Downstream Digital Defence. Next steps in cybersecurity for oil and gas leaders

Programmers planning for a data protection system

“Cyber-attacks are always in the news and headlines”, states the Head of Cybersecurity Risk and Governance at a major Saudi Arabian oil company. He isn’t wrong. Remote working has created a borderless and hyperconnected attack surface. A recent survey revealed that in the oil and gas industry alone, 86% of responding companies had experienced a cyber- attack in the last 12 months.

But as attacks become more persistent, are we better prepared to tackle them? And how do you protect your virtual refinery from real world threats?

New world, no perimeters

The health and safety risks of the downstream industry are well-documented. Explosions, fires, shutdowns and exposure to hazardous substances are all factors making HSE one of the top priorities of a high-stakes sector. Digitalisation can help address these issues, but it can also create new risks. The real-life impact of a digital breach is high. Digital twin simulations – technology that Gartner believes over half of oil and gas operators will employ by next year – provides a virtual operational blueprint for potential hackers to access.  Machine learning algorithms hold valuable information, and where there are no borders to a virtual refinery, data is the new oil, and its potential to leak is limitless.

Feeding the algorithms  

IoT and AI technologies feed and function on vast volumes of data. Operators are increasingly turning to the Cloud to ease and scale data storage potential. Saudi Aramco recently announced their partnership with Google Cloud platforms to address a US $10 billion market opportunity, and a mission to “allow organizations nationwide to grow and scale their offerings, while delivering digital products and services faster and more reliably” in a world driven by data.

But moving your digital assets to the Cloud introduces new questions around their protection. As a round-table last year which brought together cybersecurity professionals from across various high-stakes sectors revealed, ‘who holds accountability for your Cloud-based assets?’, is a key question for business leaders embarking on their Cloud migration journey. Clear transparency with the right CSP (Cloud Solutions Provider) is critical for confidence in your Cloud-based data.

Cyber as a service

One issue, as the Head of IT at an Algeria based public-private downstream initiative stresses, is “it’s become very easy for everyone to launch an attack if you see cyber as a service”. Just as operators are outsourcing their cybersecurity to third parties, so too, can attackers outsource their skills to the highest bidder. “Attackers are not obliged to conduct the attack themselves. They can sell the service”, confirms the IT Head. And adversaries could have a wide variety of motives: from personal profit to industrial espionage.

As we enter the era of refinery 4.0, effective communication and collaboration is needed between private and public sector to ensure the security of a connected critical national infrastructure that involves all major stakeholders. As a report by Mckinsey states, “Asking the right questions to define government’s role in cybersecurity provides a framework for how…policy makers can think about engaging constructively”.

Business awareness and accountability

Yet policy is only part of the picture, and if, as the Algerian IT Head claims, cybersecurity is now a “need to have” for the business, it needs to become part of the business infrastructure as well. And the majority of downstream leaders in the ADI community believe that if cultural change comes first, budget will follow.

“Cyber is now the responsibility for everybody not just IT”, says a Head of Operations of a COTC complex at PRrefChem.  “[especially] now we are all working outside office”.

Empowering your workforce to understand the basics of digital hygiene, from recognising phishing emails, to ensuring the board and senior management understand the value and ROI of proactive cyber-risk management, is a way to ensure your cyber-defence stretches across all points of your distributed workforce.

“Cyber not just becoming interest of an individual per se”, states the Saudi Arabian cybersecurity leader. “[It’s a question of] widespread awareness”

Mind the cyber-skills gap

A cyber-aware workforce will also ease the pressure of  plugging an ever-widening cybersecurity skills gap. While dedicated departments are being created to manage organisations’ cybersecurity, there is still an estimated shortage of more than 4 million workers in the field. Business leaders need to be aware of their virtual vulnerabilities and the specific skills needed to address them. And in the new digital workplace, a basic understanding of cyber-risks could become a part of every employee’s remit.

New developments, new risks

Digital acceleration shows no sign of slowing, and with each new development comes new risks. According to the World Economic Forum, there will be 215 million electric passenger vehicles on the road by 2030. This is a whole new hyperconnected network for the energy industry, with both vehicles and their charging points vulnerable points of attack.

Virtual refineries too have raised the cybersecurity stakes, as the convergence of OT and IT raises issues of outdated legacy technology and infrastructure, and disconnect between the speed of automation and related manual processes.

A strong cybersecurity infrastructure means a workforce which has digital risk ingrained into every aspect of its culture, at every level. When every device is a potential target, every employee is a digital guardian, and awareness is their best weapon of defense.

Read more: