Austin Scott, Accenture senior manager in Accenture Asset and Operations Services (AAOS), explains how oil and gas companies can address industrial cyber security concerns.
Why should oil and gas companies be concerned about industrial control system (ICS) cyber security?
The buzz around cyber security is nothing new for corporate executives, but most of the discussion in the media and in boardrooms has centered around data privacy, until fairly recently. Connected field devices, sensors, control systems and other Industrial Internet of Things (IIoT) devices like RFID tags in operational environments have changed the game. Programmable logic controllers, connected sensors and other industrial computing devices are often connected to each other and to the Internet, to allow people to remotely access data and control the operation of a refinery, gas well or oil pipeline (just to name a few). These are highly complex operations often located in remote environments and involving hazardous materials. There are potential safety risks even when they are operating efficiently.
Now imagine there is a cyber threat targeting these operations. The implications for data security, personnel safety, community safety and the environment are potentially huge.
The reality is that many energy companies are already a target. In a recent survey by Accenture Strategy, 63 percent of Energy executives said their organizations experience significant attacks on a daily or weekly basis,1 and those are probably the ones that are really looking. In today’s digital world, oil and gas companies must invest in industrial cyber security to protect themselves from financial, health, safety and environmental risk.
Why is industrial cyber security a challenge?
Industrial cyber security is a challenge for even the most technologically advanced oil and gas companies for a number of reasons:
Long life cycles: Field devices and industrial control systems, including programmable logic controllers (PLCs), distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems and others, have much longer life cycles than their counterparts in enterprise IT—decades as, opposed to years. This means many systems in operation today were installed years ago and may not be compatible with modern cyber security methods, even those that are commonplace, such as data encryption. While many original equipment manufacturers (OEMs) are now investing in cyber security development, most industrial applications are playing catch-up to meet cyber security requirements.
Outdated technology inventories: When pipelines, refineries and production assets grow to meet market demand or through the acquisition of other companies’ assets, new technology is added over time and often not tracked. When it is time to implement cyber security standards, it is impossible to secure something you do not know you have.
Continuous run-times: In enterprise IT environments, you can shut down a system when running a security exercise, updating a piece of software or installing new hardware. This is often not the case in operating assets that are expected to run 24/7, making cyber security especially difficult.
Lack of regulatory requirements or corporate standards: There are no regulations forcing oil and gas companies to invest in industrial cyber security. Most companies have some kind of industrial cyber security standards in place, but they are often not uniformly adopted or maintained across all of their operating assets, resulting in coverage gaps and vulnerabilities.
What are some simple ways that oil and gas companies can make big improvements in industrial cyber security?
One of the deceptively simple ways for companies to address industrial cyber security is by looking at the humans involved in their operations. Human behaviors are an essential component of any robust cyber security strategy.2 Oil and gas companies invest time and money in general cyber security education for their employees, but this is not always the case for industrial cyber security, so this is a good place to start.
Another way is by selecting a recognized industry standard or framework on which to base your corporate strategy. Other organizations have made significant investments in their development, so use them to your advantage.
Lastly, invest in aligning your enterprise IT and operational IT organizations. This is often easier said than done, but without strategic alignment of both teams, any industrial cyber security program is set to fail. These two groups often have competing agendas and objectives. Enterprise IT wants to improve data security and accessibility by adopting innovative technologies; operational technology wants to keep assets and legacy infrastructure running by maintaining existing technology and adding tried-and-tested products. But if you fail to address the concerns of either one in your cyber security agenda, you risk low adoption and possible failure.
Investing in education, selecting a standard, and achieving organizational alignment are just some of the ways oil and gas companies can address industrial cyber security concerns.
1 “How Energy executives can boost resilience in the face of cyber risk,” https://www.accenture.com/sa-en/insight-energy-development-building-business-resilience-infographic
2 Sloman, Colin. "What impact does human behavior have on cyber security?" https://www.accenture.com/us-en/blogs/blogs-what-impact-human-behavior-cyber-security