When the OGTC was developing its technology roadmaps, it became clear that automation and remote control are critical to delivering a digital transformation of the industry - including a major impact on efficiency and emissions reduction. However, for us to realise the potential value of these approaches we have to make sure our cyber security approach is strong, in order to avoid the potential for an attack.
Energy organisations operate nationally critical infrastructure and have been involved in some of the most significant cyber incidents in history. They remain likely targets for similar attacks in the future, which is recognised by the regulators who are now applying stricter requirements. Operators and suppliers alike are reacting to these threats with significant investment in cyber security initiatives.
The Oil and Gas Technology Centre (OGTC) commissioned Baringa to deliver a study to better understand activity across the UK’s upstream oil and gas industry, specifically identifying the major challenges currently faced. The intent is to support the oil and gas industry in effectively balancing the management of cyber security risk and business innovation, and, where possible, bring consistency to the approach to mitigate cyber security risk. The report has now been published and can be found here.
The study involved working with representatives from a cross-section of organisations across the UK oil and gas industry to determine where there is momentum and where high-impact initiatives are in place within cyber security. This has enabled us to make observations on the current status and future trajectory of cyber security within the industry. In doing so, the report also identifies common challenges.
Centred around understanding the current landscape across 8 areas of focus, the study looked at: cyber risk management; cyber in the supply chain; convergence of IT and OT; securing the digital transformation; staffing and skills; current and emerging threats; operating model and strategy; and standards and regulations.
Within this, four themes have been identified, which I’ll look at in further detail through a series of blogs:
- Understanding and managing cyber risk – Organisations struggle to determine and quantify their exposure to cyber risks. Security leaders are restricted in their ability to report on exposure to influence senior stakeholders.
- Securing the supply chain – Supply chains are getting bigger, more complex and more essential to critical business processes. This trajectory is increasing cyber risk in the supply chain and restricting organisations’ ability to manage those risks.
- Sustaining a high performing security team – Skill gaps are present across the industry and the pipeline for future talent is not strong enough to support the increasing demand for these skills.
- Keeping pace with the rate of business change – Security is struggling to keep pace with business initiatives aimed at delivering new digital technologies.
Cyber risk management stood out as the most prominent theme the participants felt needed to be prioritised by the industry. The UK oil and gas industry has made significant progress in defining and mitigating the cyber security risks that are present. There is a growing cultural awareness of security across the industry, and organisations are making progress to reduce vulnerabilities across their own estates.
But operators and suppliers are also beginning to recognise the genuine need for collaboration and knowledge sharing across the industry. Commonalities are seen across organisations in the challenges they face, and the methods applied in managing those challenges.
There are several opportunities for the industry to share insights and mutual benefit through an integrated approach to solving the identified challenges. I’m going to explore the themes further in subsequent blogs – watch out for them!
In the meantime, do you have an insight to share? Or a particular challenge you’re keen to collaborate on? The OGTC would be happy to support industry-wide efforts; please let me know if you and your organisation would like to be involved.