A comprehensive analysis of the cyber risk in the oil and gas industry was written by Liji Philips upon completing her Certified Cyber Insurance Specialist (CCIS) training.
The oil and gas industry is a major contributor to the global economy and a significant indicator of cost indexes, with tremendous growth potential. The adoption of new technology has significantly improved efficiency, but it has also raised concerns about cyber risk. Rising energy demand and the depletion of energy resources in recent years have pressured companies and governments to develop robust plans for oil and gas security measures to mitigate systemic impact.
The Root Causes of Cyber Risk in the Oil and Gas Industry
The oil and gas industry has made significant strides in technological advancement, but there are still many holes in these systems, leaving companies vulnerable to cyberattacks. Aging operational technology, geopolitical risks, and the introduction of Point of Sale (POS) technologies have become areas of major cyber risk in the oil and gas industry.
Aging Operational Technology
Aging operational technology in the oil and gas industry is exposing companies to potential cyberattacks. The problem is that the cost of updating the equipment is higher than the expected commercial output of the plant, causing companies to neglect technological updates. This outdated technology, with its archaic security patches and software, was not designed to combat cyberattacks, leaving these companies vulnerable.
The Impact of Geopolitics on Cyber Risk in the Oil and Gas Industry
Geopolitical risk is a rising cybersecurity threat for the oil and gas industry. These risks affect the price and availability of oil and gas, which in turn dictates which countries companies are allowed to operate in. This can be seen playing out between Russia and Europe with the distribution of the energy trade causing an astronomical rise in oil and gas prices. This uncertainty creates a plethora of cybersecurity risks pertaining to the protection of operations and sensitive information, which opens the door for cyber terrorists to gain access to that information. Moreover, the Allianz Risk Barometer ranked political risk and violence as one of the top 10 risks in 2023. These increased geopolitical tensions, coupled with the energy crisis, which was ranked number 4, could be exploited by threat actors either on behalf of the state or for individual gain.
Point of Sale (POS) Technologies
In a bid to boost customer experience, oil and gas companies have started introducing Point of Sale (POS) tools. This type of electronic payment system leaves transactions open to interception by cybercriminals if not properly protected, exposing companies to cyberattacks.
External Threats in the Oil and Gas Industry
The oil and gas industry relies on many third-party contractors. The midstream segment is responsible for the storage of raw oil and gas materials. Midstream company facilities are geographically widespread with unsecured access. This dispersion often leaves these third-party contractors at risk of cyberattacks, which in turn affects oil and gas companies. An example of this was the Colonial Pipeline cyber incident, where attackers stole over 100 gigabytes of data and held it for ransom.
Another example took place in 2021. The world's most valuable oil producer in the Middle East, Saudi Aramco, declared that company data was leaked from one of its contractors. The files were reportedly used in an attempt to extort $50m (£36.5m) from the company. Just a few years prior, this same oil giant was hit by the Shamoon computer virus, a virus that deleted hard drives and displayed a picture of a burning American flag on computer screens. The attack forced the oil company to shut down its network and destroy over 30,000 computers.
Oftentimes, these third-party contractors are unaware of the relevant cyber risks they introduce to oil and gas companies, so they can't properly defend against cyberattacks. The OTORIO supply-chain risk management suite is a program intended to mitigate these risks: it helps identify potential threats and offers safety practices to help prevent cyber risk.
In conclusion, mitigating cyber risk in the oil and gas industry presents unique challenges. There is an ever-changing threat landscape, a vast attack surface, ever-growing attack vectors, shortfalls in the number of skilled security professionals, masses of data that have moved beyond a human-scale problem, and more. A self-learning, AI-based cybersecurity posture management system could potentially solve many of these challenges. However, this is uncharted territory, and we have yet to unleash the true potential of applying AI cybersecurity solutions to the oil and gas industry.