Contents
Foreword
Introduction
Understanding the risks
Conduct a maturity assessment
Build a unified program
Implement key controls
Embrace good governance
Conclusion
Contact us
An integrated approach to combat cyber risk | Securing industrial operations in oil and gas
Foreword

The oil and gas industry is moving into the next stage of its evolution, in which robotics, digitization, and the Internet of Things (IoT) are rapidly being integrated into the operational environment. The interest of cyber criminals in industrial operations has increased over the last decade, resulting in cyber attacks that have compromised both production and safety. These attacks have made cyber security a hot discussion topic in boardrooms around the world, and a growing number of organizations are now developing large transformation programs to address these new operational threats.

Solving these challenges requires a clear understanding of both the engineering and IT disciplines, as well as leading sector-specific cyber security practices. This paper shares the insight gained from our extensive field experience, including lessons learned in helping oil and gas companies to go beyond safety in securing their industrial control systems (ICS). We hope you find this report to be both thought provoking and useful.

Regards,
Introduction

Critical infrastructure relies on industrial control systems (ICS) to maintain safe and reliable operations. Engineers have successfully designed and deployed ICS with safety and reliability in mind, but not always security. Why? Originally, there was little need for it. Fit-for-purpose, isolated operational systems were the order of the day. Since these operational systems were not integrated with enterprise systems, or even with each other, the risk of a large-scale cascading failure due to an attack, cyber or otherwise, was very limited.

Fast forward 20 years, and the ubiquitous connectivity of the Internet of Things (IoT) has turned the most basic assumptions about operational security upside down. Today, all sorts of industrial facilities, including oil fields, pipelines and refineries, are vulnerable to cyber attacks. Regardless of their location, operational systems can now be compromised by external or internal risks, causing safety or production failures and increasing commercial risk. Although ICS are typically designed to fail safe, the increasing sophistication of cyber criminals heightens the risk of catastrophic incidents, along with the magnitude of the impacts in terms of cost, safety, reputation, and commercial or financial losses.

Like other industries, the oil and gas sector has been working to improve cyber security, which is a priority concern among senior leadership and boards of directors.

While the industry has escaped a major operational catastrophe thus far, this good fortune may not last unless companies expand their cyber security programs. To date, oil and gas companies have been primarily focused on protecting corporate, as opposed to operational, systems and data. That is because IoT (where production can be controlled from an iPad or a smart phone, for instance) is relatively new, having gained momentum only over the last decade. Also, operational systems are inherently different, requiring engineering know-how, and not just IT expertise, in order to secure them appropriately.

Today, an approach that brings together IT and engineering is needed to address cyber security programmatically and sustainably. The following discusses the goals of such an approach as well as practical steps for getting started. First, let's take a closer look at the types of cyber risks facing the oil and gas industry, how they can disrupt the value chain, and what the consequences could be.
[Figure: the oil and gas value chain and the cyber risks along it]
Upstream: Exploration, Production
Midstream: Transportation
Downstream: Refining, Marketing
Risks shown: Failure to meet business commitments and reputation damage; Unsafe operating conditions and downtime, leading to supply disruption and revenue loss
Figure 2. Example of a Cyber Risk bowtie analysis for an oil and gas company
[Bowtie diagram; labels recovered from the figure, reading left to right]
Threat actors: Employees; Contractors and vendors; Hackers; Activists
Threats, with the controls on the threat side of the event (preventive): Vendor management; Information protection and encryption; Identity management; Network segmentation; Physical security; Malware and patch management
Event: (label not recovered)
Controls on the consequence side of the event (response): Threat intelligence; Incident response; Emergency response
Consequences: ... of confidential information (leading words not recovered); Financial loss; Reputational damage; Regulatory fines and penalties
Source: Information adapted from Talbot, J, and Jakeman, M, 2008, Security Risk Management Body of Knowledge, RMIA, Carlton South
[Figure: ICS cyber security maturity model; five levels from Initial to Optimized (the numeric scale is not fully recovered), each characterized by typical behaviors and key controls]

Initial
Behaviors: Dependent primarily on individuals and isolated practices; new or relatively inexperienced security team.
Key controls: General awareness of ICS cyber security needs, but not considered a priority.

Repeatable
Behaviors: Ad hoc approach with some tools and documented procedures; established security function.
Key controls: ICS cyber security strategy and policy established; awareness and education; segmentation of ICS and corporate networks; annual risk assessment with identified gaps and remediation plan; virus and malware protection.

Defined
Behaviors: Clearly defined strategy supported with tools and methods to manage risk; security processes defined and in place; established security function with integrated systems designed to predict, prevent, detect, and respond.
Key controls: Inventory of all cyber assets; security standards developed; annual vulnerability testing; 24/7 security monitoring; incident response plan developed and tested; physical security.

Managed
Behaviors: Established security capability, with defined processes and measures; focused on risk management and business enablement; two plus years operating with defined processes and practices.
Key controls: Industrial control systems secured according to security standards; identity and access management for provisioning and authentication; end point security; mobile protection; third party security.

Optimized
Behaviors: Risk sensing and predictive analytics used to model threats; highly automated; five plus years operating without a significant failure.
Key controls: Cyber threat intelligence/sensing; data loss prevention; behavioral analytics.
[Figure: components of a unified ICS cyber security program; labels recovered from the diagram, some split by extraction: Threat, Incident, Analytics, Security, Business Continuity, Management, Policies & Standards, Encryption, Security Event Monitoring, Identity Lifecycle Management, Network Security, Infrastructure Protection, Physical Security, System Security, Malware Protection]
Conclusion

In the past few years, the oil and gas industry has seen the traditional boundaries between corporate IT and ICS largely disappear. Today, the evolution continues with the digitization of the oil and gas field. As this interconnectedness marches on, so do the frequency and sophistication of cyber attacks. However, most companies have not kept pace in terms of their preparedness.

The place to start is assessing the maturity of the cyber security controls environment. Going beyond traditional operational safety considerations to implement a secure, vigilant, and resilient program is essential not only for enhancing an oil and gas company's ability to protect operational integrity amid a growing range of cyber threats, but also for achieving operational excellence by taking advantage of the productivity benefits offered by a digitized, fully integrated ICS environment.

"The call to bridge the cyber-readiness gap has never been louder, with growing public awareness of cyber crime and the potentially disastrous impact it can have on critical infrastructure."
Contact us

Deloitte can assist you in conducting a cyber security maturity assessment. For more information, contact one of our risk management professionals below:

Authors
Paul Zonneveld, Global Energy & Resources Risk Advisory Leader, Deloitte Canada, +1 403 503 1356, pzonneveld@deloitte.ca
Andrew Slaughter, Executive Director, Deloitte Center for Energy Solutions, Deloitte US, +1 713 982 3526, anslaughter@deloitte.com

Global contacts
Rob Hayes, Risk Advisory Director, Deloitte UK, +44 20 7007 2606, rjhayes@deloitte.co.uk
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK
private company limited by guarantee (DTTL), its network of member firms,
and their related entities. DTTL and each of its member firms are legally
separate and independent entities. DTTL (also referred to as Deloitte Global)
does not provide services to clients. Please see www.deloitte.com/about for a
more detailed description of DTTL and its member firms.