyber resilience is, why we care about it, what you have to do to establish it, and how members of the board can promote and strengthen an organization’s cyber resilience. Now let's dig into this topic a bit more by exploring how it manifests in the oil and gas (OG) industry. As one of the world’s most complex industries makes a multifaceted transition–from analogue to digital, centralized to distributed and fossil-based to low-carbon–managing cyber risk and preventing cyberthreats are quickly becoming critical to company value chains.

The Digital Threat Landscape

The digital revolution and the transition from fossil-based to low-carbon energy sources have jointly transformed the OG industry’s decades-old business model in just a few short years. The OG sector’s future relies on digitalization, the process of converting information into a digital format, to manage a vast network of global energy assets and operations to maximize profits, improve safety, and minimize emissions.

Today, companies control physical energy assets by linking operational technology (OT) with information technology (IT) networks that leverage big data, artificial intelligence (AI), and automation. OT monitors and manages industrial process assets and manufacturing/industrial equipment. IT covers any form of technology–any equipment, service, or technique used by a company, institution, or any other organization that handles information.

These new, pervasive linkages between OT and IT serve as key factors to a more efficient, resilient, and lower-carbon operating model for the energy sector. However, these shifts bring about cyber risks to critical infrastructure, sectors whose assets, systems, and networks are considered so vital to a country that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health, or safety. Since both critical infrastructure and entire supply chains are exposed to cyber risks, cybersecurity is a core consideration of the OG industry’s business model.

To stay ahead of cyberattacks in this rapidly changing industry, OG companies must make sure cyber risk mitigation progresses at the same pace as innovation. Cyber risk is the loss that can occur when a cyber threat affects an asset and results in a material impact on an organization. Cyber risk can be measured as the probable frequency and the probable impact of a loss event.

The key to managing cyber risk is cyber resilience. According to the National Institute of Standards and Technology (NIST), the term cyber resilience refers to organizational resilience against cyber threats with a heavy emphasis on effective implementation of good cybersecurity practices and a continuity of operations plan (COOP). To thrive in today’s threat landscape, executives in the OG industry must continually improve their organization’s cyber resiliency, evaluate new and existing risks, and create a dialogue between board members, corporate officers, and key security professionals.

Board members and corporate officers in the OG industry have an important role to play in promoting cyber resilience at their organizations. Board members are corporate fiduciaries responsible for overseeing management strategies and identifying and planning responses to enterprise-wide risks that affect a company and its value to stakeholders and shareholders. Board members must balance the competitive advantage associated with digitizing their company’s industrial operating environment against greater exposure to cyber threats that seek to disrupt operations.

Corporate officers are accountable for reporting on the organization’s capability to manage cyber resilience. The chief information security officer (CISO) is often the individual within the organization who’s responsible for overseeing the organization’s cyber-resilience program, which aims to protect digital infrastructure against cyber threats and to ensure the continuity of business operations.

With industrial device connections expected to reach 37 billion by 2025, digitalization is rapidly transforming the OG industry from a commodity-based business run on analog equipment into an automated, remotely controlled, and AI-driven industry that makes risk-based decisions faster than ever before. An example of an industrial device connection in the OG industry is sensors that monitor inventory levels of oil tanks and automatically dispatch trucks when the tanks need to be emptied. They also monitor the performance of above-ground pumps to alert maintenance teams of issues, and provide employees with warning signs of safety concerns to prevent injuries and fatalities. Real-time oil tank sensor notifications enable continuous pumping while optimizing inventory transportation and minimizing downtime costs.

An onshore oil tank, a connected truck, and an above-ground pump

At the same time, amidst this digital transformation, malicious actors increasingly view the energy industry as a ripe target to launch cyberattacks for financial, criminal, or geopolitical gain. Yet, many OG companies aren’t accustomed to thinking of themselves as digital companies and therefore lack the cybersecurity technologies, systems, personnel, and protocols to protect industrial operating environments.

Securing Industrial Operating Environments

Cybersecurity in the OG sector is inherently difficult due to the complexity of running a large organization with different businesses, assets, and personnel located all over the world, and working with a complex supply chain of customers and suppliers. The transformation of many OG companies from a state of isolated operational systems to fully integrated businesses has resulted in a complex supply chain and increased interdependencies between upstream, midstream, and downstream businesses.

Such digital interdependence has expanded the impact of potential cyberattacks. What’s more, legacy equipment would not have been built with the security vulnerabilities or interconnectivity needs of modern operating environments in mind, presenting challenges for modernizing the industry’s underlying technology.

Without robust cybersecurity technologies and protocols, companies slow to prioritize the deployment of proper cyber hygiene, and monitoring and defense solutions for vulnerable devices, will find themselves unable to compete with cyber-protected peers who offer reliably and efficiently delivered products and services. In many cases, companies face challenges with cyber hygiene as systems are interconnected but responsibility is siloed or shared across many partners with varied priorities. Many organizations find cybersecurity’s complexity overwhelming, and this is particularly true when needing to secure both OT and IT environments.

Use OT to Guard Against Cyberattacks

To better understand the importance of OT to guard against cyberattacks, let’s look at an example. Erika is a board member at an OG refinery. Unbeknownst to her, over the course of several years, a malicious adversary breached the cyber defenses of the refinery using OT-specific malware to target the safety systems used for OG production. Malware (short for “malicious software”) is a file or code typically delivered over a network that infects, explores, steals, or conducts virtually any behavior an attacker wants.

After going undetected for 3 years by the OG company’s security team, the attackers activated its malware to disrupt the refinery’s safety systems. But when the attack was deployed, an error in the malware caused the plant to shut down instead of causing significant physical damage as intended.

Immediately following the attack, plant security personnel–and third parties–didn’t consider the abrupt shutdown to be a direct result of a cyberattack and, thus, didn’t investigate this possibility as a root cause of the shutdown. With the malware still active, a month later attackers made a second attempt to disrupt the refinery’s safety system, but this time attempted to shut down even more critical infrastructure. Fortunately, the attackers again failed due to a different error. During the proceeding investigation, the plant’s security team requested support from OT specialists to investigate the shutdowns. After the second investigation, security experts found that attackers were manipulating the plant’s OT systems.

Recovering from the security incident to full operation took over 70 days and cost tens of millions of dollars. Attacks like these aren't uncommon and could have been detected with measures in place and with a rehearsed incident response plan in place. Had these measures been deployed, the time lost and the impact of the attack would’ve been significantly reduced.

Adversary errors prevented physical damage in this incident, but board governance can–and should–make organizations more resilient against OT cyber threats to critical safety infrastructure. As a board member, Erika has a responsibility to promote the implementation of this approach to minimize the chances of another incident like this.

Six Cyber Risk Principles for the OG Industry

Where applicable, an organization’s board of directors is the ultimate entity accountable for the safety and security of a company’s financial, legal, strategic, and ethical decisions. For smaller organizations, your applicable cyber leaders can use these principles to improve cyber resilience. Let’s review guidance for board members to help execute their oversight role and obtain actionable insights to improve cyber resilience.

Corporate officers responsible for cyber resilience must clearly communicate to boards why cyber resilience matters for the security, and success, of their organization. This module provides corporate officers and managers with recommended activities to help implement cyber-resilience principles and facilitate communication on the risks with executive board members.

According to the World Economic Forum (WEF), there are six principles that help boards at OG companies mature their approach to cybersecurity. You’ll learn more about these principles in the next unit.

Hai bisogno di aiuto?