Study: Majority of Oil and Gas Orgs Are Highly Vulnerable, Few Have Plans to Fix It

- February 16, 2017

Two days ago House Homeland Security Chairman Rep. Michael McCaul, R-Texas, took the stage to deliver a keynote address about the nation’s state of cybersecurity and painted a rather bleak picture.

Industry players and government agencies, McCaul said, are not sharing enough information about threats. The “cyber outlaws” are outnumbering the “sheriffs.” And the speed, adaptability and technology of attackers is outpacing the “outdated bureaucracy” that is fighting back.

He also rebuffed President Donald Trump’s idea to put the Department of Defense in charge of protecting “critical infrastructure” and U.S. networks. Instead, he said, protection efforts should be headed by a civilian agency.

He also added that critical infrastructure should be built with cybersecurity in mind, which is currently not the case.

In fact, a new study from the Ponemon Institute that looks at the state of cybersecurity readiness in critical infrastructure—specifically oil and gas—environments finds pretty much the opposite. According to the study’s findings, cybersecurity measures are not keeping pace with the digitization in the operations of oil and natural gas infrastructure. And the slow pacing is leaving networks and the equipment that runs those environments incredibly vulnerable.

The study’s respondents—377 industry professionals “responsible for securing or overseeing cyber risk in the OT environment”—make it clear that the risk to their operations is increasing. Sixty-seven percent of respondents expressed that the risk level of industrial controls has “substantially increased” in recent years. Yet, only 35 percent of those who participated rated their readiness level as high.

The study also asked participants about their experience with security breaches, finding that 68 percent of those surveyed have had at least one compromise of their organization. A further 61 percent noted that their current protections and security for industrial controls are not adequate.

In addition to shortcomings in encryption of traffic in motion, participants also cited behavior and incident monitoring as an area of improvement. In fact, nearly 46 percent of all cyber attacks in the OT environment go undetected.

This coincides with recent findings from Cisco’s Annual Cybersecurity Report that as many as half of all security alerts within a IT security environment.

Feature image: Patryk Grądys,