Oil and gas cybersecurity not keeping pace with technology developments

A research report by Ponemon Institute indicates that while oil and gas cybersecurity is strong, the industry is not keeping pace with technology developments and its cyber readiness is not high.

03/15/2017


When it comes to cybersecurity in the manufacturing automation sector, the oil and gas industry has, hands down, the strongest security programs of any industry. However, a Ponemon Institute survey report, "The State of Cybersecurity in the Oil & Gas Industry: United States," commissioned by Siemens, is disconcerting because that security is hollow at the center.

"Cyber is not keeping pace with digitalization in the digital oilfield. It is a problem," said Dr. Larry Ponemon, chairman and founder of Ponemon Institute, which conducted the survey on behalf of Siemens.

"Just 35% of respondents rate their organization's operations technology (OT) cyber readiness as high; 65% did not rate it as high, which is a problem of course. Sixty-eight percent of respondents say their operations had at least one security compromise in the past year, which resulted in some case of loss of confidential information or an OT disruption."

To repeat, he said 68% of respondents said they had at least one security compromise in the past year.

"Through data we can act," said Judy Marks, chief executive of Siemens USA. "It has become obvious over time that the oil and gas industry is a digital enterprise. We are alarmed and concerned when we have almost 70% of oil and gas companies saying they were hacked in the last year.

"We need to protect our systems and protect the supply chain and our clients," Marks said. "In an OT world, while everybody gets comfortable in the information technology (IT) environment, we need this convergence and we need this ability to deal with interruptions be they natural or unnatural, be they insider attacks or other malicious or criminal activity, and we need to be able to encapsulate the technology and the people and processes to respond to this. We believe security analytics will give clients and customers that intelligence.

"Everybody is dealing with heterogeneous systems whether it is in exploration or downstream," Marks said. "We need as an industry to come together to share information more, even with anonymity, to respond to these threats quickly and plan for our future so that the oil and gas energy security for our nation and the oil and gas production and its impact to the economy is not impacted."

Ponemon highlighted eight key findings in the research report:

  1. 59% of respondents believe there is greater risk in the OT than the IT environment and 67% of respondents believe the risk level to industrial control systems over the past few years has substantially increased because of cyber threats.
  2. Oil and gas companies are benefiting from digitalization, but it has significantly increased cyber risks, according to 66% of respondents.
  3. 68% of respondents said their organization experienced at least one cyber compromise, yet organizations lack awareness of the OT cyber risk criticality or lack a strategy to address it.
  4. 61% of respondents said their organization's industrial control systems protection and security is not adequate.
  5. 65% of respondents said the top cybersecurity threat is the negligent or careless insider and 15% of respondents said it is the malicious or criminal insider—underscoring the need for advanced monitoring solutions to identify atypical behavior among personnel.
  6. 41% of respondents said they continually monitor all infrastructure to prioritize threats and attacks. An average of 46% of all cyberattacks in the OT environment go undetected, suggesting the need for investments in technologies that detect cyber threats to oil and gas operations.
  7. 68% of respondents said security analytics is essential or very important to achieving a strong security posture.
  8. Security technologies deployed are not considered the most effective. Sixty-three percent of respondents said user behavior analytics and 62% of respondents said hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62% of respondents said encryption of data in motion is considered very effective. Yet, companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48% of respondents) plan to use encryption of data in motion, only 39% plan to deploy hardened endpoints and only 20% will adopt user behavior analytics (UBA).

Ponemon surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber risk in the OT environment. Most of the respondents report to the head of industrial control systems (19%), head of quality engineering (15%), OT security leader (14%), head of process engineering (14%) and IT security leader (11%). Respondents work in the downstream (30%), upstream (24%), middle stream (17%) or all of these environments in the oil and gas industry (29%).

Gregory Hale is the editor and founder of Industrial Safety and Security Source (ISSSource.com), a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, cvavra@cfemedia.com.
