Although U.S. oil and gas companies have so far avoided devastating data breaches, cybercriminals are growing bolder. During an average month, for example, a company like ExxonMobil now blocks more than “64 million emails, 139 million internet access attempts and 133,000 other potentially malicious actions.”
But many attacks are still getting past the defenses. Between 2011 and 2015, the U.S. Department of Homeland Security registered more than 350 incidents at energy companies. An equally troubling statistic: The department has identified nearly 900 security vulnerabilities within U.S. energy companies, a figure higher than that for any other industry.
A long haul awaits
Part of this is the inevitable pain caused during a tech transformation. Many oil and gas companies still use outdated and aging control systems in their facilities, which may also have nonstandard equipment and potentially insecure technologies.
A recent Houston Chronicle investigation into the cybersecurity readiness of oil and gas installations along the Gulf Coast led to the shocking revelation that many facilities still run Windows XP on their computer systems. Others were found using Windows predecessors that date back to the 1990s. And "in rare cases, a few still use MS-DOS, the precursor to Windows," the newspaper reported.
There’s no doubt that the sector will benefit from digitization. Companies in the sector that successfully employ automation enjoy significant bottom-line improvements. But the scramble to retrofit decades-old infrastructures will take time. Many of the devices that automate processes within oil and gas installations were designed in earlier eras before the advent of online threats. What’s more, the myriad of more modern devices and sensors being added also risks introducing new vulnerabilities into the system.
When the Ponemon Institute surveyed oil and gas cybersecurity risk managers for its 2017 report, some 68 percent said their companies had suffered at least one security compromise in the past year involving the loss of confidential information or the disruption of their operations. In addition, 66 percent of the respondents expressed concern that digitization had made them more vulnerable to security compromises.
Only 35 percent of the respondents in Ponemon’s survey rated their organization’s cyber readiness as high. The vast majority said that the deployment of cybersecurity measures had failed to keep pace with the increasing digitization of their oil and gas operations.
Putting security on the agenda
Oil and gas companies have been around for the last century — sometimes longer — so it may be hard for some of them to get religion about security. But they can’t continue to ignore the matter now that they are up against a full range of threat actors.
What’s more, systems are no longer isolated. As the oil and gas industry incorporates more connected systems and networking technologies, companies will need to develop an understanding of the new security risks and what’s required to combat them.
While the oil and gas sector may have unique challenges, it nonetheless shares many of the same security challenges that face other enterprises. So the response should lean heavily on the basics of cybersecurity. The National Institute of Standards and Technology provides a comprehensive set of cybersecurity guidelines, along with detailed guidance on how to implement best practices.
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.