International oil and gas companies are facing an increased risk of cyberattacks and will need to change the way they approach risk management to reduce the impact of cyberthreats, a recent Master's study by Stellenbosch University political scientist Kayla Mc Ewan shows.
She says that, by digitalising their systems to increase productivity and profitability, oil and gas companies are opening themselves up to a greater risk of being the target of a cyberattacks that can result in the theft or destruction of intellectual property, espionage, extortion and massive disruption of operations.
She points out that research by professional services multinational EY has shown that the oil and gas industry faces more cyberattacks and phishing attempts than other industrial sectors.
There is, nevertheless, limited information on the full impact of cyberattacks on the oil and gas industry despite it being targeted more than other industrial sectors, highlights Mc Ewan.
It is important for oil and gas companies to start developing management strategies to address the risk of cyberthreats. The industry must also identify vulnerabilities that exist throughout the industry as a key part of developing plans to either mitigate or manage cyberthreats, she says.
“Vulnerabilities include, besides others, a lack of well-developed plans and programmes for monitoring, detecting and dealing with cyberthreats. The industry’s size makes it difficult to secure all the different automated systems and Internet of Things devices, while the reliance on traditional methods of security, untrained employees and the use of different firms, suppliers and vendors with different security systems to protect their assets also constitute vulnerabilities.”
Mc Ewan advises that technological methods of risk management, such as early warning and detection systems, can act as safeguards against cyberthreats. She adds that oil and gas companies should start to deploy anti-malware reputation servers to supplement traditional, signature-based antivirus software and also separate the business systems from operational systems.
"To manage the risk of cyberthreats effectively, evaluation needs to be conducted continuously to detect any form of breach or inaccuracy in a facility’s system,” she notes.
Mc Ewan proposes that oil and gas companies also start sharing information with one another regarding their experiences with cyberthreats and the steps they may have taken to manage them.
They should also be promoting cybersecurity awareness among their employees and train them accordingly, she states.