Digitization is on the rise in the conservative oil and gas industry as companies wake up to the cost and operational efficiency boost that sensors and algorithms can offer them. Meanwhile, cybercriminals are keeping ahead of the learning curve, forcing oil and gas to play catch-up.
Energy companies—including pipeline operators and utilities—spend less than 0.2 percent of their revenues on cybersecurity, two security consulting firms have calculated. This compares with three times this portion of revenues spent on cybersecurity by financial services providers and banks.
Cyber-attacks against the industry have been growing in frequency. Symantec is tracking as many as 140 cybercriminal groups that target the energy industry. That’s up from 87 in 2015.
Energy networks are especially vulnerable to cyber-attacks, say security tech experts. Hackers can cause widespread power outages, undermining critical security and defense infrastructure and endangering millions of citizens. Because hackers can gain control from close range or from long distances, they have the ability to access nuclear facilities, power grids, and power generation facilities around the world. Natural gas pipelines in both the U.S. and Canada are regularly targeted, and researchers in Oklahoma discovered that their wind-turbine facility could be hacked in less than one minute through a single lock on the door to gain access to their servers.
Last year, Deloitte reported that the energy industry was the second most popular target for cyberattacks in 2016. Almost three-quarters of U.S. oil and gas companies, the consultancy said, had a cyber incident in that year, yet only a tiny majority cited cyber risk as a major concern in their annual reports. As the industry struggled to adapt to the lower-for-longer oil prices with cost cuts, oil companies put investment into boosting cybersecurity on the back burner during the worst of the oil price plunge in 2015 and 2016, while hackers grew increasingly inventive and bolder.
In these uncertain times in the oil and gas industry, it is time to refocus on cybersecurity before a serious attack takes place. Oil and gas pipelines are, after all, critical infrastructure, and they deserve due attention from their operators.