Cybersecurity

Strengthening Cyber Resilience in the Oil and Gas Industry

The oil and gas industry uses a variety of complex systems and technologies that are becoming increasingly vulnerable to cyberattacks. Now, through the Cyber Resilience Pledge, more than 20 global CEOs have committed to work together to improve cyber resilience across the ecosystem.

WEFcyberresilience.jpg
Source: Bing Guan/Reuters

The oil and gas industry uses a range of complex systems and interconnected technologies to extract, transport, and refine oil and gas products. While these technologies are necessary to support the delivery of energy services and products, they are increasingly vulnerable to cyberattacks, thus making cybersecurity critical to collective resilience.

The World Economic Forum's Centre for Cybersecurity launched in 2020 the Cyber Resilience in Oil and Gas initiative as part of its efforts to strengthen cybersecurity across multiple industries. The initiative consist of a community of more than 40 public and private organizations working together to drive forward collective action on cyber resilience.

One of the key initiatives of the community is the Cyber Resilience Pledge. A first of its kind, the pledge is endorsed by 21 oil and gas chief executives committed to taking a common approach to cyber resilience and protecting digital infrastructure and assets in the sector.

Pledge endorsers include Aker, Check Point Software Technologies, Claroty, Cognite, Dragos, Ecopetrol, Eni, EnQuest, Galp, Global Resilience Federation, Institute for Security and Safety, KnowBe4, Maire Tecnimont, Occidental, OT-ISAC, Petronas, Repsol, Shell, Saudi Aramco, Schneider Electric, and Suncor Energy.

By signing the Cyber Resilience Pledge, all parties endorsed the cyber resilience principles to guide leadership and board members through the process of cultivating a cyber-aware and resilient corporate culture.

"One company working alone is effectively like locking the front gate while leaving the back door wide open," said Amin H. Nasser, president and CEO of Saudi Aramco. "We must work together if we want to truly protect the critical energy infrastructure that billions of people around the world depend upon."

The Challenges of Cybersecurity in the Oil and Gas Industry
The oil and gas industry powers the global economy and is vital to national security. For this reason, protecting this part of the critical infrastructure is fundamental for maintaining the security of people and stability of societies.

With a heavy reliance on technology and information systems to operate, a successful cyberattack against an oil and gas company could have serious consequences, such as operational disruptions, economic losses, reputation damage, and even environmental harm.

"Critical infrastructure security is at a pivotal juncture, where threats are proliferating and evolving, but there's also a growing collective interest and desire in protecting our most essential systems," said Claroty CEO Yaniv Vardi.

To illustrate, an attack against a major US pipeline system in 2021 not only resulted in the disruption of operations and financial losses for the company but also had a cascading effect on other industries. For example, the aviation sector saw disruptions because of jet fuel shortages, and the fear of a gasoline crisis caused panic buying, which in turn led to price spikes at gas stations across the US.

Additionally, during times of geopolitical conflict, the oil and gas sector, as the owner and operator of critical infrastructure, is a target for nation-state actors, hacktivists, and other attackers motivated by political, economic, or strategic interests. For example, before the Ukraine crisis, at least 21 gas producers in the US experienced cyberattacks targeting the production, exportation and distribution of liquified natural gas.

The Cyber Resilience Pledge was launched at the Annual Meeting in Davos in 2022. It is based on six guiding principles for cyber resilience that are specific to the oil and gas industry. These principles are designed to help boards of directors take action on cybersecurity within their organizations.

Read the full story here.