The energy sector is no stranger to cyber attacks. For many American families and businesses, the most personally disruptive incident in recent memory came in May 2021 with the ransomware attack that shut down a major U.S. oil and gas pipeline responsible for supplying nearly half of the East Coast’s petroleum. But for global energy industry leaders – and the oil, gas and utility sectors in particular – this is the latest in a series of cyber attacks on critical infrastructure in an increasingly harried, digitally connected energy ecosystem, and it requires an urgent solution.
Navigating big challenges, from the NotPetya cyber attack on a Ukrainian utility in 2017 that shut down much of the country’s power grid, to the attack on the Colonial Pipeline in 2021, is a responsibility that now falls on the energy sector’s top executives and board members. These leaders need to mitigate cyber risk in a sector that is undergoing a digital revolution and is now frequently targeted by cyber criminals for geopolitical purposes and financial gain. While governments around the world develop new policies, norms and consequences for future cyber attacks, oil and gas executives and board members cannot wait for government to reach a geopolitical détente, issue new regulations or aid in efforts to secure critical energy systems.
Instead, CEOs and board members must draw from their decades of expertise in integrating energy assets with operational technology (OT) and leveraging information technology (IT) networks to reduce cyber risk across their hyperconnected operating environments. For decades, oil and gas companies have pursued productivity gains by linking physical energy assets with OT control systems and IT networks. That trend continues today with energy organizations seeking big data, artificial intelligence (AI), and automation solutions to reduce costs, improve efficiency and help reduce emissions. Throughout this process, industry executives have also pioneered key management principles and risk-based approaches to securing the technologies and processes that serve as the foundation for their hyperconnected industrial Internet of Things (IoT) business model.
To prepare for the new normal of more frequent and sophisticated cyber attacks on energy and critical infrastructure, energy sector CEOs and corporate board members must draw on the best practices and key lessons learned from a decade of both successes and failures in addressing cyber risk.
The World Economic Forum (WEF) boils down current best practices into succinct principles in a useful publication titled Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers. Oil and gas industry leaders looking to address cyber risk will find guidance on how to implement key recommendations within their organizations and how to level up security practices throughout the value chain and the broader energy ecosystem.
The WEF’s six cyber resilience principles for oil and gas infrastructure are drawn from the shared real-world experience of leading companies in the oil and gas sector, and are worth quoting in full:
- Cyber resilience governance – Cybersecurity efforts count on broad participation within an organization. Aligning efforts and setting clear accountability are fundamental to success.
- Resilience by design – Including cybersecurity as a design parameter and as part of corporate culture helps improve outcomes.
- Corporate responsibility for resilience – Recognizing that sophisticated, frequent threats are likely to continue or escalate, organizations should be examining their cyber risks, and taking responsibility for managing those risks.
- Holistic risk management approach – As with other risks, managing cyber risks requires a mandate, funds, resources and accountability. In the oil and gas sector, it’s especially important to discover and mitigate risks to all parts of the value chain, so that one weak link doesn’t bring production to a halt.
- Ecosystem-wide collaboration – Weak links in defenses may lie outside of an organization. Intentional efforts to share cyber threat information, use best practices and improve cybersecurity maturity across the whole sector help industry-wide stability.
- Ecosystem-wide cyber resilience plans – Recognizing that cyber attacks will continue to occur, organizations should build resilience plans to help mitigate damage from those that succeed in whole or in part. Cybersecurity exercises enable defenders to test and improve defenses – including how they will cooperate with other industry partners.
Oil and gas sector leaders will need to build cyber resilience into their organizations and partnerships to continue providing reliable, timely fuel deliveries to their customers in a future full of cyber threats. Efforts to gather and share hard-won wisdom will surely help.
Source: Harvard Business Review