Digitisation opens up security weakness in oil and gas

The oil and gas industry needs to address the security risks associated with operational technology and vulnerable IT systems, says Ponemon Institute report

A report from the Ponemon Institute has painted a damning picture of the state of technology in the oil and gas industry.

The report, based on a survey of 1,092 qualified respondents in Europe, the Middle East, Asia-Pacific and the Americas, was sponsored by Siemens.

Among the companies that took part in the study, Ponemon Institute found that 68% said they had experienced at least one cyber compromise.

The report stated: “Many organisations lack awareness of the OT [operational technology] cyber risk criticality or have a strategy to address it.”

The survey also warned that 61% of respondents felt their organisations’ industrial control systems protection and security is not adequate.

The report noted that while oil and gas companies have benefited from digitisation, 66% of respondents admitted it has made them more vulnerable to security compromises.

Only 33% of the organisations that participated in the survey believe there is full alignment between operational technologies (OT) and IT with respect to cyber security operations.

Some 60% said they do not have enough staff and only 45% of respondents said they have the internal expertise to manage cyber threats in the OT environment.

Negligent, malicious or criminal insiders pose the most serious threat to critical operations, while the biggest vulnerability to oil and gas companies is outdated and aging control systems in facilities.

Some 63% of the businesses surveyed said outdated and aging control systems in facilities put organisations at risk.

The respondents also pointed a finger at IT, with 61% saying that standard IT products with known vulnerabilities were being run in their production environments.

While 68% of the organisations saw a need for advanced techniques such as security analytics, Ponemon Institute’s research also found companies were slow at adopting more secure technologies.

In the next 12 months, less than half of organisations represented (48% of respondents) plan to use encryption of data in motion, only 39% plan to deploy hardened endpoints and only 20% will adopt user behaviour analytics (UBA).

Ponemon Institute’s research follows on from a report published in January 2017 by the European Union Agency for Network and Information Security (Enisa), highlighting the risks of cyber attacks on critical national infrastructure. According to Enisa, many senior managers in utilities, transportation, healthcare and manufacturing are unaware of the security risks in industrial systems.
