Oil and gas cybersecurity not keeping pace with technology developments

A research report by Ponemon Institute indicates that while oil and gas cybersecurity is strong, the industry is not keeping pace with technology developments and its cyber readiness is not high.


When it comes to cybersecurity in the manufacturing automation sector, the oil and gas industry has, hands down, the strongest security programs of any industry. However, a Ponemon Institute survey report, "The State of Cybersecurity in the Oil & Gas Industry: United States," commissioned by Siemens, is disconcerting because that security is hollow at the center.

"Cyber is not keeping pace with digitalization in the digital oilfield. It is a problem," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute, which conducted the survey on behalf of Siemens.

"Just 35% of respondents rate their organization's operations technology (OT) cyber readiness as high; 65% did not rate it as high, which is a problem of course. Sixty-eight percent of respondents say their operations had at least one security compromise in the past year, which resulted, in some cases, in loss of confidential information or an OT disruption."

To repeat, he said 68% of respondents said they had at least one security compromise in the past year.

"Through data we can act," said Judy Marks, chief executive of Siemens USA. "It has become obvious over time the oil and gas industry is a digital enterprise. We are alarmed and concerned when we have almost 70% of oil and gas companies saying they were hacked in the last year.

"We need to protect our systems and protect the supply chain and our clients," Marks said. "In an OT world, while everybody gets comfortable in the information technology (IT) environment, we need this convergence and we need this ability to deal with interruptions be they natural or unnatural, be they insider attacks or other malicious or criminal activity, and we need to be able to encapsulate the technology and the people and processes to respond to this. We believe security analytics will give clients and customers that intelligence.

"Everybody is dealing with heterogeneous systems whether it is in exploration or downstream," Marks said. "We need as an industry to come together to share information more, even with anonymity, to respond to these threats quickly and plan for our future so that the oil and gas energy security for our nation and the oil and gas production and its impact to the economy is not impacted."

Ponemon highlighted eight key findings in the research report:

  1. 59% of respondents believe there is greater risk in the OT than the IT environment and 67% of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.
  2. Oil and gas companies are benefiting from digitalization, but it has significantly increased cyber risks, according to 66% of respondents.
  3. 68% of respondents said their organization experienced at least one cyber compromise, yet organizations lack awareness of the OT cyber risk criticality or lack a strategy to address it.
  4. 61% of respondents said their organization's industrial control systems protection and security is not adequate.
  5. 65% of respondents said the top cybersecurity threat is the negligent or careless insider and 15% of respondents said it is the malicious or criminal insider—underscoring the need for advanced monitoring solutions to identify atypical behavior among personnel.
  6. 41% of respondents said they continually monitor all infrastructure to prioritize threats and attacks. An average of 46% of all cyberattacks in the OT environment go undetected, suggesting the need for investments in technologies that detect cyber threats to oil and gas operations.
  7. 68% of respondents said security analytics is essential or very important to achieving a strong security posture.
  8. Security technologies deployed are not considered the most effective. 63% of respondents said user behavior analytics and 62% of respondents said hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62% of respondents said encryption of data in motion is considered very effective. Yet, companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48% of respondents) plan to use encryption of data in motion, only 39% plan to deploy hardened endpoints and only 20% will adopt user behavior analytics (UBA).

Ponemon surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber risk in the OT environment. Most of the respondents report to the head of industrial control systems (19%), head of quality engineering (15%), OT security leader (14%), head of process engineering (14%) and IT security leader (11%). Respondents work in the downstream (30%), upstream (24%), midstream (17%) or all of these environments in the oil and gas industry (29%).

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.
