Cybersecurity Threat Profile: Energy, Oil & Gas

Aug 12, '19 by Joerg Schneider-Simon

A whopping 96 percent of energy, oil, and gas industry professionals fear operational shutdowns and threats to their employees’ safety due to a digital attack, according to a 2018 Tripwire study.

Their fear is well-justified: 40 percent of respondents in a recent Oil and Gas IQ report believed that the risk profile in their organization is “poorly understood and not improving.”

It’s not being alarmist to say that the industry is in a cybersecurity crisis. How did things get to this point, and what can EOG executives do to turn the tide?

More Entry Points, More Problems

Long gone are the days when EOG companies were in a closed system, with data and processes only flowing within the company on secure, internal servers.

Now, the risk surface for these companies has grown exponentially, in large part due to our increasingly connected industrial landscape. There are two major factors in this increase:

External Access to Systems

It’s no surprise that a large number of EOG companies use SAP to handle their data and their processes. Tracking production numbers, logging quality control data, taking care of accounts receivable, accounts payable, purchasing, and more — SAP has long been the system of choice for energy, oil, and gas customers.

Part of the convenience of SAP is the ability to open up access to outside parties so suppliers can upload quotes and invoices, customers can send through purchase orders, and job seekers can even complete their application and upload their CV via SAP.

This convenience, however, has also increased SAP’s risk surface: The more outside parties that have access to SAP, the greater your chances that one of those parties has been compromised by a cyberattacker.

The risk can even come from within the company. Many EOG companies use SAP FIORI to enable their field/sales staff to access SAP applications via mobile device. However, these mobile devices often have inadequate security protections.

While it’s a threat that is relevant to SAP, it is certainly not SAP-exclusive. A 2018 Eversheds Sutherland/Microsoft joint report highlighted the issue as well:

Executives travel with laptops and mobile devices with local or remote access to business plans, financial records and customer data, but in the process are susceptible to risk of compromise. Contractors work side-by-side with employees, integrating their systems with, and plugging their devices into, corporate networks, providing multiple points of entry for threat actors. Data is so ubiquitous and data flows are so complex that companies are often like goalkeepers before an ever-expanding soccer net.

Industrial IoT

Connectivity is no longer limited to computers and mobile devices. Indeed, the EOG industry has started to embrace “smart” technology and the Internet of Things. The appeal is undeniable: Oxford Economics claims that Industrial Internet of Things (IIOT) could increase the global GDP by as much as 0.8 percent, or $816 billion during the next decade. And of course, what EOG company would not enjoy the increased efficiency (and massive savings) that comes with equipment that can troubleshoot itself in minutes, as well as the reams of useful real-time data that can skyrocket production numbers?

As we’ve previously examined, however, IoT – and consequently IIoT – are all too often unsecured, making them a ripe target for cyberattack. A best-case scenario at this point would be data theft. The worst-case scenario? Equipment sabotage, which in the EOG industry, has devastating potential. Richard Garcia, a former FBI agent who is now a cybersecurity specialist, told the San Antonio Express News, “You could mess with a refinery or cause a vessel to explode.”

Energy Oil and Gas Cybersecurity: What Needs to Be Done?

If the issue is that the “soccer net” of EOG risk surface keeps increasing, the answer seems relatively straightforward: Hire extra goaltenders.

As it turns out, it’s not as straightforward as it would seem.

An alarming number of companies appear to think they’re not at risk, or that their cybersecurity defenses are robust enough to stand up to this increasing onslaught. Just over half (56 percent) of the Tripwire survey respondents said it would take “a significant attack” to get their companies to adequately invest in security.

Exacerbating the problem is that if companies do decide to bring on more goaltenders, the pickings may be slim. There currently exists a serious dearth of available cybersecurity talent in the marketplace. And while EOG companies may have an easier time finding cybersecurity professionals than other, lower-paying industries do, the demand is still much higher than the supply, with no signs of improvement. And EOG companies looking to hire cybersecurity professionals who specialize in SAP? They may have a long road ahead of them, and should put serious consideration into third-party solutions to offset this shortage.

The energy, oil, and gas industry is vast and dynamic. For companies within this industry to stay safe, productive, and on track, it’s vital to take a proactive and risk-based approach that combines stringent self-analysis with a determination to mitigate the many cybersecurity risks that face not only their SAP system, but all systems and data.

New call-to-action