Oil and gas operators have reaped the benefits of widespread digitisation which has created more efficient ecosystems from the rig to the refinery, through to ground administrative operations. The increasing use of automated technologies such as artificial intelligence in the oil and gas industry has been extremely beneficial in improving operational productivity and efficiency.
However, with this increased digitisation and reliance on technology, comes greater vulnerability. Research from Accenture's Ninth Annual Cost of Cybercrime Study has revealed cybercrime is costing the oil and gas industry US$13.7 million annually. Many companies are regularly suffering from malicious malware and web-based attacks, and the increasing incidence of denial of service attacks are creating a myriad of operational issues that are costing companies millions.
In 2018, a cyberattack on a shared data network in Texas forced four of America's natural gas pipelines to shut down for a week. This incident uncovered vulnerabilities in existing national cyber security solutions and served as an important wakeup call for Australia's own energy systems.
Most critically, Accenture's research revealed the techniques behind cyberattacks on oil and gas operators are rapidly evolving and becoming more sophisticated, heightening the need for greater resource allocation towards improving cyber resilience. The recent drone attacks on oil operators in the Middle East are evidence of exactly how these emerging digital warfare tactics are causing chaos for global energy security, threatening international supply chains and driving up oil prices. Such attacks are an urgent reminder for Australian oil and gas operators of the importance of covering all possible avenues to protect their critical assets.
To secure the future of Australia's oil and gas industry, businesses must adopt a ‘Triple Zero' approach. This is ensuring zero harm, zero loss and zero waste across the business - all of which are paramount in protecting critical information systems from cyber criminals. For oil and gas operators achieving zero harm must begin with evaluating and improving existing their cyber security systems.
The true cost of cybercrime
Accenture's research revealed that over the last year, the cost of cybercrime has increased by 12%, with the incidence of attacks also increasing by 11%. Information loss resulting from malware is on the rise and remains the most expensive consequence of cyberattacks, wiping US$2.6 million from the oil and gas industry every year. Globally, across all industries, the total value at risk from cybercrime is set to peak at US$5 trillion over the next five years.
By adopting data loss prevention technologies and using cryptographic technology which encrypts data to prevent theft and alteration, operators in the oil and gas industry can greatly reduce the cost of cybercrime.
It is important for oil and gas operators to remain proactive. They can do so by focusing their resources towards investing in encryption as the first step to protecting their critical assets and clearing out any sleeping threats.
Time is money
One of the most significant findings from the research is that it takes oil and gas operators an average of 60.1 days to recover from a malicious insider attack, 51.7 days for malicious code attacks and 33.4 days for ransomware-based attacks. This concerning revelation suggests oil and gas operators are ill-equipped to deal with the extensive operational disruptions of cybercrime.
The focus must shift towards investing in preventative enabling technologies such as security intelligence and threat sharing.
The data breach at Australian National University which occurred in late 2018 but was not detected until May 2019, demonstrates why preventative technologies are so critical. This example serves a salient lesson for all oil and gas operators to remain vigilant and prepared as they - along with all other Australian businesses and organisations - are not immune from cybercrime.
Humans are the weakest link
Whilst detection technology has come a long way, employees remain the second greatest cause of security breaches in the oil and gas industry, second only to hacker attacks.
The recent example of fund management company Landmark White where as many as 15 IT and senior management employees were aware of a weakness in the company's valuation platform but failed to rectify it, exemplifies the urgency for ingraining a security mindset.
Fostering a culture of vigilance remains the most underfunded defence against cyberattacks in the oil and gas industry, but one of the most important, especially given the use of external contractors is common practice.
Prioritising security intelligence and threat sharing technology offers a solution for oil and gas operators to protect their critical assets from human intervention and provides significant savings of US$2.26 million every year.
Prioritise to protect
Operators must remain hyper-vigilant if they are to protect their critical assets and the natural environment from malicious cyberattack.
In 2000 a cyberattack on Australian soil caused 800,000 litres of untreated sewage to flood waterways in Maroochy Shire, Queensland. If a pipeline, refinery or oil rig was hacked in Australia, the impact on the environment could be catastrophic.
A further finding was the underuse of automation, AI and machine learning technologies in identifying cyber-attacks and being on the front foot. These technologies were found to reap cost savings of US$2.09million but are only being taken up by 38 per cent of operators in the oil and gas industry. This represents a significant lost opportunity for many oil and gas operators, and one that they cannot afford to sacrifice given the rapid transformation of cybercrime in Australia.
Moving forward - what can the oil and gas industry do?
As we've explored, digital technologies are becoming more commonplace across the industry, increasing the threat scape, and cyberattack techniques are continuing to evolve and diversify.
Australian oil and gas operators are recognising the evolving complexity of cybercrime and Accenture research shows investment in cyber resilience by oil and gas companies is expected to increase by more than 30 per cent over the next three years. Cyber resilience is now becoming part of a wider set of responsibilities for oil and gas companies as they work to maintain both their licence to operate and their commitment to stakeholders.
Moving forward, it is therefore imperative that preventing cybercrime remains a top priority for all oil and gas operators in Australia - but what can they do?
THREE KEY STEPS TO CYBER RESILIENCE
- Stay informed - consistently evaluate and improve existing cyber security systems and proactively invest in current technologies that strengthen organisational resilience
- Secure and protect information - adopt behavioural analytics, intelligent encryption and threat detection technology to secure your most critical assets
- Build a strong foundation - prioritise your people by ensuring security diligence and a ‘zero harm' mindset remains a top priority across all internal and external relationships
Technology has become the fabric of a new reality in the oil and gas industry, evoking a whole new world of threats and vulnerabilities. Managing exposure to attacks can no longer be just a matter of protecting reputation and share price. It must become part of a greater responsibility for protecting our nation.
If the Australian oil and gas industry is to move towards ensuring a zero harm, zero loss and zero waste future, operators simply cannot ignore the growing costs and consequences of cybercrime. Proactivity is paramount and the time for action is now.
Christophe Bourdeau is Accenture's Industry X.0 lead in APAC; Raymond Griffiths, Operational Technology Security Lead, Accenture Australia and New Zealand.