
3 Distinctive Factors Making Cybersecurity Awareness Worse in the Oil & Gas Industry

Image credit: Fox Media

Humans

Human error is behind the spread of most malicious code, and the Oil & Gas industry is no exception, according to a study shared by Norway's DNV. In offshore installations, incidents caused by human error reach 80%.

How do you deal with imperfect Homo sapiens, the usual cause of "unintentional" vulnerabilities? Yes, train them and build barriers! Well, as you already know, that is easier said than done. We humans don't always follow the procedure.

One episode of complacency or one irrational act may be enough for a major exposure. You, the person in charge of cybersecurity at an Oil & Gas company, need to make sure that everyone knows the specific cybersecurity risks on an oilfield, offshore platform, refinery, or in the office. That's where it all starts: awareness.

Measuring awareness

Awareness is a non-technical metric. It comes down to finding out who has taken and completed the training and checking whether they understood the material. You quiz or survey staff about their knowledge of cybersecurity risks at the organizational, departmental, and individual levels.

People must know and understand how to stay safe in the age of the Internet of Things, and companies run security awareness campaigns to that end. The biggest challenge in measuring such awareness is quantifying human behavior. Some of your peers use alternative approaches:

  • to check non-ICT staff's prudence, see how they react to a simulated phishing email;
  • to test your ICT colleagues' vigilance, run simulated attacks, a sort of military drill.
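As an added example (not from the article or from Energy Central), here is how the quiz results and phishing-simulation reactions described above can be rolled up per individual, department and organization, keeping the knowledge metric (quiz) separate from the behaviour metric (what people did with the simulated email). The employee records are constructed sample data and the pass mark is an assumption.

```python
# Added example: roll up security-awareness metrics from training, quiz
# and phishing-simulation results. All records below are constructed.
from collections import defaultdict

# completed: finished the awareness course; quiz: score 0-100;
# phish_clicked: followed the link in the simulated phishing email;
# phish_reported: reported the simulated email to the security team.
EMPLOYEES = [
    {"name": "A. Jensen", "dept": "Offshore Ops", "completed": True, "quiz": 85, "phish_clicked": False, "phish_reported": True},
    {"name": "B. Olsen", "dept": "Offshore Ops", "completed": True, "quiz": 60, "phish_clicked": True, "phish_reported": False},
    {"name": "C. Berg", "dept": "Offshore Ops", "completed": False, "quiz": 0, "phish_clicked": True, "phish_reported": False},
    {"name": "D. Hansen", "dept": "Refinery", "completed": True, "quiz": 90, "phish_clicked": False, "phish_reported": True},
    {"name": "E. Lund", "dept": "Refinery", "completed": True, "quiz": 75, "phish_clicked": False, "phish_reported": False},
    {"name": "F. Dahl", "dept": "Office IT", "completed": True, "quiz": 95, "phish_clicked": False, "phish_reported": True},
]

PASS_MARK = 70  # assumed quiz pass threshold


def individual_score(rec):
    """Return (knows, cares): quiz measures knowledge, the simulation measures behaviour."""
    knows = rec["completed"] and rec["quiz"] >= PASS_MARK
    cares = (not rec["phish_clicked"]) and rec["phish_reported"]
    return knows, cares


def summarise(records):
    """Rates per department plus an 'ORG' total: completion, quiz_pass,
    click_rate and report_rate, each as a fraction of the group's headcount."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["dept"]].append(rec)
    groups["ORG"] = list(records)
    out = {}
    for dept, recs in groups.items():
        n = len(recs)
        out[dept] = {
            "completion": sum(r["completed"] for r in recs) / n,
            "quiz_pass": sum(individual_score(r)[0] for r in recs) / n,
            "click_rate": sum(r["phish_clicked"] for r in recs) / n,
            "report_rate": sum(r["phish_reported"] for r in recs) / n,
        }
    return out


def needs_follow_up(records):
    """Names of staff who do not both know and care, i.e. anyone who skipped
    training, failed the quiz, clicked the link or did not report it."""
    return sorted(r["name"] for r in records if not all(individual_score(r)))


if __name__ == "__main__":
    for dept, rates in summarise(EMPLOYEES).items():
        print(dept, {k: round(v, 2) for k, v in rates.items()})
    print("follow up:", needs_follow_up(EMPLOYEES))
```

A department can show 100% training completion and still have a high click rate, which is exactly the gap between being aware and caring.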

The distinctiveness of the Oil & Gas industry

Although a bit outdated by the time this article was published (18.09.2020), DNV's 2015 findings highlight the following top 10 cybersecurity vulnerabilities in the Oil & Gas industry:

  1. Lack of cybersecurity awareness and training among employees
  2. Remote work during operations and maintenance
  3. Using standard IT products with known vulnerabilities in the production environment
  4. A limited cybersecurity culture among vendors, suppliers, and contractors
  5. Insufficient separation of data networks
  6. The use of mobile devices and storage units including smartphones
  7. Data networks between on- and offshore facilities
  8. Insufficient physical security of data rooms, cabinets, etc.
  9. Vulnerable software
  10. Outdated and aging control systems in facilities.

I assume you would agree that these vulnerabilities remain in the same priority order today from a global Oil & Gas industry perspective, and the Norwegian industry is esteemed as being at the forefront of adaptation and innovation by global standards. The Oil & Gas industry usually invests in long-term projects and infrastructure. The combination of outdated infrastructure and a rapidly changing world makes your task of keeping everyone aware more challenging.

Working at a fossil fuel company in the era of renewable excitement, you have a challenge attracting young talent who can keep up with modern trends. That recruitment challenge makes your goal of making people understand the risks even harder.

Unobvious ransomware attack consequences

In 2019 Mexico's PEMEX became the victim of a ransomware attack. The attackers demanded 4.5 MLN Euro to decrypt the data. As a big and serious organization, PEMEX managed to keep its OT systems safe and prevent production disruptions. Yet PEMEX urged employees not to connect to the network and to back up important data externally. As reported, they had problems paying employees on time because the hackers damaged the booking system. Yes, PEMEX managed to safeguard the operations of its exploration & production, refinery, petrochemical, and gas processing complexes. But attacks like that can leave many people disturbed, especially when they don't get their salaries on time. Imagine such a distraction at your organization due to a cyber-attack.

Knowing vs. Caring

After deploying a state-of-the-art training program with enough frequency and a certification procedure, you may still find yourself witnessing recurring negligence. Why does that happen? Well, sometimes you may assume that if people are aware then they care. Right? Wrong! Look, you may have aware people, but that doesn't always mean that they care.

Yes, culture matters here. And it takes time until the right preventive culture is established, where people both know and care. You need patience, frequency, consistency, and persistence in training those colleagues who are not considerate.

Return rates on cybersecurity investments derailed by unaware/careless staff

Homer Simpson can ruin your cybersecurity guard despite the huge investments in costly industrial automation tools, control systems and expensive consultants for which you got your CEO's blessing. The moment Homer uses his phone for leisure or leaves the system network unprotected while rushing to the buffet for his morning donut-eating ritual, he exposes his data about critical infrastructure to unauthorized access. Malicious code threatens production equipment and voilà: the output is shut down. Your CEO is angry and, more importantly, curious how this is possible after investing so much money in securing OT systems. Here is what EY's Global Information Security Survey says about Homer(s):

EY's findings on awareness

D'oh!

COVID impact

The COVID pandemic significantly and unexpectedly increased the need for remote work in 2020 to assure production continuity in Oil & Gas assets. Today the level of vulnerability is much higher due to the need to maintain and operate upstream, midstream, and downstream assets remotely. How do you discover, and keep everyone around you aware of, the novel cybersecurity risks emerging in the current COVID period and the post-COVID era? I can hear you. It is an issue because the scale of remote work has brought a new type of risk to a higher priority.

Workforce culture

Security-related risks are reduced by 70% when businesses invest in cybersecurity training and awareness. As mentioned above, the Oil & Gas industry has a combination of 3 distinctive factors that make cybersecurity awareness worse compared to other industries:

  • outdated infrastructure;
  • the challenge of attracting enough young ICT talent due to its "dirty energy" reputation;
  • a fast-changing world.

You should focus on what is in your control. The optimal thing to do is to cope with what is there, i.e. adapt existing equipment and change people's habits from the top down. To understand how, you need to look at what others are doing about it.

P.S.

If you have never watched The Simpsons animated sitcom: Homer Simpson is the patriarch of the Simpson family. He works at the Springfield Nuclear Plant as a safety inspector. Although a good man, he is the embodiment of ignorance. He is my favorite because he is human.

Discussions

Matt Chester on Oct 22, 2020

After deploying a state-of-the-art training program with enough frequency and a certification procedure, you may still find yourself witnessing recurring negligence. Why does that happen? Well, sometimes you may assume that if people are aware then they care. Right? Wrong! Look, you may have aware people, but that doesn't always mean that they care.

Yes, culture matters here. And it takes time until the right preventive culture is established, where people both know and care. You need patience, frequency, consistency, and persistence in training those colleagues who are not considerate.

This is a great point. I think you can see it happening across sectors too. Having the training brings a surface level of awareness, but doesn't necessarily create buy-in. Just look at how many employees tend to fall for test phishing email campaigns just weeks after getting phishing training, for example. Leaders need to make sure employees treat the cybersecurity measures as integral, as a core part of their daily job performance.

Rauf Fattakh on Oct 23, 2020

Matt, I think it will take a generational transition to witness the behavioral change.

Henry Craver on Oct 29, 2020

How long do you think 'Humans' will remain a liability to power companies? Getting employees up to speed on the dangers of cyber attacks and how to resist them seems like an obvious move right now, but in the near-ish future shouldn't new, AI-powered software take us out of the driver's seat?

Rauf Fattakh on Oct 29, 2020

Hi Henry. The biggest vulnerability in any system is between the chair and the computer. Yes, giving control to AI would solve the immediate problem. But when we get there, a whole bunch of moral matters will still need to be dictated by humans to define what is good and what is bad. Hackers may also employ AI...
