May 2017, Vol. 244, No. 5

Features

Study Points to Cybersecurity Gaps in Oil & Gas Industry

A survey of U.S. oil and gas risk managers indicates the deployment of cybersecurity measures in the industry isn’t keeping pace with the growth of digitalization in oil and gas operations. In a study from the Ponemon Institute, The State of Cybersecurity in the Oil & Gas Industry: United States, only 35% of respondents rated their organization’s operational technology (OT) cyber-readiness as high.

The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, examined how oil and gas companies are addressing cybersecurity risks. Its authors surveyed 377 individuals in the United States who are responsible for securing or overseeing cyber-risk in the OT environment, including upstream, midstream and downstream applications.

Most respondents described their organization as in the early to middle stage of cyber-readiness maturity, with 68% of respondents saying their operations experienced at least one security compromise in the past year that resulted in the loss of confidential information or OT disruption.

Additional key findings related to readiness, risks and challenges included:

• 59% believe there is a greater risk in the OT environment than the IT environment.

• 61% said their organization has difficulty mitigating cyber-risks across the oil and gas value chain.

• Only 41% of respondents said they continually monitor OT infrastructure to prioritize threats and attacks.

• 65% of respondents said the top cybersecurity threat is the negligent or careless insider, while 15% pointed to the malicious or criminal insider, underscoring the need for advanced monitoring solutions and critical safety zones to identify atypical behavior among personnel.

• 61% said their organization’s security is inadequate for protecting industrial control systems.

With regard to solutions and security practices, technologies that are considered most effective aren’t extensively deployed. Technologies identified as “very effective” in mitigating cybersecurity risk include: user behavior analytics (63%), hardened endpoints (62%) and encryption of data in motion (62 %).

However, within the next 12 months, less than half of organizations surveyed said they will use encryption of data in motion (48% of respondents), only 39% will deploy hardened endpoints and only 20% will adopt user behavior analytics.

“Cyberattacks in the oil and gas industry can have potentially devastating consequences for the economy and national security,” said Larry Ponemon, chairman and founder of Ponemon Institute. “We hope the findings of this research create a sense of urgency to make the appropriate investments in people, process and technologies to improve the industry’s cyber-readiness.”

The executive summary of the study was released Feb. 15 in conjunction with a Bloomberg Live event in Houston – The Future of Cyber Security: Spotlight on Oil and Gas.