Security is a Never-Ending Journey, Not a Destination
A study commissioned by HM Government found that 90% of large organisations reported they had suffered a security breach in 2015, up from 81% in 2014. It’s evident cyber-attacks are on the increase and clear they are also growing in sophistication. Major hacks are reported on an almost daily basis, with varying degrees of personal and corporate consequences. This means better and more robust processes are needed to tackle them.
We now live in a world where the internet of things is in abundance. We want everything connected, in our personal and business lives. This is no different in the Oil and Gas industry, where the focus is to make oil and gas as easily accessible as possible, whether removing oil from the ground, transporting it to refineries or getting it to the consumer. It’s no surprise then that the oil and gas sector is connecting its industrial control systems to the Internet. However, we are seeing that these connections are often full of unaddressed security vulnerabilities.
Of course, connecting industrial control systems to the internet has great advantages, including the speed at which information can be shared, from the platform to the beach, or between the control room and operational sites. It is great for connectivity and efficiency, as well as reducing costs. It also brings challenges and risk, not least the fact that it leads to a whole collection of security issues. Placing Operational Technology (OT) on network nodes automatically makes it available to those who hack or breach the network. In the Oil and Gas sector, much focus has been on making OT remotely accessible to provide faster understanding of the data and to improve production performance. However, has as much focus been put on the security of these OT systems?
Is cybersecurity still segmented?
Operational Technology and IT are still largely seen as separate, yet OT has increasingly become integrated within the IT backbone of many organisations. In this merger of networks with fundamentally different purposes, is there enough understanding of the threat landscape between the two? Is too much focus still put on IT security, with the expectation that it will effectively secure OT as well? An IT-centric approach to basic security, such as antivirus and patching, may not effectively patch the OT systems, which are often built to provide unidirectional communication and run legacy operating systems.
Process Control Security
The oil and gas industry has many unique challenges: it carries the dangers associated with dealing with a combustible element in extreme and often remote conditions, in an often unpredictable environment. In such a high-stakes environment, risk management must be at the forefront of operational procedure, and it’s essential that this includes cybersecurity.
Oil & Gas Industry
Risk management carries great weight in the decision-making process within the oil and gas industry. If something goes wrong, then lives, local habitats and even global economies are at risk. Safety within the industry is focused on reporting near misses as well as actual incidents, with companies promoting the value of holding the handrails when climbing or descending stairs. Cybersecurity should be considered in the same way. Where safety incorporates human risk factors, security procedures must also focus on them. Security threats don’t just come from outside an organisation. The HM Government 2015 Information Security Breaches Survey reported that 75% of large organisations suffered staff-related breaches last year. A successful security policy should incorporate not just technology, but also process and people.
In an ever-changing and fast-paced world, and especially in the world of the internet of things, a more integrated and sophisticated view of cybersecurity is needed. A successful security strategy needs to look at more than just the IT systems. It should treat OT and IT as one and focus on risk management, with a security process that includes people, process and technology.