Despite companies generally becoming more cyber resilient (as evidenced by Accenture’s latest survey on Cyber Resilience the volume of cyber-attacks continues to increase. Accenture’s Cyber Resilience research shows that while the number of targeted cyber-attacks doubled in 2017, security investments by companies is increasing their resilience. This also holds true for the oil and gas sector, where the research shows that in 2017 only 5% of oil companies could identify 75% or more of cyber threats, which increased to 27% in 2018.
The oil industry is not only getting better at identifying cyber threats, but is also responding and dealing with them faster. On average, in 2017, it took 17% of oil and gas companies surveyed, less than one day, on average, to detect a successful breach (compared to an industry average of 12%). Oil companies were also faster at dealing with the impact of cyber-attacks and getting their business back to normal.
This is just as well. As oil industry assets grow more intelligent through digital connections, so the exposure to cyber threats increases. Furthermore, as technology is evolving from pure hardware into the cloud and becoming increasingly “edgeless”, there is a growing assumption that more cyber-attacks are inevitable for every company.
For the oil sector, it should also be a focus area for improvement. Partnerships, joint ventures and a large contingent workforce are fundamental to this industry. While better than average at protecting their supply chain or ecosystem from cyber threats (measured by holding its partners to the minimum standards for cyber security) the oil industry lags on holding it partners to the same or higher security standards.
There is wider pressure to increase cyber resilience for many industries particularly from new regulations. In Europe, in November 2018, the Network and Information Security (NIS) Directive comes into force for operators of essential services, including electricity, oil, and gas companies. They will need to comply with minimum security and incident notification requirements or risk facing high fines. Cyber-attacks can already cost a company millions of dollars and force it to take down thousands of its systems. Now, in Europe at least, protecting your business and protecting essential public services are becoming fundamentally interlinked. For example, in the UK, the government is estimating fines for cyber breaches affecting essential services could be as high as £170 million.1 There is also wider pressure on companies in Europe from the recent General Data Protection Regulation (GDPR) which is advocating that companies better educate and protect their customers around data privacy and security.
Cyber resilience is now becoming part of a wider set of responsibilities for oil companies as they work to maintain both their licence to operate and their commitment to their stakeholders. Managing exposure to attacks will no longer be just a matter of protecting their reputation, share price and operations, but, for oil companies, will be part of a greater responsibility for national services and security.
While the Accenture survey shows that investment in cyber resilience by oil companies is expected to increase by over 30% over the next three years, there is still more to be done. Another cyber research report by Accenture shows that that only 13% of companies surveyed plan their security budgets based on past, present, and future risks and most struggle to expand the influence of their Chief Security Officer from security through to the business. Investment in newer technology areas is also needed - notably to overcome gaps in systems which are increasingly disconnected and to automate more responses in real-time.
Accenture’s 2018 digital refining survey shows that while oil companies are maintaining technology spend on traditional technologies in segments like refining, they are focusing less on newer technology investments2 such as artificial intelligence and machine learning which can support better cyber security. Good cyber resilience starts inside out and the stakes are now higher with governments and society both expecting more and monitoring more.
1 UK Government Press Release “New fines for essential service operators with poor cyber security”, August 8th, 2017 -https://www.gov.uk/government/news/new-fines-for-essential-service-operators-with-poor-cyber-security
2 Accenture’s The Intelligent Refinery showed refiners investing a higher proportion of their digital technologies budget to advanced process control technologies (over 50%) than for tools to improve cybersecurity (28%) or automation (8%)