The scale of the Industrial Internet of Things (IIoT) used by the oil and gas industry poses a growing cyber-risk. Schneider Electric offers three best practice guidelines to minimise the threat of cyberattack-driven disruptions to business continuity.
Cyberattacks cost companies worldwide an estimated US$300-400 billion each year in unanticipated downtime, and that figure is projected to increase sharply.
Some large industrial organisations estimate their cost of downtime in the millions of dollars per hour. When a plant shuts down unexpectedly, it takes three to four days to get everything started up again. These are sobering figures for lost revenue tied to business continuity.
The more connected nature of oil and gas operations, driven largely by the Industrial Internet of Things (IIoT) and related digitalisation trends, although beneficial to bottom lines, introduces an element of cyber-risk that should be addressed.
In fact, inaction is not an option. Cybersecurity is now a cost of doing business. The question is, what is the optimal approach?
When considering the issue of cybersecurity and its impact on business continuity, several types of threats come into play.
The first is the exposure of employees to outside emails. More than 400 businesses every day are exposed to email ‘spear-phishing’ schemes, which have drained three billion dollars from businesses over the last three years. The proportion of emails carrying potentially business-disrupting malware now stands at one in 131, the highest rate in five years.
A second issue involves attacks by organised groups on critical infrastructure. Oil and gas facilities are increasingly considered critical national infrastructure. As such, they are targeted not only by malevolent individuals but also by organisations that use cyberattacks as weapons to weaken nation states and other global institutions.
A third element to consider when formulating a cybersecurity strategy is the proliferation of mobile devices.
Mobile phones, tablets, laptops and thumb drives in the hands of practically every oil and gas industry employee worldwide create a need for more modern and robust security policies. The added connectivity of these devices makes it easy for outsiders who guess or steal passwords to penetrate the control environment.
A reasoned – and steady – approach for deploying cybersecure solutions
Fortunately, there are several steps that oil and gas companies can pursue in order to minimise the threat of cyberattack-driven disruptions to business continuity:
- Step 1 involves building firewalls to keep outsiders from entering the corporate network and gaining access to control systems. This will work in environments where entry points into the system are somewhat limited. However, in an IIoT world, cybersecurity will need to be built into every control system hardware and software component, protecting every node that has computing capability.
- Step 2 requires a gradual approach to strengthening cybersecurity infrastructure. Responsible control systems manufacturers are now designing cybersecurity into every module they build and deliver so that clients don’t have to concern themselves with building in cybersecurity after they purchase a new product.
Manufacturers like Schneider Electric, for example, apply a Secure Development Life Cycle (SDL) approach to their product development.
Within SDL, secure architecture reviews are performed, the conceptual security design is threat modelled, secure coding rules are followed, specialised tools are used to analyse the code, and the product undergoes security testing.
These actions help to ‘harden’ products, making them more resilient against cyberattacks. In this way, as new products replace old, entire systems evolve to become more cybersecure.
- Step 3 includes the education of employees. A cybersecurity-aware culture needs to be developed within oil and gas organisations to help employees understand the key risks, so that operations can be run in a secure manner (including basic password management and shift changeover management).
Such an environment should audit and enforce cybersecurity best practices on a consistent and effective basis, utilising available supervision and detection tools, so that exposure to risk can be minimised.
In such a cybersecurity-aware process culture, the priorities of the IT and industrial control departments need to be aligned. Both employees and visiting vendors need to be aware of the security policies, or risk being denied access to sensitive equipment and operations software.
For more best practices in countering cybersecurity threats, download Schneider Electric’s complimentary reference guide, A Practical Guide to Achieving Oil & Gas Operational Efficiency through Digitization.