ZenGRC

Simply Powerful GRC

Oil & Gas

Top Risks Faced by Oil and Gas Companies

· ·

Risk management programs must be tailored to a company’s specific risks, and often those risks correlate to whatever industry that company is in.

Oil & gas companies are particularly challenged because they are a critical infrastructure sector with little room for error and they operate in complex environments, which means plenty of risks that demand attention. Let’s take a look at what those risks are, and how oil & gas companies can begin to tame them.

Biggest Risks Facing Oil & Gas Companies

Cyber Risks

Oil and gas companies are rapidly digitizing systems and implementing new technologies to increase productivity and profitability. This exposes the companies to cyber attacks trying to disrupt operations, steal intellectual property, swipe personal data of employees, commit extortion, and the like.

The energy industry must develop cybersecurity risk management strategies to protect from cyber threats.

Financial Risks

Oil and gas are commodity products, with pricing much more volatile than other markets. Natural resource pricing is heavily influenced by the underlying costs of collecting and refining them, in addition to the actual price of the raw materials.

Oil & gas companies therefore need to hedge their risks by investing in options, futures, puts, and other financial instruments to reduce the threat that price volatility could leave the business operating at a loss for long periods.

Supply and Demand Risks

Supply and demand shocks are a risk for oil and gas companies, especially since operations in the energy industry require a lot of capital and time to bring to full capacity. The use of technology and artificial intelligence (AI) tools enable companies to increase their business effectiveness.

It’s also challenging to manage operations with a cycle of rising and falling prices. Other economic factors also play a role, as financial crises can drain capital regardless of the usual price risks.

Environmental Risks

Energy industry operations directly affect the environment, including greenhouse gas emissions, climate change, oil spills, and solid and hazardous waste.

For this reason, oil companies are under heavy pressure to protect the natural environment as much as possible. Energy companies need to seek ways to minimize harm to the environment, communities, and people generated by the processes that sustain our way of life.

Safety Risks

Oil & gas extraction can be dangerous. It requires long hours, difficult working conditions, and complex machinery that can break down and cause serious injury to nearby people. So the companies must implement robust safety management and monitoring processes.
What Risks Do Operational Technologies Pose?

The oil and gas industry has embraced advanced operational technologies (OT) such as robotics, digitization, and the internet of things (IoT). The technologies can exist as either hardware or software – but they are expensive and deeply integrated into a company’s operations; and carry their own class of risks to address.

Industrial controllers, such as programmable logic controllers (PLC), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems, come with a long lifecycle: 15 to 20 years, compared to three or five years typical of other enterprise IT.

This means oil & gas companies must be sure that new IT risks don’t overwhelm long-lived industrial control systems. They need to assess how emerging risks might affect their controllers, and assure that any new threats can be patched even with legacy software running the controller systems.

Risks from the Internet of Things

More companies within the oil and gas industry rely on the internet of things (IoT) to gather data to monitor OT. These sensors, cameras, and embedded analytics systems connect the OT environment with the IT environment.

For example, a natural gas company may need to monitor the pressure in the OT environment. First, the IoT monitors the SCADA system’s ability to control the pressure. Then the IoT informs business leadership or external parties who need to provide oversight.

Enterprise IT networks that interact with OT networks, however, can lead to cyber risk. Most companies struggle with securing their data environments, and those in the oil and gas industry are no different. Anywhere the IT networks interact with the OT network can be a significant security issue.

Risks From Employees

While all industries suffer from employee cyber awareness issues, oil and gas companies must be particularly attuned to the threat because they are critical infrastructure; even one careless act by one employee could cause widespread disruption in the physical world.

For instance, an employee may idly click to a website in a phishing email and enable access to his user ID and password. With this information, a cybercriminal can gain access to all networks, including segregated or secured ones that manage industrial control systems.

Risks From Lack of Cybersecurity Staff

All industries face a shortage of information security professionals. Oil & gas, however, have particular needs due to the overlap between OT and IT systems. Cybersecurity professionals with critical infrastructure experience are a niche within a niche in an already limited hiring pool. As a result, when oil and gas firms do find someone to handle their specific risks, they have to figure out how to make the most of that employee’s time.

Incorporating Cyber-Risk Oversight

Quite naturally, oil & gas businesses tend to people their boards of directors with executives who have experience in the energy sector. That’s fine, but to ensure sufficient attention to cybersecurity, oil & gas companies should also look for board directors who understand cybersecurity and how to apply it to the unique, complex systems this sector entails.

Mitigating Cybersecurity Risks in the Oil and Gas Industry

Mitigating cybersecurity risk in the oil and gas industry begins the same way other risk management programs start: with conversations.

These cross-departmental discussions must identify the physical and data assets that are in danger. For example, software, network architecture, and devices essential for company operations are usually the focus of enterprise risk mitigation.

Additionally, the oil and gas industry adds a second layer of network infrastructure to assist OT monitoring. As a result, detecting all points of network danger becomes increasingly tricky. In many cases, the oil and gas companies need to segregate their OT networks and keep the IT infrastructure data from migrating to the OT infrastructure.

Finally, as critical infrastructure, companies also must align controls with increasingly burdensome regulatory requirements and industry standards.

ZenGRC Helps You Manage Risk in the Oil and Gas Industry

The ZenGRC is an intuitive, simple-to-use platform that keeps track of your processes and also identifies high-risk areas before they become severe issues.

Our risk management software generates heat maps to illustrate your organization’s high, low, and medium risk regions in a user-friendly, color-coded dashboard. These tools allow you to take action quickly and to share the results with your C-suite and board of directors.

Companies in the energy industry struggle to maintain appropriate risk management programs. They need an effective workflow tool to coordinate communication and task management among internal and external stakeholders. A cybersecurity specialist in the oil and gas industry may assign roles and tasks to the responsible employees using our workflow tagging, allowing for a more thorough examination of the activities involved in cyber risk management.

Worry-free risk management is the ZenGRC way! For more information on how ZenGRC can streamline your risk management process, contact us for a demo.

Understanding the Types of Risk in the Oil & Gas Industry

· ·

Defined as critical infrastructure, the oil & gas industry increasingly faces cybersecurity risks as nation-state cybercriminals attempt to undermine other countries. The integration of information technology (IT) systems into operational technologies (OT) creates a unique threat to the oil and gas industry that places both the companies and the public at risk.

Biggest Risks Facing Oil & Gas Companies

What risk do Operational Technologies pose?

The oil and gas industry suffers from outdated operational technology that makes securing it difficult. The most recent industry report from Ponemon, now theoretically outdated because it released in 2017, indicated that

  1. 59% felt operations technology was at higher risk than information technology.
  2. 68% had operations with at least one security compromise.
  3. 46% of operational technology cyber attacks remain undetected.

These numbers indicate a variety of problems endemic in the industry. First, monitoring IT environments protects data, but it does not keep gas companies from the risks inherent in their operations. Second, while more than 2/3 of companies found at least one compromise, nearly half of compromises remained undetected which means that the number far exceeds that already frightening 68%.

What risks are unique to OT?

Whether as a software or hardware, OT monitors or controls physical processes. However, OT is costly and deeply integrated into a company’s infrastructure.
The industrial controllers, such as programmable logic controllers (PLC), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems, come with a longer lifecycle. While enterprise IT comes with a lifetime of last three to five years, OT often comes with a fifteen to twenty year lifetime.

In cybersecurity, IT risks can change at the blink of an eye making the controls outdated. Often, enterprises replace these frequently to keep them as secure as possible. However, with the longer expected lifespan of OT, which directly correlates to the costs incurred, these types of updates are not possible.

Therefore, the primary unique risk for OT comes from how gas companies and others use them and intend to use them.

What risks arise from the Internet of Things?

To monitor OT, more companies within the oil and gas industry rely on the Internet of Things (IoT) to gather data. These sensors, cameras, and embedded analytics systems connect the OT environment with the IT environment.

For example, a natural gas company may need to monitor pressure in the OT environment. The IoT monitors the SCADA system’s ability to control the pressure. Then the IoT informs business leadership or external parties who need to provide oversight.

However, enterprise IT networks that interact with OT networks can lead to cyber risk. Most companies struggle with securing their data environments, and those in the oil and gas industry are no different. Thus, anywhere that the IT networks interact with the OT networks as a result of increased IoT use can lead to a security issue.

Where do workforce members increase cyber risk?

While all industries suffer from employee cyber awareness issues, the oil and gas industry’s importance to economic and social stability means that a single careless employee can undermine the entire country.

While this can sound dramatic, a successful social engineering attack against a traditional enterprise leads to financial, reputation, and compliance costs. However, for a member of the oil and gas industry, a successful social engineering attack can dismantle the critical infrastructure.

An employee idly clicking through to a website in a phishing email enables access to their user ID and password. With this information, a cybercriminal can gain access to all networks, including segregated or secured ones, upon which the employee is authorized. Thus, even segregating the IT and OT networks may not be enough protection is a cybercriminal can obtain the login information.

Why the oil and gas industry needs to engage more cybersecurity professionals

All sectors face a shortage of information security professionals. However, while traditional enterprise IT security remains a continually moving target, it lacks much of the criticality and complexity as security within the oil and gas industry. The overlap between OT and IT means that the industry needs security professionals who can navigate both environments.

As a niche within a niche, cybersecurity professionals with critical infrastructure experience are limited within an already limited hiring pool. Thus, if oil and gas companies can find someone to manage their unique risks, they need to find a way to optimize the staff’s time. If they need to hire two different people to coordinate across the differing environments, then the companies need to find a way to ease communications.

How to engage the Board of Directors for incorporating cyber risk oversight

News outlets and the public often focus on the environmental risk that the oil and gas industry poses. Thus, many companies choose their Board of Directors based on engineering and financial expertise. Although they understand the importance of cybersecurity, they may struggle to quantify the way cybersecurity risks impact the chemical, environmental, and industrial engineering risks that lead to financial loss.
Thus, the risk management process and the Board’s program oversight lead to another overarching risk within the oil and gas industry.

How to mitigate the cybersecurity risks in the oil and gas industry

Mitigating the cybersecurity risks plaguing the oil and gas industry begins the same way other risk management programs start – with conversations.

These interdepartmental conversations need to determine the physical assets and data assets that pose a risk. Enterprise risk mitigation traditionally focuses on software, network architecture, and devices required for business operations. The oil and gas industry, however, adds a second layer of network infrastructure to support monitoring the OT environment. Thus, locating all the points of network risk becomes more complicated.

Looking to mitigate these risks, companies employing a security first approach still face complex issues. In many cases, the oil and gas companies need to segregate their OT networks and keep the IT infrastructure data from migrating to the OT infrastructure. To ensure this, they need to engage in vendor risk management processes and procedures as well as enforce their patch management processes.
Finally, as critical infrastructure, companies also must align controls with increasingly burdensome regulatory requirements and industry standards.

How ZenGRC Enables Risk Management for the Oil and Gas Industry

Oil and gas companies struggle to maintain effective risk management programs, needing an efficient workflow tool to coordinate communication and task management across internal and external stakeholders.

ZenGRC enables companies to prioritize tasks, from alerts to vendor reviews, so that everyone knows what to do and when to do it. This eases the burden of records retention and audit preparation.

With our workflow tagging, a cybersecurity professional in the oil and gas industry can assign roles and tasks to the responsible individuals, enabling stronger review over the activities involved in cyber risk management.

Finally, with our audit trail capabilities, companies can document corrective actions and response activities to prove that they maintained cybersecurity by continuously monitoring the myriad of threat vectors.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.

Top Issues Facing Compliance Managers in the Oil & Gas Industry

· ·

With malicious actors targeting critical utilities. the top issues facing compliance managers in the oil and gas industry revolve around cybersecurity. A single intrusion to a power grid or energy source provider can cripple global economies. Regulatory compliance for the energy sector needs to be viewed through a “security-first” lens to ensure ongoing protection of systems that power the world.

Regulatory & Compliance Issues in the Oil and Gas Industry

What is the security status of the oil and gas industry?

According to the Department of Energy 2018 multiyear plan, Nation-state actors increasingly target the energy industry infrastructure. According to a 2015 Director of National Intelligence report, cybercriminals were working to find ways to remotely access industrial control grids. The focused cyber attacks on critical utilities include probes, data theft, and new malware.

According to the Department of Energy, the 2015  average annual cost of cybercrime to the energy and utility industries was $27.62 million. In February 2017, the Ponemon Institute released The State of Cybersecurity in the OIl & Gas Industry: United States. The key findings, based on 377  individuals responsible for security in the oil and gas industry, included:

  1. 35% rated operational technology environment as cyber ready.
  2. 68% had operations with at least one security compromise.
  3. 59% felt operations technology was at greater risk than information technology.
  4. 67% believe industrial control systems risks increased over the past few years.
  5. 61% felt their industrial control systems protection and security was inadequate
  6. 65% felt insider negligence posed the largest security threat.
  7. 15% felt malicious or criminal insiders posed a risk minimizing the importance of advanced monitoring.
  8. 41% continually monitor all infrastructure.
  9. 46% of operational technology cyber attacks remain undetected.
  10. 68% felt security analytics helped achieved a stronger security posture.

What exploits and security breaches threaten the oil and gas industry?

New trends in digitizing the energy sector also increase the likelihood of cyberattacks. For example, the industry increasingly connects smart gas, water, and transportation using the Internet of Things (IoT). Simultaneously, the oil and gas industry supervisory control and data acquisition (SCADA) systems use outdated, insecure software.

Attacks to the operational technology environment remain undetected thus disrupting operations for longer periods of time. Lack of awareness directly correlates to the infrastructure security tasks remaining incomplete. Organizations lacking awareness leads to a vicious cycle of non-investment in infrastructure security. Overall, the data most at risk seemed to be exploratory information and production information.

How digitization of the oil and gas industry increases security risks

From an IT security standpoint, increased digitization is a primary reason that most oil and gas companies are at risk. Although they need to update operating technology to integrate with IoT, many use insecure legacy systems. The movement to digitize also increased the number of vendors integrated into the supply chain, increasing the risks.

Integrated into operations in the 1960’s, supervisory control and data acquisitions systems (SCADA) enabled the oil and gas industry to efficiently manage process production. The SCADA systems enable companies to control and monitor their operational technologies by using sensors to collect and transmit data.  SCADA systems remain embedded in the oil and gas industry due to historical use.

However, SCADA systems which work well to enable operational technologies were not intended to connect to information technology networks. Thus, they often do not incorporate the needed security features to protect against external intrusions.

What are the security problems with connecting operational technology and information technology?

The primary security issue arising out of these connections lies in the number of vendors used to enable business solutions. The increasing sophistication of ransomware combined with the cybersecurity gaps make the Industrial Internet of Things (IIoT) and its connection to Industrial Control Systems (ICS) problematic.

As evidenced by 2017’s WananCry and the continued evolution of ransomware through 2018, malicious actors will likely focus on industrial ransomware attacks. Nation-state actors look to control global politics through fear while the rise in daily technology use makes the energy sector more critical overall. For example, as more individuals and businesses use smart home technology to control heat, the oil and gas sector becomes a greater target.

While traditional IoT remains a security issue, even more risks face IIoT. Media outlets increasingly put pressure on smart home technology but do not incorporate the same level of responsibility for IIoT, likely because they do not know it exists. Therefore, as IIoT technologies connect the operational industrial network to the IT landscape, they create a weak point in the cybersecurity protections, effectively a backdoor for hackers.

How to secure effectively secure the IIoT and IT environment connection within the oil and gas industry

The first step to better securing the oil and gas industry comes from engaging in a risk mitigation strategy. Increased vendors and technology use add to the complexity of securing the operational and information technology environment.

Understanding the vulnerabilities and risks allows oil and gas companies to begin the process of risk mitigation. IIoT vendors who enable information sharing across and between the operational and information technology environments access critical data and systems. Their vulnerabilities and risks translate directly to the oil and gas sector’s stability. Some suggestions to help secure the IIoT, IoT, operational and information data landscapes, however, include:

  1. Create a list of information assets
  2. Create a list of all applications and systems that connect to your IT network
  3. Create a list of all vendors
  4. Define risks to the IT environment, including software, systems, networks, devices, and vendors.
  5. Review Service Level Agreements to maintain supply chain security
  6. Establish controls that protect systems, networks, and applications to mitigate risks.
  7. Continuously monitor the IT environment to ensure ongoing control effectiveness

How ZenGRC Eases Security-First Compliance for the Oil and Gas Industries

Taking a security-first approach to compliance enables the oil and gas industries to better protect their operational and information technology environments. However, documenting continuous monitoring efforts remains a pain point. After establishing controls to mitigate threats to the data environment, companies need to map those controls across the various frameworks and regulations. For example, mapping controls to both NIST and ISO 27001 becomes time-consuming if done manually.

ZenGRC’s System-of-Record makes collecting audit information easy. By streamlining the workflow, organizations can eliminate emails while tracing outstanding tasks. Additionally, the unified control management feature allows organizations to map controls across multiple frameworks, standards, and regulations to determine whether compliance gaps exist. This mapping capability enables organizations to ensure consistency that leads to stronger audit outcomes.
For example, as part of the System-of-Record dashboard, organizations have at-a-glance insight into the percentage of controls finalized and a portion of controls mapped to a particular framework.

ZenGRC’s streamlined workflow shows task managers the date on which a vendor provided a response and a status. These details mean that compliance managers no longer need to spend time following up with the organization’s multitudinous vendors.

GRC automation enables organizations to focus on the fundamental issues of compliance while eliminating the tedious tasks that often make compliance feel like a burden. Not only does this help compliance officers feel more effective at their jobs, it also makes organizations more efficient at the ongoing task of governance and continuous monitoring.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.