A survey from Siemens with the Ponemon Institute shows that most oil and gas companies were hacked last year, writes Judy Marks, CEO of Siemens USA. Data is being compromised and supplies are getting stolen, but most companies are still not taking adequate action. Marks explains how companies may protect themselves.
It’s common practice to think of challenges as opportunities in disguise. But for the oil and gas industry, opportunities are creating challenges.
Look no further than the emergence of digital oil and gas fields. By embracing software and digital solutions, firms can drive efficiency and uptime, improve safety, and reduce costs in a low-price market. That’s the opportunity.
Companies suspect that supplies are getting siphoned off by criminal actors. But they can’t capture the evidence – and prove it – with their current systems
Now, by engaging with the Ponemon Institute to survey more than 300 oil and gas companies, Siemens has learned more about the challenge. If cybersecurity isn’t fully aligned with a digital strategy, oil and gas companies are extremely vulnerable to hackers trying to steal valuable information and supplies, disrupt operations, or otherwise inflict harm.
Some key findings
- Most oil and gas companies have been hacked: In the past year, nearly 70 percent of oil and gas organizations have endured security compromises. These breaches have exposed confidential information and disrupted operational technology – or OT – operations.
- The threat against OT is growing: Two-thirds of respondents said they believe attacks against industrial control systems have increased during the past few years.
- More must be done to stop the threat: Only a third of respondents thought OT and information technology (IT) networks were fully aligned for cybersecurity. Little more than that – 35 percent – rated their readiness to address cyber threats as high. It is no surprise that nearly half of all OT attacks are not being detected.
What the oil and gas industry can do to protect itself
Siemens’ view is that the first priority for the oil and gas industry should be bulking up its defenses for OT attacks. Deploying state-of-the-art rugged network solutions and hardening assets are both necessary steps forward.
Another important tool is security analytics to detect anomalies in data. I hear this frequently from offshore operators. Digital enterprises, they tell me, are enabling them to collect and interpret operational data in real-time. This is informing smarter business decisions.
What frustrates them, though, is their inability to determine if data is being compromised. They suspect that supplies are getting siphoned off by criminal actors. But they also can’t capture the evidence – and prove it – with their current systems. Security analytics can deliver needed change.
Still, security is only part of the solution. No matter how secure an enterprise is, hackers will still try to break into it. It’s critical to develop comprehensive strategies to stand up operating models to manage risk.
If cybersecurity isn’t fully aligned with a digital strategy, oil and gas companies are extremely vulnerable to hackers
Successfully merging OT with IT is one priority. But so is having a plan for incident response that goes from the field, to the control room, to the enterprise network.
Lastly, every company needs to be focused on protecting their own operations. But there should also be more emphasis on working together to protect an industry.
The industry could benefit from more information sharing. It could benefit, in particular, from having a global playbook tailored to both small and medium-size firms that covers how to protect assets and implement incident response.
At Siemens, we’ve tailored our portfolio and solutions to the oil and gas industry’s commitment to embracing new technology. Cybersecurity is a strong part of our vision for the digital enterprise. And as a company working in 190 countries, we’re eager to share best practices we’ve developed through securing a global footprint.
This new report might be the latest evidence that the oil and gas industry’s cybersecurity challenge is very real. But the good news is that it’s already very solvable too.