Skip to main content

Oil and gas cyber security

Hydrocarbon Engineering,

Below are findings from a recent EY report on cyber security titled, ‘Global Information Security Survey 2014.’

  • 61% of oil and gas organisations believe it is unlikely or highly unlikely that they would be able to detect a sophisticated attack.
  • 13% believe that their information security function is fully meeting the organisational needs.>
  • 29% have no real time insight on cyber threats.

Security budgets

  • The majority of current spend is being allocated simply to maintain existing security capabilities.
  • Many organisations have not historically seen their cyber security posture improve as spend has increased.
  • IT security budgets are staying relatively static.
  • Security departments invest the latest security tools rather than seeking the root cause of security challenges.
  • Budget constraints are often compounded by a separation of roles and responsibilities for operational technology security and cyber security.

Security metrics

  • Security departments tend to report lag indicators to provide information of likely cyber threats.
  • Cyber threats continually evolve along with the factors that influence them.
  • Oil and gas companies need to look at integrating leading indicators with their lag indicators.

Recognising the breach

  • There is growing evidence that the majority of large organisations have been breached.
  • In some cases, investigation has shown that the breach occurred months earlier than discovery.
  • It is often only at the point when data is tampered with that companies identify malicious behaviour and respond.
  • Oil and gas organisations have the broad experience necessary to manage and support complex operations linked to large scale networks and with many points of ingress and egress.

Working together

  • The oil and gas sector needs to recognise the value of joining resources together.
  • The industry needs to use working groups to share and disseminate threat intelligence.
  • The experience and capability of consultancies needs to drive change and improvement programs.
  • Leveraging security vendor technology to underpin different aspects of cyber threat monitoring, alerting, defence and response would help the industry.

Edited from report by Claira Lloyd

Read the article online at:


Embed article link: (copy the HTML code below):