Cybersecurity Threats Require More Hands-On Investment by US Oil and Gas Companies

By Martin Riley, Director of Managed Security Services, Bridewell

The US oil and gas industry is going through an exciting period of change, with a noticeable trend towards integrating new technologies into their operations that improve their environmental impact, streamline services and enhance their customer experience. Much of this transformation has been driven by the demand for data and leveraging IoT, AI and automation, and has helped to modernise how many US oil and gas companies operate. While these technologies are rightly attracting significant investment in the sector, it’s an opportune moment for these businesses to also review how they’re investing in cyber security.

The challenge for many US oil and gas companies is that they want to realise the benefits of digital transformation at pace, which means building these new capabilities quickly. However, as the industry is well aware, this cannot come at the expense of cyber security. For these companies, cyber attacks are a disruptive threat to their operations that outweigh the benefits of rapid digital transformation. In the last few years, these attacks have become more frequent and sophisticated as threat actors have become more skilled and ambitious in their goals.

This threat is particularly prevalent in the US where, just last year, the largest ever attack upon the oil and gas industry took place with Colonial Pipeline falling victim to ransomware. The attack extorted millions of dollars from Colonial Pipeline and led to them shutting down their pipeline for several days as they brought their comprised billing system back online. With these risks in mind, US oil and gas companies are right to question how they can most appropriately invest in cyber security to enable their wider digital transformation and mitigate cyber risks.

Why are cyber-attacks increasing in the oil and gas industry?

Historically, oil and gas companies have clearly separated their IT and “Operational Technology” (OT). This has been beneficial for these companies as it meant IT issues couldn’t have a direct impact on their operations. However, this separation has been diminished in recent years by the convergence of IT and OT, driven by digital transformation. As the industry has trended towards connecting more OT systems to the internet along with the introduction of IIoT, they’ve increased their availability at the expense of greater security risk.

In practice, the blurring of IT and OT technologies has created major visibility challenges, as well as a gap in ownership and skills. As a result, issues that affect IT now impact operations; making it a potential attack vector into the OT environment. It’s also worth mentioning the technology in “OT” has been designed to be in service for up to 30 years. While this is standard for the industry, it means vulnerability and risk management have historically followed a different process and leaves vulnerabilities open for potential exploitation.

For oil and gas companies, the challenge is fundamentally that the new security risks they face are less known to existing teams, unquantified and relatively new. Accordingly, understanding the scope of the threats they face and where they should be investing is difficult. While many have the resources to secure their IT and OT environments, the main questions they need to answer are “where should we start investing?” and “what is best practice?”.

Where should oil and gas companies be investing?

With these trends in mind, it’s clear the perspective of the industry and the US as a whole is changing. This year, President Biden implemented new measures designed to tackle ransomware operations for core national infrastructure – a group which oil and gas naturally falls into. The measures state that companies falling victim to ransomware must disclose it within 72 hours – thereby building a stronger understanding of how threat actors are targeting US companies.

Biden’s new measures align with the NIS directives already in place in Europe which mandate operators of “essential services” report security incidents to relevant bodies “without undue delay”. As a whole, the NIS directives provide a strong basis for US oil and gas companies in understanding where they should focus. As part of an upcoming report from Bridewell Consulting, 91% of the respondents surveyed in oil and gas, electricity and smart energy agreed the NIS Regulations and cyber security oversight process has improved their cyber security posture.

Particularly relevant for these companies is the NIS’ clear focus on detection and response. Objectives C and D of the NIS security principles mandate that organisations implement monitoring to detect potential security problems, track the effectiveness of their existing security measures and detect anomalous events in relevant network and information systems. Organisations also need to put suitable incident management and mitigation processes in place to make a more resilient service. For US oil and gas companies, applying some of these practices to their own operations will drive their ability to detect threats and respond appropriately.

Aside from improving their detection and response, underpinning asset visibility, these companies can also benefit from investing in assurance activities, such as red team assessments. Ideally, they should become standard practice across the whole industry to ensure that these companies are sufficiently prepared. Given their vulnerability and risk management has traditionally been lacking, this will help them identify potential problems and signpost other areas for subsequent investment based upon targeted activities that mimic an attackers methodology.

Finding the right approach to security transformation

The challenge for US oil and gas companies is the complexity and time needed to build these capabilities internally. As these companies continue their wider digital transformations, they ideally want their cyber security to keep pace and support it. While many could build the resources to effectively augment their detection and response given enough time, it could take several years to recruit, train and embed the right cyber security personnel into their business for this purpose.

This is where working with a cyber security services provider such as Bridewell Consulting can help. With our Managed Detection and Response services, we can help oil and gas companies build these capabilities in a matter of minutes or hours. With cyber security experts acting as an extension of their team, they can rely on us to manage, detect and respond without the delays of scaling internally.

With US oil and gas companies undergoing major change, outsourcing management and detection can ensure their cyber security is enabling digital transformation rather than hindering it. Regardless of the approach US oil and gas companies take, however, the most important thing is that they begin investing in cyber security today.

About the Author

Martin Riley, Director of Managed Security Services, Bridewell. Martin joined Bridewell in 2021 as Director of Managed Security Services. A Board Director, he is responsible for leading the continued growth and scaling of Bridewell’s Managed Security Service portfolio, including the Security Operations Centre (SOC) and Managed Detection and Response (MDR) service.

Martin has nearly 20 years’ experience in designing, implementing and leading on secure networking solutions across on premise, public, private and hybrid cloud services. Prior to joining Bridewell, he was CTO of Timico where he was responsible for the strategic direction and digital transformation of the business as well as service development. Before this he was Head of Infrastructure at Adapt.

Martin is passionate about the role cyber security plays in infrastructure and cloud services. He is Azure certified and is an AWS Architect, with accreditations in Cisco and Juniper Networks.

Linked In – https://uk.linkedin.com/in/martinariley

Company Website – www.Bridewell.com