Human errors stand behind malicious codes spread. That’s no exception in the Oil & Gas industry according to the study shared by Norwegian DNV. In offshore installations, incidents caused by human errors reach 80%.
How do you deal with imperfect homo sapiens who are the usual cause behind “unintentional” vulnerabilities? Yes, train them and build barriers! Well, as you already know, it is easier said than done. We, humans, don’t always stick to algorithms.
One episode of complacency or irrational act may be enough for major exposure. You, the person in charge of cybersecurity at the Oil & Gas company, need to make sure that everyone knows specific cybersecurity risks on an oilfield, offshore platform, refinery, or in the office. That’s where it all starts – awareness.
Awareness is a non-technical metric. It is all about finding out who has taken and completed the training and checking if they understand the material. You quiz or survey staff about the knowledge of cybersecurity risks at organizational, departmental, and individual levels.
People must know and understand how to stay safe in the age of the Internet of Things. Companies run security awareness campaigns. The biggest challenge in measuring such awareness is the quantification of human behavior. Some of your peers may use alternative approaches:
- to check non-ICT staff’s prudence, see how they react to sample of email phishing attack;
- to test your ICT colleagues’ vigilance, consider fake attacks – sort of military drills.
The distinctiveness of the Oil & Gas industry
Although bit already outdated by the time of my article publication (18.09.2020), DNV’s 2015 finding highlights the following top 10 cybersecurity vulnerabilities in the Oil & Gas industry:
Lack of cybersecurity awareness and training among employees
Remote work during operations and maintenance
Using standard IT products with known vulnerabilities in the production environment
A limited cybersecurity culture among vendors, suppliers, and contractors
Insufficient separation of data networks
The use of mobile devices and storage units including smartphones
Data networks between on- and offshore facilities
Insufficient physical security of data rooms, cabinets, etc.
Outdated and aging control systems in facilities.
I assume you would agree that these vulnerabilities remain in the same priority order today in the global Oil & Gas industry perspective. The Norwegian industry esteemed at the forefront of adaptation and innovation by global standards. The Oil & Gas industry usually invests in long term projects and infrastructure. The combination of outdated infrastructure and a rapidly changing world makes your task of keeping everyone aware more challenging.
Working at a fossil fuel company in the era of renewable excitement you have a challenge attracting young talent who can keep up with modern trends. That recruitment challenge makes your goal in making people understand the risks even harder.
Unobvious ransomware attack consequences
In 2019 Mexico’s PEMEX had become a victim of a ransomware attack. The attackers demanded 4.5 MLN Euro to decrypt the data. As a big and serious organization, PEMEX managed to keep its OT systems safe and prevent production disruptions. Yet PEMEX urged employees not to connect to the network and to secure important data externally. As reported, they had problems to pay employees on time as the hackers damaged the booking system. Yes, PEMEX managed to safeguard operations of its exploration & production, refineries, petrochemical, and gas processing complexes. But the attacks like that can leave many people disturbed especially when they don’t get their salaries on time. Imagine such a distraction at your organization due to a cyber-attack.
Knowing vs. Caring
After deploying state of the art training program that has enough frequency and certification procedure you may still find yourself in witnessing recurring negligence. Why does that happen? Well, sometimes you may assume that if people aware then they care. Right? Wrong! Look, you may have aware people, but it doesn’t always mean that they care.
Yes, culture matters here. And it takes time until the right preventive culture establishes when people know and care. You need patience, frequency, consistency, and persistence in training those colleagues who are not considerate.
Return rates on cybersecurity investments derailed by unaware/careless staff
Homer Simpson can ruin your cybersecurity guard, despite huge investments in deploying costly industrial automation tools, control systems and hiring expensive consultants that you got the blessing from your CEO. The moment Homer uses his phone for leisure or leaves the system network unprotected while rushing to buffet for his morning donuts eating ritual, he exposes his data about critical infrastructure to unauthorized access. Malicious codes threaten production equipment and voilà – shut down the output. Your CEO is angry and more importantly curious how it is possible after investing so much money in securing OT systems. Here what EY’s Global Information Security Survey says about Homer(s):
COVID pandemic significantly and unexpectedly increased the need for remote work in 2020 to assure production continuity in the Oil & Gas assets. Today the level of vulnerabilities is much higher due to the need of maintaining and operating upstream, midstream, and downstream assets remotely. How do you discover and keep everyone around you aware of novel cybersecurity risks emerging in the current COVID period and ultimate post-COVID era? I can hear you. It is an issue because the scale of remote work unearthed the new type of risks on a higher priority.
Security-related risks are reduced by 70% when businesses invest in cybersecurity training and awareness. As mentioned above, the Oil & Gas industry has a combination of 3 distinctive factors that make cybersecurity awareness worse comparing to other industries:
· outdated infrastructure;
· the challenge to attract enough ICT young talent due to ”dirty energy” reputation;
· a fast-changing world.
You should focus on what is in your control. The optimal thing to do is to cope with what is there ie adapt existing equipment and changing people’s habits from top to down. To understand how you need to look at what others are doing about it.
Benchmarking best practices
Prospero Events Group is bringing together the best cybersecurity practitioners for the 7th consecutive year at the ”Cyber & SCADA Security for Oil & Gas Industry 2020” virtual conference on 19-20 November 2020. One of the sessions of this exclusive event will be focused on breaking the wall of workforce culture – Cyber Security 360 Model presented by Abid Hashmi, ICT Security Advisor at Var Energi, Norway. Envisioning awesome culture preventing unwanted incidents is the surest way to extract the highest return on investment in cybersecurity.
The speaker panel consisting of top cybersecurity experts from Saudi Aramco, Maersk Drilling, Aker Solutions, Trans Adriatic Pipeline, Var Energy, and Danish Energy Agency is the perfect opportunity to get all your questions answered by your peers. All. Because more minutes of net interaction you get at a Prospero event than any other energy conference in Europe. Let’s keep the European and global Oil & Gas community aware of cybersecurity risks together. Culture is not an isolated notion because it spreads beyond the walls of your organization. Join us to benchmark best practices about prioritizing cybersecurity in E&P. About inclusion cybersecurity as part of procurement. About catching hackers with honeypots.
If you never watched The Simpsons animated sitcom: Homer Simpson is a patriarch of the Simpsons family. He works at Springfield Nuclear Plant as a safety inspector. Although being a good man, he is the embodiment of ignorance. He is my favorite because he is human.