Speaking cyber cover to power

Nearly 70 percent of oil and gas companies have recently experienced a cyber incident, according to a 2017 study by Ponemon/Siemens. Coordinated attacks, such as the hack on companies that supply power to the US power grid in early September, or the one in Norway that targeted 300 oil and gas producers in 2014, underscore the growing risk.

Worldwide, the oil and gas sector has the highest percentage of cyber attacks of any industry: 32 percent of all attacks. Yet the industry appears slow to accept the likelihood and severity of the risk. Just a handful of the top 25 oil and gas companies worldwide cited cyber breaches as a major risk in their annual disclosures.

Oil and gas producers are increasingly in the crosshairs of hackers and protecting themselves has become more difficult than ever. The industry is operationally and financially complex, and the increasing reliance on technology only increases the risk.

Among the chief vulnerabilities is increased connectivity, with drilling and production operations often spread across a broad geographic area. That vulnerability is deepened with the growing use of automation, including robots, and the use of satellite links to control offshore operations.

The industry’s financial complexity also offers multiple avenues for hackers. With complex royalty payment structures for onshore operators, there is more of the ‘traditional’ data breach exposure than is often perceived. In addition, much of the data held and generated by oil and gas producers, such as seismic and well logs, is sensitive.

Among the top cybersecurity issues identified by Munich Re Syndicate, together with Munich Re’s Corporate Insurance Partner unit, is the fairly easy accessibility of production systems from the internet; the use of IT products with unpatched vulnerabilities in the production environment; insufficient monitoring of the systems for cyber attacks and incident response; a lack of employee cybersecurity awareness and training; access of suppliers to IT and production systems; and insufficient separation of data networks.

While the entire industry is vulnerable, upstream operations—exploration development and production—are at particular risk. The overarching reason is the legacy asset base, which has been retrofitted and patched together over the years.

Poor protection

The level of protection is surprisingly inadequate. Whether hackers are motivated by financial gain, including industrial espionage, or political gamesmanship, the ramifications of a breach are enormous. Still, 61 percent of oil and gas companies say their organisation has difficulty managing cyber risks, according to Deloitte data.