The future of the oil and gas industry, through a cyber risk lens

Deepa Seshadri

While some might say that the future is now, others would argue that the future is just beginning to unravel itself. I’m not much of a crystal ball reader, but I can look through the risk lens to tell you that technology is going to fuel a future that is even more connected, agile, and seamless than today. The same holds true for the oil and gas (O&G) industry, where the future will likewise be agile and data-driven. As O&G companies prepare for that future, it’s important to look at it through a risk lens – determining where risks lie and taking steps to anticipate and mitigate them.

The O&G industry plays a pivotal role for many nations; countries have depended on it for their prosperity and growth and will continue to do so. Accordingly, it’s not surprising that national security apparatuses guard oil rigs and refineries in almost all countries. While these measures protect assets physically, a more insidious threat comes from attackers that are hidden from plain view. When these adversaries strike, their effects aren’t just felt on the ground; rather, they also reverberate across stock markets and board rooms. So it’s only natural that board members focus their attention on this far-reaching, current and future threat: cyberattacks.

The State of Cybersecurity in O&G

The O&G industry is heavily regulated in many countries from a policy perspective, yet there are hardly any cybersecurity guidelines or frameworks from governments or industry groups. What’s more, there can be a tendency to downplay cybersecurity in industrial environments such as O&G – assuming, for example, that Internet of Things (IoT) devices used in operations (such as sensors for valve monitoring) aren’t attractive hacking targets, the same way a bank’s network might be. But in an industry like O&G with an integrated upstream and downstream supply chain, cyber risks and incidents can have a “domino effect.” Setting and executing standards and frameworks can help reduce these threats and errors.

To better visualize the consequences of inaction, picture this scenario: Witnessing how technology continues to transform the business landscape, a major O&G company has been investing in technology and automation. The company has also heavily invested in the Industrial Internet of Things (IIoT), and built a data backbone to link its offices, rigs and refineries – along with its entire supply chain and retail locations across the globe. It is, after all, a connected world. The company’s suppliers, likewise, are in sync with this enterprise technology vision. But although these connections and interdependencies drive great efficiencies, they also introduce potential vulnerabilities.

Here’s an example of how business could be disrupted. One afternoon, as a board meeting is concluding, the CEO gets a phone call: The company’s retail fuel station network has halted operations across the world. The CTO states that the company’s network is under a ransomware attack; its refineries could be the next target.

What might have gone wrong here? The O&G company’s network had been set up by the best names in the industry, with vendors adhering to stringent standards. A strong cybersecurity posture was lacking, though – while the company had intended to invest in a robust cybersecurity infrastructure, this hadn’t been prioritized from a time and budgetary perspective. Even the board had considered such an investment as overkill, figuring that companies don’t shut down operations completely due to a cyberattack. In addition, the company had previously discussed implementing IEC 62443 standards – which fortify IT security for Industrial Control System (ICS) networks – but plans were put on the backburner, since the standards are not industry requirements.

A Focus on the Future

A scenario similar to this one has already played out earlier this year, and it had a crippling impact in the form of fuel shortages and price spikes in multiple states. The business impact and some precipitating factors of this attack were similar to the scenario mentioned above – underscoring the need to address the risks and their root causes leading to such an attack.

Could investments in cybersecurity help avert situations like these? Could the board take on a greater role in cybersecurity strategy and execution – asking key questions; including someone with cyber expertise on the board, where possible; and helping implement strategies to prevent, address and recover from such attacks? Rather than have to ask questions like these in the wake of an attack, companies can proactively plan for a crisis by preparing for technology disruption scenarios (including cyber incidents). They can increase the resiliency of their business by placing as much importance on response efforts as on prevention and detection, including business resiliency planning and simulation exercises.

Cybersecurity and the future of the O&G industry are also impacted by another key challenge: the need for O&G enterprises to focus on renewable energy and offset their carbon footprint. Efforts to transform, address this challenge and abide by more responsible business practices will introduce new players and partners into the O&G ecosystem, who will need to integrate with the entire technology network. But linking systems introduces risks, as the partners may not have the same cybersecurity standards and requirements – opening up O&G enterprises to potential threats via these third parties, and underscoring the need for effective third-party risk management.

In addition, as improvements in oil refining, supply chain efficiencies and other aspects of O&G come to the fore, plant design is another area that will face disruptive changes. With the upstream and downstream processes already embracing digital technologies, core manufacturing processes will have an increased reliance on data. This, too, introduces a heightened risk of cyberattacks, and necessitates awareness and risk mitigation.

The aim here isn’t to paint a grim picture – but, rather, an informed, future-forward and progressive one, where potential risks can be identified, anticipated and even transformed into growth opportunities. By taking a proactive approach to cybersecurity, O&G companies can also demonstrate their commitment to protecting their assets and revenue, minimizing downtime and maximizing business resilience. The automobile industry took a while to embrace the latest in digital technologies, but with the advent of Tesla, adoption has taken on an accelerated pace.

The question is, what will be the Tesla moment for the oil and gas industry?