As I mentioned in my previous blog, Baringa’s recent study that the OGTC commissioned identified risk management as the industry’s biggest challenge.
In my experience, being able to explain, articulate and quantify an organisation’s cyber security risks to senior leaders is critical for making the right decisions on the types of mitigations and the budget required. One of the main challenges lies in the standard risk matrices that organisations use, as they tend to fall short when assessing cyber risk. They rely on standard impact-versus-likelihood approaches, which in the case of cyber security can be hard to apply consistently. Potential impact is easier to understand, thanks to the various high-profile cases that inevitably end up in the media, but can still be challenging. Security leaders can be accused of scaremongering!
Likelihood is even more challenging. Typically, on a normal risk register a score is associated with the frequency of the likely event (once a year, or many times a day). For most cyber risks that is difficult, because companies will never have had a major attack on their offshore control systems (that they know of), yet their firewalls are attacked thousands of times a day. So, which do you choose: high or low frequency? Furthermore, there are ever-changing external factors that will have an impact.
It is worth having a look at the different elements that make up a cyber risk profile…
Cyber threat landscape
When assessing the risk profile of the UK oil and gas industry, it is important to consider the cyber threat landscape. It is one of the most challenging factors to quantify, with developments in technology and politics persistently changing the potency of threat groups and their tactics. Threat actor capabilities and motivations vary, from nation state actors carrying out cyber warfare, through to opportunistic hackers who have less motivation beyond achieving kudos.
Threats to operational technology
Cyber security is highly emotive when it relates to operational technology (OT). The number of attacks targeting Industrial Control Systems (ICS) is steadily increasing. The UK oil and gas industry has seen an increase in attempted attacks of this nature, with the priorities of certain threat groups shifting towards more Western targets, and the methods and tools becoming more broadly utilised by other threat actors.
Threats to information technology
Alongside the targeted attacks on OT are a multitude of threats centred on IT estates. The potential impact of these threats is more challenging to quantify, relative to the distinct impacts associated with a compromise of ICS, and may have information security as well as broad operational impacts associated with it, such as the 2017 NotPetya attack on Maersk. This incident is commonly cited across the UK oil and gas industry, with many organisations having had direct interaction with Maersk.
Understanding and managing cyber risk
The OGTC cyber study identified four challenges, of which the greatest was understanding and managing cyber risk. The study found that organisations struggle to determine and quantify their exposure to cyber risk, and that security leaders are restricted in their ability to report on that exposure in order to influence senior stakeholders. The data available to inform analysis and treatment of cyber risk appears to be of limited quality, and security leaders are often considered ‘scaremongers’ because of the imprecise and intangible risks they report on.
The main findings of the study were:
• The language of cyber reporting is often too technical and unclear for the audience, with limited focus on business impact. This leaves business leaders disinterested in cyber security and uninformed on its relevance to their operations.
• The reported impacts of cyber risks are deemed either insignificant (e.g. lost mobile phone), or catastrophic (e.g. loss of life from OT compromise). Whilst risks to health and safety are the most concerning, such events are unlikely, and this can limit the ‘so what’ factor in conversations with senior leaders.
• Benchmarking data is not consistently collected or shared to enable organisations to compare themselves against peers and the overall industry. Cyber security is often considered ‘intellectual property’ (e.g. valuable and/or sensitive) and organisations are reluctant to share information.
• The health and safety culture within the oil and gas industry is strong and enables dialogue on the topic across the industry. A similar culture for cyber security is not yet established but can be achieved by incorporating some of the established processes and lessons-learned related to health and safety.
The study also looked at the most critical types of impact. Perhaps unsurprisingly, the protection of health and safety is considered the absolute priority while regulatory breaches (and resultant fines) were ranked last of the possible options.
In terms of what influences investment in security, regulatory compliance is the second most influential factor despite being a low-priority impact area, which highlights the importance of the regulator.
The industry is beginning to recognise the genuine need for collaboration and knowledge sharing. As cyber security risk management appears to be a common challenge across organisations, there is an opportunity for the industry to collaborate on an integrated approach to cyber risk management. The OGTC would be happy to support industry-wide efforts; please let me know if you and your organisation would like to be involved.