By: Prasenjit Saha, Executive Vice president and Global Cyber Security Business Leader, LTIMindtree

Oil & Gas (O&G) companies operate in a geopolitically sensitive industry that remains a vital component in the global economic wheel, and has always been vulnerable to cyber security attacks. The risk has only increased in modern times, with miscreants seeking to exploit various digital technologies for their nefarious designs.

Around 43% of O&G organizations worldwide polled recently by cyber security major Symantec admitted to their security infrastructure having been breached at least once a year. And, 42% of energy enterprises revealed being victims of phishing attacks in PwC’s Global State of Information Security Survey of 2016.

As the physical and digital worlds increasingly converge in the era of Internet of Things (IoT), hyper mobility and cloud computing, O&G enterprises realize the pressing need to plug IT security loopholes. This imperative is all the more crucial, given the rapid pace of digitalization of the energy value chain, spanning various O&G functions.

Indeed, the industry could fall prey to a cyber security breach across different stages of its operations–exploration and production (E&P), and development. Since O&G companies work with multiple vendors, and across numerous energy wells throughout different locations, they employ centralized systems to manage a plethora of standalone security applications. This leaves them vulnerable to sabotage by miscreants, including pilferage of proprietary data concerning exploration, business intelligence (BI) and enterprise resource planning (ERP) production, or interference in drilling operations.

Furthermore, as energy organizations aggressively deploy IoT to merge their operational technologies (OT) with enterprise applications, the risks of a cyber intrusion into these assets are only growing. Attackers could exploit real-time information relating to a downstream entity’s refining and production schedule, an upstream organization’s cross-location E&P calendar, or planned maintenance activities, to disrupt business. They might also breach firewalls to orchestrate oil spills, plant shutdowns and outages, apart from manipulating plant equipment measurements to project false readings. Alternatively, attackers could install malware to project fraudulent information regarding energy stocks, creating chaos in the supply demand chain. Moreover, malefactors could potentially trigger oil explosions by remotely controlling burner management systems.

Current state of cyber security readiness
For O&G enterprises to accrue tangible–and sustainable–business benefits from their IoT rollouts and broader digital transformation initiatives, addressing the cyber security risk dimension is critical.However, many companies remain grossly underprepared to mitigate cyber security risks.

A survey of the US O&G cyber security risk managers carried out in February 2017 by Ponemon Institute, found only 35% of respondents expressing confidence over their OT’s robustness to handle cyber security issues. The same poll also revealed nearly 61% of respondents deemed their enterprises’ industrial control systems protection and security inadequate.

How to move forward?
In order to mitigate the threat of cyber attacks, O&G companies must design and implement advanced monitoring solutions that are anchored by an effective risk management framework. The framework should be flexible enough to incorporate different technologies, such as user behavior analytics, encryption of static and dynamic data, cloud workloads and endpoint hardening.

Private clouds, for instance, could emerge as a key enabler on this front, with off-premise managed security services helping integrate, oversee and enhance virtual security and privacy. Specific use cases here could include user authentication and access management, data loss prevention, and monitoring and analytics.