The energy industry is lagging behind other industries in protecting themselves against malicious hackers as cybersecurity protection remains weak and is not a priority.
Nearly seven out of ten respondents who work in the upstream, midstream and downstream companies said in a survey that their businesses have been compromised at least once during the year, with a loss of confidential information and disrupting their operations. Oil and gas companies are failing to protect themselves against hackers, according to a survey of 377 executives who secure or oversee cyber risk that was conducted by the Ponemon Institute, a Traverse City, Mich.-based privacy, data protection and information security policy research group, and sponsored by Siemens, a German-based electrification, automation and digitalization company.
The survey also revealed that 61% of respondents said their company has difficulty mitigating cyber risks with only 41% who said they continually monitor their infrastructure to prioritize threats and attacks. A large percentage of companies or 65% said the top cybersecurity threat is a negligent or careless insider and 61% said the company's industrial control systems protection and security is inadequate.
Energy companies have not updated their systems and technology, leading to the potential of large breaches that can affect major infrastructure needs in the U.S., said Mike Kail, chief innovation officer at Cybric, a Boston-based security-as-a-service platform provider.
"The overall evolution of operational excellence has lagged far behind industry trends and standards," he said. "The security issues and challenges within the oil and gas industry are monumental."
These industries need to be more pro-active in their approach towards infrastructure and security and failing to address these issues quickly can be far reaching.
"Not to be a doomsayer, but imagine what the consequences would be if critical infrastructure were to go offline for even a few hours due to an attack or breach," said Kail. "The original Mad Max movie gives a sensationalistic view into what could happen as a result of a longer term issue, but given our implicit reliance on such resources, it's not that far-fetched."
The businesses in the energy sector have focused too much of their resources and attention on physical security such as their plants and machinery instead of their technology.
These flaws lead companies more susceptible to attacks, said James Lee, executive vice president at Waratek, a Dublin, Ireland-based provider of application security solutions.
"To a hacker, the ways you attack a control application is just the same as how you steal information from a retailer or bank," he said. "The difference is a cyberattack against control technology puts lives at risk."
For years, the energy industry believed they were protected against hackers more because their energy management and industrial systems were physically isolated from everything else, said Nathan Wenzler, chief security strategist at AsTech, a San Francisco-based security consulting company.
"Even as they added localized servers and workstations to manage them, they were considered air gapped, but then employees would bring USB keys or other devices into those isolated systems and inadvertently compromise them," he said. "Then came the inevitable decision to network these systems or connect them to the Internet to allow for remote management."
The focus should not be on their employees and the industry needs to take a broader approach to tackle the inevitable evolution of their technologies and build a framework to protect and secure these systems "before it's too late," Wenzler said.
"For oil and gas industry respondents to stress multiple times that their largest area of concern is dealing with insider threats, whether accidental or malicious, is incredibly shortsighted to me," he said. "There's much more coming down the road that they may not be seeing and preparing for."
The largest group creating threats and attacks are the vendors, partners, suppliers and trusted advisors.
"If you are securing your front door as a hacker, I'm just going to break into you via your vendor," said Chris Roberts, chief security architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions.
Energy companies are failing to protect themselves against hackers and it is "not really a surprise that most of the companies on this list are still sitting there twiddling their thumbs," he said. "Welcome to reality. It is frustrating that once again regulatory compliance is pretty much being ignored in the interest of either productivity, bottom line and ultimately the almighty dollar as opposed to the safety/security first mentality."
The operational systems in the energy industry are interconnected with IT systems, increasing their risk.
"Basically, if your industrial control system (ICS) is not air gapped and you don't have good, well-defined protocols for how to move data between the two systems, you are at a huge risk," Roberts said. "If you are telling me that most companies are in the early stages, it simply means that they are ad-hoc, inconsistent and basically flying by the seat of their pants. This is not a good place to be if you are part of critical infrastructure and not somewhere we want to be relying on for core capabilities to keep the lights on."
Similar to many other sectors, the oil and gas industry is under "tremendous pressure to turn profits in the face of dropping prices and an increasingly competitive marketplace," and one strategy is slashing the IT budget, said Corey Thomas, CEO of Rapid7 (RPD), a Boston security data and analytics solutions provider.
The lack of improving and also investing in security can result in long term, negative implications because threats are not being detected quickly.
"Given the critical nature of the energy industry, this failure of investment opens the door to malicious actors," he said. "It's not an exaggeration to say that attacker methods evolve with every new incident. Our defenses and detections need to evolve as well and companies can no longer rely on the old method of 'block and protect' to secure their IT environment, especially when analytics is available to help reduce cybersecurity risk."