While every sector of the economy experiences cyber attacks, the oil and gas industry is a particularly enticing target because there are inherent weaknesses in its rapidly expanding digital landscape. It's also an industry that can't afford to go offline at any time, which means cybercriminals can force quick action from those they attack.
Threat actors who successfully breach the defenses of oil and gas companies are therefore empowered to demand substantial ransoms that must be paid before organizations can regain control of their infrastructure. 2021 provided a great example of this threat. The Colonial Pipeline attack, which resulted in shortages at gas stations across the East Coast and a $4.4-million ransom payment (of which the US government recovered $2.3 million), showed very clearly how vulnerable the energy sector is to attacks.
Overseas, the story is no different. The NotPetya attack, which years earlier infected a Ukrainian utility and shut down the country's power grid, is another example of what can happen when hackers set their sights on the sector. Of course, it is certainly not the only industry under attack. While estimates vary, some sources forecast that 50 to 60 percent of companies will suffer a breach in the coming year. And when attacks happen, the costs can add up quickly, with the average cost of a breach in the US rising into the millions.
When it comes to ransom payments, the average amount demand by cybercriminals has risen steeply, from $15,000 to $175,000 in the last five years, according to the NetDiligence 2021 Ransomware Spotlight Report. While an outlier, a $50-million ransom demanded from Saudi Aramco indicates that criminals are determined to receive a significant return for their efforts. Until energy sector companies embark on a sustained effort to harden their cybersecurity defenses, we can expect attacks to continue unabated.
Tougher Cybersecurity Regulations on the Horizon
Oil and gas companies were forewarned of these dangerous threats and the need to raise their security postures for some time.
For instance, in March 2018 the Cybersecurity and Infrastructure Security Agency released an alert highlighting the threat of Russian Government cyber activity against energy and critical infrastructure providers specifically.
Fast forward to today, and—given the ramifications of attacks and the potential for attackers to target the energy sector with relative ease— it's only a matter of time before new regulations mandate minimum cyber standards for the oil and gas sector. In fact, it’s already happening.
In May 2021, the Federal Energy Regulatory Commission voiced support for mandatory pipeline cybersecurity standards. Additionally, there's bipartisan support from the House Energy and Commerce Committee to strengthen pipeline and energy security, as proposed in the Pipeline and LNG Cybersecurity Preparedness Act, currently under discussion.
What Oil and Gas Companies Must Do to Protect Themselves from Cyber Threats
To deploy an effective cybersecurity program requires a firm grasp of the cyber threats and risk a business faces, which any preventive action must address. For starters, a risk assessment that examines internal and external threats, as well as the existence of internal controls to prevent their occurrence, is critical to securing the enterprise.
The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, provides the public and private sector guidance on developing its approach to cybersecurity, including the ways it relates to risk analysis and assessments.
Additionally, the World Economic Forum recommends creating a comprehensive cybersecurity governance model, adopting a security and resilience-by-design culture, and putting a greater focus on third-party risk management. They also recommend frequent testing of an organization's defenses and its ability to mitigate an attack.
The Cybersecurity Talent Gap and Its Implications
The oil and gas sector faces pervasive threats, and the prospect of government legislation may soon force companies to improve the effectiveness of their cybersecurity programs. But that is easier said than done. Many companies will encounter problems expanding their capabilities because there's an acute shortage of available talent. In fact, (ISC)2 estimates there's a global shortage of 2.72 million cybersecurity professionals.
There's a steady stream of people entering the field; 700,000 skilled professionals have been added to the global cybersecurity workforce since 2020. Unfortunately, that's not enough to catch up and fill today’s talent gap. The global cybersecurity workforce must further grow by 65 percent to enable organizations around the world to protect their critical assets. Hiring suitably qualified security professionals is also an expensive proposition, with average salaries in the United States ranging from $85,000 to $130,000.
A shortage of talent not only leaves organizations vulnerable, but it also puts cybersecurity teams under immense pressure and leads to a stressful work environment. They often must combat increasingly sophisticated cyber attacks with insufficient resources at time when the landscape has become harder to defend due to the rise in remote work. No surprise, then, that a survey conducted by the Chartered Institute of Information Security found that 80 percent of security staff reported greater levels of anxiety and stress during the COVID-19 pandemic, while 51 percent had trouble sleeping due to stress.
While these figures are cause for concern, resource-constrained organizations do have alternatives. Given the tight labor market, growing labor costs, and the stresses and strains of running a cybersecurity team, it often makes sense to engage a partner with a fully staffed team of professionals and the ability to monitor the organization on a 24x7 basis.
Prepare for More Attacks and Increased Regulatory Oversight
The attack on Colonial Pipeline is just one recent example of what can happen when determined cybercriminals breach oil and gas cyber defenses. In many respects, the deep pockets of oil and gas companies, their extended physical and information networks, and their importance to the broader economy make them an ideal target for cybercriminals to exploit.
In response to recent high-profile attacks, politicians in the United States may soon require oil and gas companies to significantly harden their cyber defenses. To prepare for this scenario and raise their security posture to better ensure their own protection, energy companies can tap partners to help design a proactive approach that will help mitigate threats and make future regulatory compliance less onerous.
Use Arctic Wolf for a Proactive Approach
Arctic Wolf security operations solutions provide vulnerability management, around-the-clock monitoring and detection, and other incident response planning that help oil and gas companies reduce both the likelihood and the impact of an attack. Leveraging the Arctic Wolf® Platform, the Arctic Wolf Concierge Security® Team helps customers in the energy sector detect evasive threats and mitigate potential damage. We also provide ongoing security training to minimize the risk of breaches through human error.
Get an in-depth view into how we help oil and gas companies, including a detailed discussion of the five fundamental functions of a cybersecurity program.