WEF’s Cyber Resilience Pledge ropes in oil and gas companies to mitigate growing cyber risks, promote resilience

The World Economic Forum (WEF) announced that 18 oil and gas organizations are championing the building of a unified approach that mitigates growing cyber risks and pledges to promote cyber resilience. The Cyber Resilience Pledge recognizes the fact that a much more collective preparedness is needed and promotes a shift towards a resilience-by-design culture, ecosystem-wide, cyber-resilience plans, and greater collaboration between players.

The global organizations that have taken the pledge include Aker ASA, Aker BP, Aramco, Check Point Software Technologies, Claroty, Cognite, Dragos, Ecopetrol, Eni, EnQuest, Galp, Global Resilience Federation, Maire Tecnimont, Occidental Petroleum, OT-ISAC, Petronas, Repsol, and Suncor. 

By signing the Cyber Resilience Pledge, the parties commit to strengthening ecosystem-wide cyber resilience by adopting the cyber resilience principles. The commitment also engages senior cyber leaders from signatory organizations to take collective action by developing global approaches and improving cyber resilience across ecosystems. Additionally, the pledge covers advocating and showcasing experiences by demonstrating the impact achieved by the Cyber Resilience Pledge.

The pledge aims to mobilize global commitment toward strengthening cyber resilience across industry ecosystems. Organizations endorsing the pledge commit to collaborating and taking collective action on cyber resilience. Launched with the support of organizations engaged in the WEF’s Cyber Resilience in Oil and Gas initiative, the pledge seeks to empower organizations to take concrete steps to enhance cyber resilience across their industry. 

Cyberattacks on the Colonial Pipeline in the U.S. last May and on European oil facilities in February this year have forced the facilities to operate at limited capacity, causing huge economy and society-wide disruptions.

The WEF identifies achieving cyber resilience as one of the biggest cybersecurity challenges. It is not a one-time or a one-actor effort and data suggest that a harmonized approach that stretches across borders and businesses is necessary. The global cost of cybercrime is expected to reach US$10.5 trillion a year by 2025, while the threat of infrastructure breakdown due to a cyberattack is the top personal concern for cyber leaders.

“First endorsed by key CEOs in the oil and gas value chain, the Cyber Resilience Pledge is a landmark step as it signals recognition of the complexities of building a cyber-resilient industry ecosystem and a commitment towards collective action to achieve it,” Alexander Klimburg, head at the Centre for Cybersecurity of the WEF, said in a media statement. “The World Economic Forum Centre for Cybersecurity is proud to have led this effort in conjunction with our partners. We look forward to scaling the pledge to other industries in the future.” 

“As the world deepens its digital footprint, cyber threats are becoming more sophisticated,” said Amin H. Nasser, CEO of Saudi Aramco. “But one company, working alone, is effectively like locking the front gate while leaving the back door wide open.” Companies must work together if they want to truly protect the critical energy infrastructure that billions of people around the world depend on. 

Common, industry-wide, cyber-resilience practices are essential, said Robert M. Lee, CEO and co-founder of Dragos. “As our world becomes more digitally connected it is imperative, especially for our industrial and operational technology, to ensure our infrastructure’s secure and safe operation,” he added.

“The oil and gas industry is going through a digital revolution that has been a catalyst to the energy transition and sustainability,” Felipe Bayón, CEO of Ecopetrol, said. “Cyber resilience is key in this revolution, as staying ahead of vulnerabilities is fundamental to our business. The pledge is a step further by developing a collective effort to embed cyber-resilience and a cyber-risk aware culture across the energy industry,” he added.

“The pledge advances Galp’s commitment to joint action on managing cyber risks and protecting cybersecurity of critical energy infrastructure, by creating awareness and a unified stance on cyber resilience in the global energy sector,” said Andy Brown, CEO of Galp.

“Petronas upholds the safety of its people, assets and the environment as our utmost priority, including reinforcing better cyber security and safety practices. Petronas is committed to and fully supports the World Economic Forum’s Cyber Resilience Pledge and its principles in safeguarding our ability to deliver energy responsibly and securely,” said Tengku Muhammad Taufik, CEO of Petronas. “In this respect, we believe that addressing the risks and enhancing cyber resilience is critical as the oil and gas industry embraces greater digitalization to capture valuable opportunities in this digital era.”

Commenting on the initiative, Edward Liebig, global director of cyber-ecosystem at Hexagon PPM wrote in an emailed statement that as the threats against critical infrastructure become more prevalent and brazen, there is a growing and deep concern for strengthening cyber resiliency across industry ecosystems. “For the OT/ICS industry operators at large, this pledge makes a bold ‘first step’ statement of solidarity to reinforce that ‘nobody is a competitor’ when it comes to cybersecurity. ‘We are in this together.’ There is much to do, however, in empowering senior leadership to act,” he added. 

Cyber resiliency needs to be deeply rooted in corporate culture and flow down from the top, through every aspect of an organization, according to Liebig. “This Cyber Resilience Pledge is certainly going to reinvigorate the cyber discussion in many more boardrooms than just those signatory companies,” he added.

The WEF has also invited organizations across sectors to endorse the Cyber Resilience Pledge and enhance cybersecurity throughout their systems.

Data released by NCC Group’s strategic threat intelligence team showed that the number of victims of ransomware attacks appears to have stabilized in April. In total, it observed 288 attacks last month, a minor increase from the 283 observed in March. “The most targeted sectors in April were industrials, making up 35% of attacks, followed by consumer cyclicals, making up 19% of attacks. With similar results to March, it remains clear that there is an unrelenting interest in these sectors from ransomware threat actors,” the research added.

Earlier this week, the WEF recognized that critical infrastructure protection is vital to keep essential services running and often relies on public-private cooperation models. Additionally, the cost of failure of critical infrastructure is often considered a worst-case scenario, as there is often a question over who pays for its security. The agency suggested that identifying ‘systemically important critical infrastructure’ could help open up new cooperation models and unlock new funding mechanisms.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.