Building cybersecurity culture is critical to energy industry resilience, WEF says

The World Economic Forum (WEF) said on Monday that the scale and impact of cyber-attacks in the energy industry are rising exponentially due to an expanding network of digital platforms, leaving the sector vulnerable to future threats without adequate preventative strategies. 

The threat and risk landscape in heavy asset industries, such as in the oil and gas and the energy industry, is developing at the speed of light with increased complexity, compounded by a reduction in situational awareness, according to the WEF post.

“Barring any action on our parts, we will very soon be left with little choice but to try to close the gaps and play from a position of weakness,” it added. “Rather than proactively mitigating vulnerabilities and pre-empting attacks, we will react defensively. There are existing opportunities and strengths inherent to industries which can prevent this outcome, and we still have time to take full advantage of them,” the WEF added.

The agency also said that “while online attacks are nothing new, what is different now is the scale of the risk and impact, which is directly related to the scale of digital connectivity and the massive ecosystem changes resulting from digitalization, decentralization and energy transition. Our cyber adversaries are more agile and sophisticated in their abilities to wreak great havoc from a distance with little to no risk. This needs to change.”

The Geneva-based body said that the first category of strengths and opportunities lies in the centuries of experience that industrial companies have as operators of high profile, high value, physically complex assets, and knowing how to keep such infrastructure physically safe and secure. This awareness and experience is baked into the industrial DNA and spans the entire ecosystem so that the defenses needed for tomorrow must combine industrial and manufacturing knowledge with the power of digital capabilities. It will continue to play an important role as a springboard to industrial cybersecurity, but alone it is not enough, it added.

To help the energy industry improve its resilience against cyber risk, the WEF had in May brought together over 40 senior executives to establish a blueprint for evaluating cyber risk across the oil and gas industry. The whitepaper, titled, “Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers,” delivers six principles to help boards at oil and gas companies govern the cybersecurity risk, and strengthen their organization’s cyber resilience. Adopting them will support the industry in its efforts to continue delivering safe, affordable, and low-carbon energy for decades to come.

Hackers increasingly view the energy industry as a ripe target to launch cyberattacks for financial, criminal, or geopolitical gain, the whitepaper said. Recent studies show the volume of attacks against operational technology (OT)-connected assets increased over 20 times from 2018 to 2019. Meanwhile, the average energy sector data-breach cost has risen more than 13 percent since 2019, to US$6.39 million – a higher cost than the global average of $3.86 million, the WEF added. 

Yet, even with expanding cyberattacks threatening the industry, two-thirds of oil and gas executives state that digitization is benefiting their business and will remain essential for their company’s success. The success of any such work is dependent on organizational adoption, and the width, breadth, and sustainability of the safety and security programs.

Industrial organizations have experience in securing massive physical assets, along with digital platforms, security software, and teams of technology experts. But they need to work harder towards getting cyber resilient.  

“Wars, including this new kind of cyberwar, are not won with brilliant military strategists, the best-trained soldiers and most experienced special ops personnel alone,” the WEF said. “To win, you need secure supply lines, the best intelligence operations, committed allies, and informed and engaged citizens,” it added.

There is a growing understanding in heavy asset industries, such as in the oil and gas and the energy industry of the massive changes that are in motion and the systemic risks that follow since the new risk landscape will require a different approach to security and safety, a more holistic and integrated approach tailored to the challenges at hand.

Several other agencies have urged energy organizations to beef up their cybersecurity posture. Following the Colonial Pipeline ransomware attack that affected fuel operations supplying the east coast of the US in May, the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) division released In July its second security directive that requires TSA-designated critical pipeline owners and operators that transport hazardous liquids and natural gas to enforce several urgently needed protections against cyber intrusions. 

The move sought to implement specific mitigation measures to protect against ransomware attacks and other known threats to IT and OT systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.