A significant majority of oil and gas companies have reported a serious security breach or incident in the past year, according to a new report. This comes at a time when the safety of critical infrastructure facilities is under renewed scrutiny following a series of attacks and government warnings.
The Ponemon Institute conducted the survey of security in the oil and gas industry, which is based on the results of 176 people responsible for cybersecurity within companies based in the Middle East. Siemens, which sells products and technology into that market, funded the study.
The results come less than a week after the US Computer Emergency Readiness Team (US-CERT), along with the FBI and the Department of Homeland security, issued a warning that charged several Russia-based group with hacking into several critical facilities, including oil, gas and other energy firms. (See FBI & DHS Accuse Russia of Hacking Critical Infrastructure.)
The Ponemon study found that there were a significant number of security incidents in the oil and gas industry, which researchers defined as disruption to operations in the operational technology (OT) environment or the loss of confidential information.
Of those surveyed, 11% reported that they had experienced more than 10 OT network intrusions, which is three times the global average. Not only that, nearly half of the respondents believe that they may not be aware of all breaches that have occurred.
The specifics of the OT environment weighed heavily on the participants in the study. Two-thirds of those interviewed believe that the risk of attack has grown on OT over the last several years. In addition, 60% report that the risk to OT is greater than the danger posed to traditional IT systems.
The respondents report that there are certain items that are most at risk from these incidents, including exploratory information, production information, potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data that is collected by sensors.
The top cybersecurity threat for 68% of those surveyed was a careless or negligent insider, as opposed to 21% believing it was a criminal or malicious insider.
Respondents also attribute the cyber risk their organizations face to uncertainty about the cybersecurity practices of third parties in the supply chain and the difficulty in mitigating risks across the entire oil and gas value chain.
Additionally, respondents report that the primary reason that their organizations are at risk is a lack of cybersecurity awareness and training among employees. Other important factors that they perceive are a limited cybersecurity culture among their vendors, suppliers and contractors, as well as the use of standard IT products that have known vulnerabilities in the production environment.
The OT companies seem to realize they are at risk.
However, only 27% of respondents expressed confidence in their ability to assess cybersecurity risks and allocate the resources necessary to address those concerns. Overall, a third of their cybersecurity budget is directed at protecting OT environments.
Only 39% of respondents plan on hardening the endpoints of their systems, and 20% report that they plan on adopting analytics solutions over the next year.
Organizations that adopt a risk-based and compliance-based approach to their OT security programs have the best chance of keeping their OT operations both secure and running without problems, the study found.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.