Why security is critical to ICT-focused oil, gas and energy industries
Why security is critical to ICT-focused oil, gas and energy industries
Security, both physical and cyber security, is a top priority for any organisation, especially in light of the year-on-year rise in cybercrime. However, for certain industries, not having the proper security measures in place can put more than just the company's reputation on the line. The oil, gas, and energy industries are prime examples of such verticals. There is high adoption of ICT and automation in the energy, oil and gas industry, which has made their processes faster and leaner. However, it has also made them more susceptible to cyber lead attack on the physical and industrial asset.
Cybersecurity in energy, oil and gas industry has seen very sophisticated attacks in recent years which led to the breach of corporate assets, public infrastructure, and safety paving way for disruption, loss of life, reputation loss, and increase in the cost of energy, oil and gas prices.
The oil, gas and energy sectors are reliant on complex networks of pipelines, power stations, power grids and refineries which include a number of valuable assets, some of which can be potentially dangerous if they fall in the wrong hands. From an Information Technology (IT) infrastructure point of view, the complexity only increases. Many of these networks and operations are IT driven; their processes, workflows and procedures dependant on IT systems in order to function and operate optimally.
Securing both physical infrastructure and protecting sensitive data is key. Due to the complexity of these environments, security should be broken down into two components: traditional IT security and all it entails- coupled with industrial data, or cyber security. There is an overlap between the two, as industrial data is merged with IT data - information that is sensitive, highly confidential and must be protected at all costs.
Oil, gas and energy industries are facing several threats. Most oil and gas companies operate offshore in different countries for exploration, refining is known to us as upstream and midstream and hence are prone to attach from state and non-state actors operating in the region or globally.
There is also a higher threat faced by these industries due to their reliance on the third party for a large portion of work, given that they work in remote locations.
There is the enticement for terrorists and similar factions of disrupting, depleting or destroying the supply of critical government resources. Disruptions in energy plants and its operations can sabotage critical Infrastructure functions like railways, airports, plant, smart cities, etc. effecting the city, infrastructure and economy.
Most oil, gas and energy environments are fully digital or electronic today. From access control, to ventilation systems, to shaft lifts and pipeline shutdowns – virtually everything is automated. An attack on systems that control these processes can result in terrible disasters, such as trapped miners, loss of oxygen or gas explosions; all of which puts businesses and lives at risk. Protecting these systems becomes crucial to maintaining the integrity of an organisation.
The smarter organisation gets with their technology adoption, security needs are heightened. IT security measures are critical and need to cover all traditional bases. Everything from endpoint security to network and perimeter security, security within the data centres, advanced threat protection, Identity & Access Management, Application security, Security Intelligence & Monitoring of Operational Technology (OT), IOT, SCADA and industrial security along with IT.
These organisations should consider revisiting their investment in IP cameras; proper access controls which include biometrics, access permissions, ID validation and attendance verification systems; asset management systems, and much more. Ultimately, the security of an organisation is entirely dependent on how much it is willing to invest in top-to-bottom security measures – the higher the priority placed on security investments, the less risk for the business.
All of these measures should be implemented from a central point, for better management as well as to address compliance and regulatory requirements. There is a high level of risk and danger associated with these industries. Everything from health and safety practices, to transport and delivery compliances, to hazardous material handling and employee access rights must be factored into the security strategy. Managing these from a central point allows smoother transitioning between security functions, while giving security teams better track management and monitoring capabilities.
Also with high adaption of Internet of things organisations need to take their security and compliance into considerations. Apart from the critical infrastructure standard and specific industry standard for energy, oil and gas like NIST, CIS, ISO27001/2, PCI DSS, IOT to have standard such as ISA, ISO, IEEE, Fieldbus, Ethernet to name a few.
Energy, oil and gas Industry have also formed consortiums forums for cyber security. Oil and gas companies have formed forums since 2004 like Linking oil and gas Industry to Improve Cyber Security (LOGIIC), a program undertaken by British Petroleum (BP), Shell, Total and Chevron for research and development in the field of cyber security. Similarly, Energy companies have formed a Forum for Incident Response and Security Team (FIRST) which is the coordination body for cyber incident response for Government and Private sectors in around 61 countries.
Although technology enabled, not all players in the oil, gas and energy industries are abreast with implementation of technology. Their focus is typically on delivering sustainable energy solutions to the government and private sectors, as safely as possible.
Due to the complexities involved with compliancy, as well as the high level of technology and associated security risks, obtaining the services of a knowledgeable service provider can ensure that these organisations can focus on what they do best, while it is assured that security is being prioritised by those with the experiences and skills to do so.
Organisations need to constantly review their cyber security plans and strategy in order to be prepared for any onslaught. Organisations in the oil, gas and energy sectors should keep constant tabs on what is happening in the cyber-security and cyber-crime landscape - at all times. This will help them mitigate their risk and potentially avoid becoming targets.
Energy, oil and gas companies can leverage the insights and expertise of security service providers to ensure that they remain in the loop with current happenings. These partners are also able to help them to plan the best possible strategy which offers a 360° view of their security operations, in order to avoid common - and new - security pitfalls.
By Gavin Holme, Country Manager, Africa, Wipro Limited.