When the HMS Dreadnought was christened in 1906, it became the defining military force of the early 20th century. Suddenly every major power had to have its own dreadnought, as they came to be called, and they became a source of national pride in Great Britain, giving rise to the “We want eight, and we won’t wait!” slogan.
“The Admiralty had demanded six ships; the economists offered four; and we finally compromised on eight,” said then Home Secretary Winston Churchill.
17th February 1906: The most powerful battleship in the world, the HMS ‘Dreadnought’ at its launch … [+]
Getty Images
There was just one problem with the most-feared military weapon in human history: It was incredibly vulnerable to attack. All the armor anticipated attacks from other ships, leaving dreadnoughts dreadfully slow and exposed to attacks in the pre-airpower era from mines, torpedoes, submarines, and even frogmen.
A similar dynamic is in play right now with the oil and gas industry’s posture toward cybersecurity. The industry is clear on the threat landscape: an attacker can remotely freeze operations to extract ransom, inflict financial damage, access proprietary data, harm reputation, jeopardize personnel safety, or even, as was the case with Saudi Aramco, unleash terrorism.
In fact, one of the greatest threats to the energy industry is its lagging cyber resilience performance. Compared to cyber security leaders in other industries, oil and gas players are nearly four times worse at stopping targeted cyberattacks, four times slower at finding breaches, three times slower when fixing them, and half as effective at reducing their impact. For example, other industries reported 83% of breaches as having minor or no impact, while in energy fewer than 60% of the breaches did; and while 96% of cross-industry leaders plugged their breaches in 15 days or less, only 51% of energy players could do the same.
The problem is that the oil and gas industry is deploying Internet of Things technologies at an unprecedented rate, increasing the attack surface to potentially vulnerable industrial environments in distributed upstream, midstream, and downstream assets. There are sensors literally everywhere along the value chain, each one presenting another threat vector to IT and OT networks that has been compounded by the increase of remote connectivity during the pandemic and the enhanced integration of OT with IT platforms as companies utilize operational data to streamline their value chain.
While it is true that increased connectivity during the pandemic impacts all industries, the oil and gas sector finds itself particularly vulnerable to cyberattacks because the security priorities are not just different in the oilfield versus the headquarters but in fact are contradictory. In an IT system, the ladder of priority for cyber security is confidentiality, integrity and availability. Whereas, in an OT system – such as at the well-site – the ladder is flipped: it is safety, availability, integrity, and confidentiality. Put another way, the people drilling for oil aren’t collecting personal data, so they prioritize safety, not confidentiality, making OT systems softer targets for cyber criminals.
Oil and gas executives are beginning to respond accordingly. In an Accenture survey, 61% of oil and gas companies said that cybersecurity was their top investment in digital technologies ahead of AI and data analytics, a 49% increase from three years ago. This growth in spending on cybersecurity is encouraging; however, it’s not yet working. What’s needed isn’t just spending more money on cybersecurity. What’s called for is a holistic approach to security that takes into account the entire operation.
The solution begins with re-platforming by migrating data to the cloud, which is as much a business imperative as a security one. Advocating a data migration to the cloud as a means of increasing security may sound counterintuitive. But it’s only by securing the data infrastructure in the cloud that the industry can continue accelerating its digital transformation, increase its investment in intelligent design and keep afloat in a minefield of hidden security threats.
Next, the security of operational and information technologies needs to be integrated and synchronized. Too often, OT and IT are not considered together. Moreover, OT cybersecurity often is left up to the plants and refineries leading to a distributed and sometimes fragmented response to cybersecurity.
If IT and OT security are siloed, an oil and gas company will be slower at identifying threats, much less preventing them. A bifurcated security posture compounds the difficulty in creating effective incident response procedures, contingency plans, and attack simulations, turning the Internet of Things into the Internet of Threats. If the industrial control systems are connected and optimized along with IT infrastructure, companies will be better able to protect critical processes without exposing operations.
Being able to see the whole data landscape – both above and below sea level, if you will – allows firms to actively and accurately monitor threats and defenses in real time, as well as to collect cyber threat analytics.
Last, as the recent events of the SolarWinds
SWI
Like the dreadnoughts of yore, unseen attacks aren’t just a threat but a constant reality for oil and gas companies, the energy grid, and regulatory agencies. Despite the increasing cybersecurity attacks on the oil and gas industry, it lags other industries in cyber resilience. This needs to change, and fast. Otherwise, oil and gas companies will keep getting torpedoed by attacks they don’t see coming.
