Many oil & gas companies don’t think they have much exposure to cyber threats, and as a result, energy companies spend almost nothing on cybersecurity. According to a 2016 Deloitte report, the average O&G company spends less than 0.2% of its revenues on cybersecurity, compared to over three times this amount spent by financial services providers.[i] A different report conducted by the Ponemon Institute found that the energy industry was the second most popular target for cyber-attacks, with nearly three-quarters of US O&G companies experiencing at least one cyber incident.[ii]
Addressing cybersecurity issues in O&G is a difficult job, given that this is a complex and diverse industry. However, digitalization and reliance on industrial internet of things (IIoT) technology are increasing the complexity of the cyber threat landscape and must be addressed. Opportunities for criminals abound, given the reliance on operational technology (OT) and information technology (IT) and the potential gaps in security between them. In addition, those operating within the O&G space are prime targets for hacktivists or state-sponsored hackers who are attempting to sabotage a company or steal proprietary information.
Cyber risk for the oil & gas space will be driven by a hacker’s exploitation of unsecured connections between IT and OT environments, leading to disruption of operations or exposure of proprietary information, and potential business income loss.
Additional cyber exposures for the O&G industry include:
• Wire transfer fraud: wire transfer schemes based on business email compromise or social engineering can result in funds going to the wrong place and cause significant losses.
• Lost/stolen devices: given that some O&G companies have employees ‘on the road’ or ‘in the field’, stolen unencrypted laptops or smartphones containing sensitive proprietary information can be costly.
• Phishing attacks: these highlight an organization’s great vulnerability, its people, and have become prevalent because of their success. Such attacks often result in compromised email systems.