As I have stated numerous times when discussing cyberwarfare and cyberterrorism, key infrastructure like energy is always a major target for any nation-state. As this is the case, one would expect that the various energy companies around the world would have rigorous cybersecurity standards. Alas, this is not the case, at least not here in the United States.
This can be said definitively thanks to a newly released study by Ponemon Institute. The study, entitled "The State of Cybersecurity in the Oil & Gas Industry: United States," seeks to "understand how companies in the oil and gas industry are addressing cybersecurity risks in the operational technology (OT) environment." The findings were disturbing from an InfoSec expert's perspective, especially to this InfoSec expert, who is a United States resident.
Of the various organizations that took part in the study, the vast majority indicated a lack of preparedness for a major attack. According to the study, roughly 68 percent of the respondents experienced at least one security breach in 2016, yet the incidents were not enough to develop a more cohesive security plan in case of breach. Additionally, while 62 percent of the participants recognized the need for more advanced technology (for encryption, etc.), upper management at these organizations have ignored the requests for implementation of said technology.
These statistics are just a few of the many that are pointed out in the study. The overall recurring theme is that there seems to be a disconnect between the security divisions and the suits that sign off on the actual security policies. From obsolete technology to an overall lack of employee training in recognizing security risks, America's energy infrastructure is in deep trouble.
As the study states, only 35 percent of the respondents reported a truly holistic and effective security strategy for multifaceted threats. The rest reported either low or medium security operational technology readiness. Whether threat actors try to attack via social engineering, an inside source, malware, or numerous other hacking strategies, most oil and gas companies are not prepared for attack defense or incident response post-attack.
My hope is that this study, and others like it, force the hand of the individuals in charge to fully commit to a secure future. We as a nation will not be able to handle a full-scale cyberattack on energy as it currently stands.
For all our sake's, hopefully this changes soon.
Photo credit: 20th Century Fox