Opinion: The oil and gas sector must not be complacent about cyber security

Written by George Scott, Director for KPMG’s cyber and privacy practice in Scotland.

The recent financial pressures as a result of the oil downturn have left cyber security functions for many firms within the oil and gas sector considerably underfunded and out of date.

This has the potential to create a wealth of opportunity for cyber criminals to test their capabilities, and those operating in the oil and gas sector must not be complacent.

The high-value and high-profile nature of the sector, coupled with the complex layers of supply chains, processes and industrial controls, makes the industry a potentially high-value target for hackers. An attack could be for financial gain, to steal intellectual property or data, or to cause operational disruption.

It’s therefore easy to appreciate why our 2017 global CIO survey found that confidence in cyber security has steadily fallen, with only one in five IT leaders feeling well prepared to respond to an attack. Meanwhile the number of serious cyber-attacks has continued to rise, with one in three businesses reporting a major attack in the past two years, 45% higher than four years ago.

In the oil and gas sector, CIOs face a huge task in ensuring all systems are updated with the latest security patches. Today’s operations use increasing levels of automation – complex and interconnected sub-systems, from operational and hydraulic to mechanical and electrical. System monitoring, inventory control, and information and business systems all link together for the business to function. A problem in one system can have a cascading failure effect on the entire operation, so all of these must be secure.

In addition, on 25 May 2018 the new EU General Data Protection Regulation (GDPR) comes into effect, which will directly impact any organisation in the UK and worldwide which has dealings with consumers and businesses in EU member states. This will fundamentally alter the scale, scope and complexity of the way personal information is processed, and the threat of fines for businesses that fail to comply will create a step change in the digital landscape. While GDPR will inevitably play a major role in bolstering cyber security defences by forcing businesses in oil and gas to reflect on their own digital systems, and how they handle data, the preparation will require significant investment.

Fortunately, with confidence growing in the sector and investment returning, now is the time for firms to take a serious look at how effective existing security arrangements are, what has changed in the threat landscape in recent years, and what level of investment in cyber security and privacy will be needed to keep risks at an acceptable level. It’s essential for boards to examine how time is being spent on cyber risk and question whether those accountable have a clear enough and well explained view of the risk they’re accepting, consciously or otherwise.

If successful, a cyber-attack could prove catastrophic in the oil and gas sector. In light of recent attacks, such as May’s WannaCry ransomware attack, which wreaked havoc on the NHS, and the more recent Petya attack, cyber security capabilities and investments must be reviewed regularly. Further attacks that disable operational or business systems are likely to arise, and the GDPR means organisations now have a legal obligation to act. Taken together, there is no excuse for complacency.