Cyber security in the oil and gas sector

Post COVID-19 many organisations are focused on cost reduction, remote operations and improved efficiencies, while ensuring greater business resilience to future events both economic and environmental. The current reality has created rapid change to the way people work, which has resulted in increased instances of fraudulent activity and cyber attacks.

Cyber attacks in the oil and gas industry can threaten an organisation’s information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place. A breach in industrial control systems could cause a serious occupational health and safety event, which in an industry focused on creating zero harm work environments, could cause serious harm to an individual and an organisation’s ability to operate.

Often cyber security awareness training is isolated to office-based staff, however the oil and gas industry has a hugely diverse workforce, with employees working in roles from truck drivers to engineers to finance officers, and working in very different environments from offices, to mine sites to offshore rigs. Despite the variety of roles and locations, the cyber security threat is there for every individual, so every employee needs cyber security training. Rolling the cyber security awareness into the occupational health and safety awareness will allow all staff to become aware of the implications of a cyber attack, what they need to do to help prevent such an attack, and in the case of such an event how to respond to ensure safety and security.

Cyber attacks can lead to information losses and operational outages – challenges which also have further implications for an organisation’s governance obligations. The Privacy Act requires organisations to report any data breaches if the information leaked could cause serious harm to an individual. Loss of commercially sensitive information, such as past purchases, mining locations and iron ore pricing, could lead to competitive advantages if in the hands of the wrong people.

Ensuring there are plans, mechanisms and technologies in place to cover all aspects of the business is critical. Often cyber security is seen as an IT department function. However, a cyber security event can impact the people, the processes and the technology of a business and cause widespread outages. Including cyber security protection in operational and business resilience plans is essential as it’s a whole of business problem.

The sector is facing a series of challenges in implementing proper cyber security protocols, including:

• it's not considered a core business function
• unsure of what the cyber and risk threat is
• identifying new risks introduced through remote working
• updating legacy systems
• proper training for response to attacks.

Organisations need to identify the critical elements that need to be protected, not just assets, but what information and data should be tightly protected as well.

• Asset visability and threat profiling – before an organisation can adequately protect itself, it needs to have a complete understanding of its current assets, and the threats they are faced with.
• Red teaming and security testing – organisations should perform real world attack simulations. These simulations should involve performing the same activities malicious attackers would perform to test the operating effectiveness of controls in a safe environment. Simulations can range from pure technical testing, through to those that include social engineering and physical access testing.
  

• Security maturity assessment
  Organisations should assess their security maturity and posture against relevant industry leading frameworks, including Australian Energy Market Operator’s Australian Energy Sector Cyber Security Framework and National Institute of Standards and Technology’s Cyber Security Framework so that a clear understanding of the control effectiveness can be established. Develop recommendations for improvement and use benchmark maturity against other comparable organisations to define target state.
  
  
• Cyber strategy and governance
  Develop strategies and governance processes to the business increase its security posture.

KPMG provides a range of services that span the complete range of considerations for an effective approach to cyber security. Strategic partnerships with world class providers ensure our clients have access to the latest technologies and thinking to support robust, and fit for purpose cyber security controls. In addition to our partnerships, KPMG has developed global solutions providing rapid deployment to meet critical needs.

At KPMG, we understand that businesses cannot be held back by cyber risk. Our professionals recognise that cyber security is about risk management – not risk elimination.

No matter where you are on the cyber security journey, we can help you reach the destination: a place of confidence that you can operate without crippling disruption from a cyber security event. We work with you to provide cyber security services for:

• Strategy & Governance
• Cyber Transformation
• Cyber Defence
• Cyber Response

And we don’t just recommend solutions – we also help implement them. Besides helping you set the strategy, we also have deep technical skills in penetration testing, privacy, data security, business resilience and access management to help you every step of the way from concept to delivery.

Learn more about KPMG's Cyber Security Services and capabilities.