Oil and gas companies are among the largest, most valuable, and most powerful organizations in the world, but also lag behind in addressing application security threats. They generally use a broader technology portfolio than other industries, including varying operating systems, web servers, and development frameworks. The sheer scale of the companies, combined with the size of their technology stack, means that they are slow to evolve in their technology.
Adding to the complexity of their portfolios is their tendency to purchase the majority of their applications instead of developing them in-house. As Aaron Merrick, vice president of information technology at Apache Corporation, said: “We write very little software. We purchase and implement tools that help Apache employees get their job done.”
Since it is difficult to manage risk and ensure security compliance across such a large portfolio, oil and gas companies have more potential than most for developing application security vulnerabilities. The perfect storm of a slow-moving sector and a la carte technology puts these companies at a high risk for cybersecurity attacks — risks that are only continuing to grow as hackers become more sophisticated and as oil and gas targets become more attractive.
“If you went to bed last night as an industrial company, you’re going to wake up this morning as a software and analytics company.” — Jeffrey Immelt, Former CEO and Chairman of GE (2014)
Unprecedented risk
The context in which this risk is growing is not conducive to confronting or mitigating it. The oil and gas industry currently has no regulatory standard for security. Additionally, recent studies have shown a lack of preparedness across the board.
- In a recent study by the Phenom Institute entitled The State of Cybersecurity in the Oil & Gas Industry: United States, more than 65% of respondents stated that their operations have experienced at least one compromise in security in the past year.
- However, according to the same study, a third of managers at U.S. oil and gas companies would rate their cyber-readiness as “high.”
- Additionally, according to Tripwire’s study, Cyber Attackers Successfully Targeting Oil and Gas Industry, 82% of respondents have experienced an increase in successful cyberattacks year over year.
Unforeseen costs
Not only are oil and gas companies a large and growing target for hackers, but damage caused by security incidents is higher than in any other sector; oil and gas lose an estimated average of $8.4 million for each day of halted operations. Once operations have resumed, the average cost of remediation for an incident is still $300,000, and if confidential information is exposed during the breach, the expense could reach even higher.
However, not all costs from a cyberattack can be measured in dollars and cents. As noted by a report from Deloitte, oil and gas companies are particularly vulnerable to attacks that could have deleterious environmental outcomes. “If a cyber attacker were to manipulate the cement slurry data coming out of an offshore development well, black out monitors’ live views of offshore drilling, or delay the well-flow data required for blowout preventers to stop the eruption of fluids, the impact could be devastating.”
Unprepared companies
Finally, companies in this sector are wholly unprepared to mitigate this risk. Only a third of respondents to a Siemens survey thought that their information technology networks and operations technology were fully aligned to prevent cybersecurity threats, and nearly half of all OT attacks go completely undetected. Companies cannot be prepared for a potentially costly incident they cannot even detect.
In a McAfee report on network security, the most frequently cited challenge to ensuring the security of critical networks was cost. But in the oil and gas sector, something more insidious took first place; the chief perceived challenge was, “Lack of awareness of the extent of the risk.”
A bold response: an expert system for security and compliance.
Oil and gas companies can manage, mitigate and eliminate application security vulnerabilities by using Security Compass’s policy-to-execution platform, SD Elements. As an expert platform, SD Elements is crucial for companies with a broad technology portfolio.
For applications created in-house, the platform helps developers ensure they are building security compliance into programs from the start, reducing the need to detect vulnerabilities later with SAST and DAST tools or penetration testing. For purchased applications, the platform allows companies to conduct automated threat modeling and assess the risk profile of applications. The security requirements in SDE Elements can also be used as acceptance criteria when sourcing off-the-shelf applications, or engaging with 3rd party developers. Now, with the recently released operational security capability, the platform can help ensure the security of 3rd party application deployments to environments such as Amazon Web Services (AWS).
Oil and Gas companies bring a high level of risk to the table, but SD Elements can help holistically manage that risk and ensure compliance across a broad technology portfolio.