The latest cyber-attack to hit the world is yet another example of how the nature of security threats facing businesses across the globe has evolved.
In the past, the media spotlight has largely shone on major consumer brands falling victim to cyber criminals; in May the WannaCry ransomware attack wreaked havoc on the NHS, and similarly the recent Petya attack demonstrates the indiscriminate nature of today’s hacker.
Thus, those operating in the oil and gas sector must not be complacent. The high-value and high-profile nature of the sector, coupled with the complex layers of supply chains, processes and industrial controls, makes the industry a potentially high-value target for hackers. An attack could be for financial gain, to steal intellectual property or data, or to cause operational disruption.
The recent financial pressures as a result of the oil downturn have left cyber security functions for many firms considerably underfunded and out of date, which creates a wealth of opportunity for cyber criminals to test their capabilities.
It’s therefore easy to appreciate why our 2017 global CIO survey found that confidence in cyber security has steadily fallen, with only one in five IT leaders feeling well prepared to respond to an attack. Meanwhile, the number of serious cyber-attacks has continued to rise, with one in three businesses reporting a major attack in the past two years, 45% higher than four years ago.
In the oil and gas sector, CIOs face a huge task in ensuring all systems are updated with the latest security patches. Today’s operations use increasing levels of automation – complex and interconnected sub-systems – from operational, hydraulic and mechanical to electrical. System monitoring, inventory control, and information and business systems all link together for the business to function. A problem in one system can have a cascading failure effect on the entire operation, so all of these must be secure.
In addition, on 25 May 2018 the new EU General Data Protection Regulation (GDPR) comes into effect, which will directly impact any organisation in the UK and worldwide which has dealings with consumers and businesses in EU member states. This will fundamentally alter the scale, scope and complexity of the way personal information is processed, and the threat of fines for businesses that fail to comply will create a step change in the digital landscape. While GDPR will inevitably play a major role in bolstering cyber security defences by forcing businesses in oil and gas to reflect on their own digital systems and how they handle data, the preparation will require significant investment.
Fortunately, with confidence growing in the sector and investment returning, now is the time for firms to take a serious look at how effective existing security arrangements are, what has changed in the threat landscape in recent years, and what level of investment in cyber security and privacy will be needed to keep risks at an acceptable level. It’s essential for boards to examine how time is being spent on cyber risk, and whether those accountable have a clear enough and well-explained view of the risk they’re accepting, consciously or otherwise.
If successful, a cyber-attack could prove catastrophic in the oil and gas sector. In light of recent attacks, cyber security must now be taken seriously. GDPR means organisations now have a legal obligation to act. Combined, these leave no excuse for complacency.
George Scott is director for KPMG’s cyber and privacy practice in Scotland.