A new report reveals that 68 percent of oil and gas organizations have experienced at least one digital attack. In the Siemens-sponsored The State of Cybersecurity in the Oil & Gas Industry: United States (PDF), the Ponemon Institute surveyed 377 individuals based in the United States who are responsible for overseeing digital risk to their organization's operational technology (OT) systems. Two-thirds of those heads of industrial control systems (ICS) and other managers said their companies have benefited from digitalization. But not without a cost.
68 percent of respondents stated their organization has experienced at least one digital attack, with many directors saying their enterprise doesn't have a strategy for OT digital risk. Indeed, only two-fifths of participants said their organization continually monitors infrastructure to prioritize and respond to threats. Without continuous monitoring, it's no wonder a majority of ICS heads (61 percent) claimed their organization's OT security measures were inadequate. Some companies recognized the benefit of implementing different types of security technologies to try to fill that strategic gap. But many organizations haven't followed through and deployed those solutions. As Ponemon explains in the report:
"Sixty-three percent of respondents say user behavior analytics and 62 percent of respondents say hardened endpoints are very effective in mitigating cybersecurity risks. In addition, 62 percent of respondents say encryption of data in motion is considered very effective. Yet, many companies do not have plans to deploy these technologies. Specifically, in the next 12 months less than half of organizations represented (48 percent of respondents) plan to use encryption of data in motion, only 39 percent plan to deploy hardened endpoints and only 20 percent will adopt user behavior analytics (UBA)."
So how can organizations better protect their OT environments? For starters, oil and gas companies should consider investing in encryption, UBA, and other solutions that are proven to mitigate digital risk to OT environments. More organizations should also participate in the Oil & Natural Gas Information Sharing and Analysis Center. Doing so will improve the quality of information exchanged between all entities in the industry. Even so, Siemens explains in a blog post that organizations must do more to adequately protect themselves:
"... [S]ecurity is only part of the solution. No matter how secure an enterprise is, hackers will still try to break into it. It’s critical to develop comprehensive strategies to stand up operating models to manage risk."
These strategies should focus on merging IT and OT as well as developing holistic incident response protocols. For additional findings, please view Ponemon's survey here (PDF).