Deloitte: Oil and Gas Companies Poorly Prepared for Cyber-Attack
According to a report released yesterday by Deloitte LLP, the oil and gas industry is especially at risk for cyber-attack. The report, Protecting the Connected Barrels—Cybersecurity for Upstream Oil and Gas, authored by Anshu Mittal, Andrew Slaughter and Paul Zonneveld, has the industry concerned.
Ponemon Institute research publicized in February says that the energy sector was the industry second most prone to cyber-attacks, with almost 75% of companies hit by at least one significant cyber-incident in 2016.
There are many reasons for the industry to worry. When the authors of the Deloitte report visited oil fields in the United States, Zonneveld observed some lax security practices. “(It) was like walking into the 1980s, with shared passwords and passwords written down on paper,” he said to Bloomberg. Only 14% of oil drilling operations have fully operational security monitoring operations. According to a 2015 report from the Industrial Control Systems Cyber Emergency Response Team, more than 30% of cyber-attacks on critical infrastructure had an unknown infection vector, or were untraceable.
The differing priorities of the stakeholders and entities involved in oil and gas systems add a layer of complexity that poses a cybersecurity challenge. IT prioritizes confidentiality and integrity over availability. Drilling and well site operations, which have programmable logic controllers and sensors, prioritize availability more than confidentiality and integrity. Plus, older technological components, which are often more difficult to secure, must work with much newer components.
The oil and gas industry has a large cyber-attack surface comprising many vectors. One company alone stores petabytes' worth of sensitive data, uses half a million processors for just oil and gas reservoir simulation, and shares thousands of production and drilling control systems with vendors and partners around the world. One attack can cost millions of dollars and put the environment and human lives at risk.
Report author Andrew Slaughter emphasizes the industry significance of Deloitte's findings. “The culture needs to change, and that’s happening but it takes time,” he said. “This report serves as a call to arms.”
Source: Information Security Magazine