Why the Oil and Gas Sector Needs Layered Cybersecurity
In previous posts we’ve been talking about cybersecurity in the marine industry. Malware could disrupt or disable the onboard systems in increasingly high-tech vessels. Far more likely are attacks targeting end-user devices that could result in costly IT system downtime or a data breach. In light of these risks, operators of maritime and inland marine vessels should implement a layered security approach that incorporates network and end-user security.
The oil and gas industry faces similar threats. In a recent EY survey of IT professionals in oil and gas, 60 percent of respondents said their organizations had recently suffered a significant cybersecurity incident. As in the marine industry, most of these attacks used phishing and other forms of social engineering to spread malware and compromise user credentials. More than three-fourths (78 percent) of respondents said that a careless end-user was the most likely source of an attack.
However, the oil and gas industry must also contend with threats targeting operational technology (OT) networks and Internet of Things (IoT) devices. OT includes hardware and software, such as SCADA and other industrial control systems, that monitor and/or operate physical infrastructure. Increasingly, these tasks are being performed by IoT devices, which offer more sophisticated capabilities and global access to data.
However, OT networks often lack basic security and are vulnerable to attacks that compromise sensitive data, disrupt operations, and jeopardize human and environmental safety.
Traditionally, organizations protected their OT networks by isolating them from the public Internet. However, a recent study found that one-third of all sites in oil and gas, energy, manufacturing and other industries are connected to the Internet, proving that “air-gaps” often don’t exist.
The study also found that most OT networks can be easily hacked because they do not receive security patches or use antivirus protection. Most use weak passwords that can easily be cracked to gain access to critical industrial devices. Many have one or more rogue devices and wireless access points that hackers can exploit to access the network. Most are using remote management tools, which can be used to manipulate equipment when compromised.
In a recent survey of IT professionals in oil and gas, 60 percent of respondents said their organizations had recently suffered a significant cybersecurity incident.
IoT devices face similar threats, and generally lack robust security due to low power consumption and other constraints. According to the Ponemon Institute, more than a quarter of all data breaches can be specifically tracked to unsecured IoT devices or applications.
In light of these threats, EY recommends that oil and gas firms implement a cybersecurity strategy based upon these core principles:
- Because OT and IoT systems are vulnerable, network defenses should incorporate advanced firewall, intrusion prevention and antimalware services to prevent attacks from entering the environment.
- End-user security should focus on preventing phishing, rapidly detecting and blocking malicious content, and continuously scanning endpoint devices.
- Cybersecurity systems should not rely on signatures alone but use continuous monitoring, behavior analysis and threat intelligence to detect unknown and emerging attacks.
- Oil and gas firms should leverage security operations center (SOC) services for around-the-clock monitoring and rapid detection and response.
Comprehensive Security Solutions for Oil & Gas
GDS offers a comprehensive suite of security services that fully address these requirements. Our infrastructure, end-user, email and web security work in concert to protect the IT environment, and are monitored and managed by our team of experts. Our managed network services incorporate these same defenses, providing secure connectivity for oil and gas operations regardless of location. Let us put our advanced technology and years of experience in oil and gas to work for your organization.