The World Economic Forum (WEF) proposes a harmonized and streamlined approach to help ensure that essential cybersecurity standards are met in an advancing supply chain ecosystem that exists among industries in the oil and gas sector.
The blueprint will help ensure that third-party risk management becomes a critical part of any organization’s overall risk management strategy. It is through this holistic and shared approach that all stakeholders in the digital ecosystem will address the threats of today and tomorrow, WEF said. As the world grows ever more complex, stakeholders in the oil and gas industry must guard against the growing numbers and varieties of threats by adopting a risk-informed cybersecurity approach to ensure the industry’s long-term sustainability and resilience, it added.
“Collaboration is our greatest protective measure and we hope that this report will trigger the necessary discussions and actions needed to build cyber resilience in this evolving technological ecosystem. Facilitating an open dialogue on cybersecurity threats and protections is a critical step in raising the bar for our global supply chain. It is through such dialogue that the industry will foster increased vigilance across the ecosystem while establishing mutual trust and understanding,” it added.
The WEF released a whitepaper titled “Advancing Supply Chain Security in Oil and Gas: An Industry Analysis,” which was written and led by the World Economic Forum, Saudi Aramco, Schneider Electric, and PwC, in collaboration with the cyber resilience in oil and gas community through multiple workshops and working group sessions.
Digital transformation and hyperconnectivity have increased the digital footprint of third parties in the oil and gas sector and transformed business models quickly, mainly through an increased focus on innovation and efficiency. Global companies currently rely on more than 1,000 third parties to support this transformation and to gain a variety of business benefits such as cost savings, operational efficiencies, scaling of capabilities and resources, and value generation.
Third-party expansions introduce significant cyber and operational risks, including the mishandling of confidential data, failure to meet business operational and compliance needs, and a lack of adequate safeguards against cyber threats, the WEF found. These risks may have significant consequences for an organization’s operations, reputation, and, ultimately, its bottom line.
PwC data revealed that “at least one-third of our survey respondents said in the past year alone, they’d experienced significant disruptions due to third parties: software supply chain disruptions (47%), cloud breaches (45%), third-party platform exposures and outages and downtime (41%), data exfiltration (39%). And yet, the trend of new third-party dependencies seen last year continues to gather steam,” the report added.
The blueprint recommended a holistic approach in the oil and gas sector for managing third-party cyber risks. It also suggested accelerating and streamlining third-party risk management practices by developing a unified industry approach to identify, mitigate, monitor, and communicate third-party risk.
It also attempts to improve the accuracy and consistency of third-party assessments by establishing a baseline set of requirements to assess the risk associated with third-party relationships. In addition, it aims to increase the industry’s cyber resilience by continuously adapting baseline cybersecurity standards and risk management methodologies to keep up with the pace of change in the digital and threat landscapes.
The transformation of many oil and gas companies from a state of isolated operational systems and environments to fully integrated businesses has resulted in a complex supply chain and increased interdependencies between upstream, midstream, and downstream, the WEF whitepaper pointed out. However, the gains made possible by third parties are not without risks. Such digital interdependence has expanded the impact of potential cyberattacks as an attack on one can result in an attack on many.
In the aftermath of recent supply-chain cyberattacks affecting thousands of companies globally, organizations must take measures to protect not only their networks but also those of their interconnected third parties, it added.
The focus on the oil and gas sector was intensified by the recent ransomware attack on Colonial Pipeline’s systems, which forced the company, whose pipeline runs from Texas to New Jersey, to shut much of its network for several days in May, leaving thousands of gas stations across the U.S. Southeast without fuel.