The digital age has enabled a dramatic change in business operations but this change has brought with it new risks that were previously not of any concern to Oil and Gas companies. Physically remote facilities with little or no connection to the outside world were isolated from the growing risks of cyber-attack that were occurring in other sectors, such as finance.
The cyber-security risk posture has changed dramatically for oil and gas companies and attention is needed if major production or safety incidents are to be avoided.
The Oil and Gas industry has seen a number of major drivers towards increased collaboration and interoperability:
IT equipment has been interconnected like this for many years, and companies have responded to the increased attacks this brings by introducing new protection mechanisms. However, in the operational world, there a number of key differences which make this more challenging:
The failure of a control or safety system could result in injury and loss of life to personnel and the public, as well as harm to the environment from which recovery may be extremely time consuming, expensive, and difficult. It is not acceptable to rely on independent protection mechanisms to protect against the effects of a cyber-incident.
Reports indicate a ten-fold increase in the number of successful cyber-attacks on infrastructure control systems since 2000. In addition to the factors already noted, there is an increased awareness outside of the industry of the existence of operational technology such as control systems. This awareness is being exploited for a number of reasons:
Oil and Gas companies must assess their cyber-security risk posture and take action to address any issues that leave them exposed. Cyber-security risk management involves people, process and technology.
Companies must assess the competency and awareness of their personnel and the personnel of contractors, vendors and other third parties that have access to their facilities. Training and awareness is a key risk mitigation that helps reduce the likelihood and impact of a cyber-incident.
Oil and Gas companies already produce and maintain extensive operational procedures for everything they do. These rarely consider the risks associated with technology, for example how to correctly handle removable media such as USB drives that may introduce malware into a facility. Not only do oil and gas companies need to review their existing policies and procedures but they will need additional policies and procedures to manage their cyber-security risks.
There are many technology considerations that oil and gas companies should make:
A comprehensive strategy is required to ensure that companies achieve the best return on their investment and do correctly minimize their cyber-security risks.
E&P consulting can help oil and gas companies with managing their cyber-security risk by:
The goal for E&P consulting is to ensure that your receive impartial consultancy and professional advice from an organisation that has successfully released the value of such approaches into Oil and Gas organisations.