Study Finds Gaps in Oil and Gas Cybersecurity

A survey of U.S. oil and gas cybersecurity risk managers indicates that the deployment of cybersecurity measures in the industry isn’t keeping pace with the growth of digitalization in oil and gas operations. In a study from the Ponemon Institute, just 35 percent of respondents rated their organization’s operational technology (OT) cyber readiness as high.

The study surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber risk in the OT environment. With most respondents describing their organization as being in the early to middle stage of maturity with respect to their cyber readiness, 68 percent of respondents said their operations have had at least one security compromise in the past year, resulting in the loss of confidential information or OT disruption.

Additional key findings related to readiness, risks and challenges include:

59 percent believe there is a greater risk in the OT environment than the IT environment;
61 percent said their organization has difficulty mitigating cyber risks across the oil and gas value chain;
Only 41 percent of respondents said they continually monitor OT infrastructure to prioritize threats and attacks;
65 percent of respondents say the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents say it is the malicious or criminal insider – underscoring the need for advanced monitoring solutions and critical safety zones to identify atypical behavior among personnel;
61 percent say their organization’s industrial control systems protection and security is inadequate.

With regard to solutions and security practices, the security technologies that are considered most effective are not extensively deployed. Technologies identified as very effective in mitigating cybersecurity risk include: user behavior analytics (63 percent), hardened endpoints (62 percent) and encryption of data in motion (62 percent). But within the next 12 months less than half of organizations represented say they will use encryption of data in motion (48 percent of respondents), only 39 percent will deploy hardened endpoints, and only 20 percent will adopt user behavior analytics.

“The fact that nearly 70 percent of oil and gas companies were hacked in the past year must serve as a call to action,” said Judy Marks, CEO of Siemens USA, which sponsored the study. “As oil and gas producers use digitalization to become safer and more efficient, there is a clear need to bulk up defenses for operational technology, which is even more vulnerable to attacks than the IT environment.”

Read the study online here.

Kylie Bull began her career in television news at ITN in the UK before moving to print journalism. She has been an editor at IHS Jane's for sixteen years, where she continues today, and was recently the managing editor at Homeland Security Today. Bull has reported on a wide variety of security, geopolitical and counterterrorism subjects and has interviewed world leaders such as Russian President Vladimir Putin and UK Prime Minister Theresa May.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.