How oil and gas security leaders can smooth the transformation path

To support transformation, CISOs need to build bridges, embed security-by-design, and get used to the reality of an evolving value model.

The issue is not a lack of understanding of cybersecurity per se, but uncertainty about the company’s exposure to the new and evolving risks when entering new markets, partnerships and products.

The executive management teams are typically seasoned professionals from the field and have a strong understanding of risks across the traditional value chain, but they are less clear about information security in the context of nontraditional markets. There is a gap in their knowledge when they are entering into new domains, which is compounded by the changes in how the business operates on a digital level. It is very complex. This is not your typical IT operation. We are talking here several orders of magnitude higher.

2. Cybersecurity teams are cut out of planning

Oil and gas businesses are digitizing their operations, despite the challenges this presents from a cybersecurity perspective.

Executives have good reason for worrying about the security of their technology systems. A single security flaw gives hackers an opportunity to bring down a whole network. So it is concerning that many oil and gas companies are investing in technology without ensuring they have built in the appropriate security resilience, with fewer than half (48%) of respondents saying they are brought in at either the planning or design stage of a new business initiative (see figure 2). This is further complicated by the fact that a significant percentage of business expansion relies on large turnkey third-party engineering contracts. The ownership of the risk is at times unclear and lacks accountability.

If you mention remote operations to oil and gas executives, they won’t sleep that night because the risks are so high. But they are aware that many businesses, such as the operators of North Sea rigs, are successfully reducing the number of onsite employees, which has a direct impact on the bottom line. In the end, they digitize because their competitors are doing it.

More than 6 in 10 (65%) oil and gas respondents admit the business rolls out new technology to timescales that do not allow time for suitable assessment. They also flag that the most challenging aspect of their role is supporting new technology-driven initiatives. 

One explanation for the lack of cybersecurity oversight is that the nature of the technology investments has changed in recent years. Formerly, when the bulk of IT investments were made in a centralized, enterprise setting, it was more straightforward to check that the cybersecurity team was included and providing security by design. As IT merges with OT, spanning a much larger network and ecosystem of partners, it becomes more difficult to ensure governance and oversight.

3. Regulation is still out of sync

More than half of oil and gas cybersecurity leaders (54%) complain about the burden of regulation, flagging that achieving compliance can be the most stressful part of their job.

There is a good reason why regulation is becoming more time-consuming. Given that oil and gas infrastructure forms part of a country’s critical national assets, and as several countries have suffered high-profile cyber attacks in recent years, governments recognize the need to protect these entities through regulation.

Compared with other sectors, however, regulation on information security in oil and gas is less mature. “The regulations are relatively new, still evolving and out of sync with requirements,” says Clinton Firth, EY Energy Leader for Cybersecurity. “Compliance is putting more stress on a system that is behind in other respects, but will eventually help the industry to move forward. Cyber regulation in the sector is coming into its adolescence.”

It’s true that oil and gas companies are unsure about the value of compliance. Just one in four (27%) respondents believe that compliance drives the right focus and behaviors, compared with 42% more broadly.

The situation will improve over time, as rules become more sophisticated and responsive to the new business models being developed in the sector. Today, however, 6 in 10 (61%) oil and gas respondents believe regulation will only become more fragmented, and therefore time consuming, in the years to come.

How oil and gas CISOs can excel as strategic enablers

CISOs in oil and gas have an opportunity to increase their influence and ensure their operations have the resilience needed to sustain cyber-secure growth. Faced with the challenges of a rapidly changing sector, they need to act decisively.

Become an expert in the new business models

New revenue streams mean a larger and more complicated risk exposure. As outlined above, the board may not have personal experience of the investment levels needed to contain all the elements of this risk. In turn, we can expect them to look to the CISO for insight.

The research suggests, however, that cybersecurity teams may need to enrich their own understanding of new oil and gas business models, and the accompanying technologies, before they can provide guidance to others. Currently, for example, just 27% of respondents believe that senior leadership would describe the cybersecurity team as being “commercially minded.” Cybersecurity professionals in oil and gas are much more likely to be described as protecting the enterprise, responding quickly to crises, and working collaboratively with others. All of these attributes are admirable in themselves but, in today’s sector, they need to be balanced with a deeper understanding of how the threat is changing in parallel with new value creation. 

By broadening their knowledge beyond the established remit of cybersecurity, CISOs will be better placed to articulate the risks to the board or executive management committee and outline what is required to ensure resiliency in a changing commercial environment.

Build stronger relationships outside the traditional sphere of influence

To embed security by design, oil and gas CISOs need to develop stronger relationships with operations teams and with the organization’s equipment owners and strategic partners. By seeing the reality of field operations first hand, cybersecurity teams can anticipate where their interventions might encounter resistance from business partners.

Cybersecurity teams should also recognize that the OT development life cycle is much longer, with less frequent maintenance windows, than that of enterprise IT. OT changes can’t be made at the 11^th hour. Network change happens over several weeks, if you’re lucky, and some change can’t happen at all. So oil and gas CISOs must be understanding when they look at security by design and start by saying "How can we work together to layer security around those assets and protest them?"

Approach compliance as a benefit

Our findings indicate that oil and gas CISOs are pessimistic about regulation and the time it takes them to achieve compliance. International oil majors are likely to be the most affected by changes to regulations, as they struggle to comply with regional as well as transnational standards, but changing regulation will impact all.

Cybersecurity leaders are looking into automation, new skills and centralization as ways to make the process more efficient, but the first step is a change in mindset. The sector has no choice but to evolve and protect itself against these new risks and broader threat landscape, as opposed to saying that the requirements are too difficult. Moving away from regulations as a burden, and toward regulation as an essential pillar of evolving sector, will help oil and gas companies overcome the long-term challenges they face and seize new opportunities. Adopting sound HSE principals over the years has become part of the ethos of the sector. Good cybersecurity should be no different.

The oil and gas sector has changed significantly in recent years, but its transformation journey will only increase as the world turns away from fossil fuels and energy companies respond with innovative new strategies for growth. As they do so, the cyber threat will continue to grow, and well-positioned CISOs stand to become ever-more critical to long-term business success.