Cyber-attacks cost companies worldwide an estimated $300-400 billion each year in unanticipated downtime and that number is projected to increase sharply. Some large industrial organizations estimate their cost of downtime in the millions of dollars per hour. When a plant shuts down unexpectedly, it takes 3 to 4 days to get everything started up again. These are sobering business continuity-related lost revenue numbers.
The more connected nature of oil & gas operations, driven in large part by the Industrial Internet of Things (IIoT) and related digitalization trends, although beneficial to bottom lines, introduces an element of cyber-risk that should be addressed. In fact, inaction is not an option. Cybersecurity is now a cost of doing business. The question is, what is the optimal approach?
When considering the issue of cybersecurity and its impact on business continuity, several types of threats come into play. The first is the exposure of employees to outside emails. Over 400 businesses every day are exposed to email “spear-phishing” schemes draining three billion dollars from businesses over the last three years. The percentage of emails that contain potential business disrupting malware today stands at one in 131, the highest rate in five years.
A second issue involves attacks by organized groups on critical infrastructure. Oil & gas facilities are increasingly considered critical national infrastructure. As such they are targeted not only by malevolent individuals but also by organizations that use cyberattacks as weapons to be used to weaken nation states and other global institutions.
A third element to consider when formulating a cybersecurity strategy is the proliferation of mobile devices. Cell phones, tablets, laptops and thumb drives in the hands of practically every oil & gas industry employee worldwide creates a need for the development of more modern and robust security policies. The added connectivity of these devices makes it easy for outsiders who guess or steal passwords to penetrate the control environment.
A reasoned, and steady, approach for deploying cybersecure solutions
Fortunately, there are several steps that oil & gas companies can pursue in order to minimize the threat to cyberattack-driven disruptions to business continuity:
1. Step 1 involves building firewalls to keep outsiders from entering the corporate network and gaining access to control systems. This will work in environments where entry points into the system are somewhat limited. However, in an IIoT world, cybersecurity will need to be built into every control system hardware and software component, protecting every node that has computing capability.
2. Step 2 requires a gradual approach to strengthening cybersecurity infrastructure. Responsible control systems manufacturers are now designing cybersecurity into every module they build and deliver so that clients don’t have to concern themselves with building in cybersecurity after they purchase a new product.
Manufacturers like Schneider Electric, for example, apply a Secure Development Life Cycle (SDL) approach to their product development. Within the context of SDL, secure architecture reviews are performed, threat modeling of the conceptual security design takes place, secure coding rules are followed, specialized tools are utilized to analyze code, and security testing of the product is performed. These actions help to ‘harden’ products, making them more resilient against cyber-attacks. In this way, as new products replace old, entire systems evolve to become more cyber secure.
3. Step 3 includes the education of employees. A cybersecurity-aware culture needs to be developed within oil & gas organizations to help employees understand or appreciate the key risks, so that operations can be run in a secure manner (including basic password management or changeover management).
Such an environment should audit and enforce cybersecurity best practices on a consistent and effective basis, utilizing available supervision and detection tools, so that exposure to risk can be minimized. In such a cybersecurity-aware process culture, the priorities of the IT and industrial control departments need to be aligned. Both employees and vendors coming in need to be aware of the security policies or risk being denied access to sensitive equipment and operations software.