Cyber Risks Haunt Energy and Natural Resource Sector
This blog was originally published by KPMG here.
Written by Ronald Heil, KPMG.
Imagine connected sensors that dispatch a repair crew to a fraying pipeline, laser ‘guard rails’ that prevent tanker trucks from backing off piers, and smart systems that prompt the power company to recharge your electric vehicle overnight. This sampling of operational technology hints at both the potential benefits — and the corresponding cyber security risks — that the fourth industrial revolution can bring to the Energy and Natural Resources (ENR) sector.
While it’s still early days in the adoption of embedded technology across the ENR landscape, now is the time for enterprises and governments to strengthen their awareness, and take proactive steps, to encourage such advancements and prudently manage the emerging risks.
The pace of Industry 4.0 in ENR
There’s no shortage of opportunity to transform the historically physical and manual character of ENR through Industry 4.0, from internet-connected devices to AI and machine learning, enabled by the cloud, data analytics, and new communication technologies such as 5G networks.
In recent years, many industry players have taken considerable steps forward — including horizontal (local) digitization of their internal operations — but now a cadre of leading organizations are incorporating vertically connected systems (e.g. bringing clusters of process control data to the cloud), to really optimize their data usage, automation and digitization.
These early adopters are found across continents, from Europe, where environmental interest is high, to the Middle East, with its strong levels of investment capital, to Asia, where much technology invention is percolating. The leaders range from traditional local companies that are improving the efficiency and safety of select processes, to multinationals that are creating seamless integration across their supply chains, to operate smarter, faster, more sustainably and more profitably.
And although the global pandemic may have stalled some technology investment, many companies are exploring opportunities, often through new ventures or subsidiaries with supportive cultures to nurture this innovation in a controlled scope.
This measured pace towards a connected ENR ecosystem is a good thing, as it gives the industry time to build awareness of — and the capabilities to manage — the accompanying cyber security risks. For instance, growing connectivity increases organizational exposure to cyber and safety risks, arising through direct hacker attacks on internal systems, or through ‘chain effect’ vulnerabilities if a company’s suppliers are targeted. This conjures images of corporate supply chains being disrupted, or shutdowns of power grids or other critical infrastructure.
Building understanding in boardrooms
As corporate boards discuss the potential adoption of Industry 4.0 technologies, there remains limited understanding of the cyber security risks at stake. It’s important to have quality boardroom discussions about the potential benefits and risks of Industry 4.0 adoption. However, these debates can be difficult since the question still looms, 'could this happen to us?' Perhaps it's due to limited awareness resulting from under-reporting by companies and authorities, particularly on the industrial side, and the belief that industrial environments are isolated.
The result is that board members might dismiss the cyber threats and overlook important security investments. Or, conversely, board members might reject proposed Industry 4.0 investments because they over-estimate the potential risks.
The answer, naturally, lies in carefully balancing the risks and rewards. Boards must build a solid understanding of the actual risks and containment (survival) strategies available. Then, they can make strategic choices regarding ‘right-fit’ new technologies that offer proven value to their business.
Boards and senior leadership should not ask, “Can’t we just address this problem ‘if’ it occurs?” In reality, experience in other sectors shows that such incidents are not a matter of ‘if’ but ‘when.’ Thus, organizations must take action now, both to defend against attacks, and to ensure they can respond effectively after a breach occurs.
Fortunately, there are several organizations, such as major Oil & Gas companies, embracing this approach and bringing change, whether by exploring new technology in controlled environments, or implementing stringent third-party risk management, perhaps with in-depth due diligence of supply chain partners or proactive monitoring of each other’s systems.
This speaks to the importance of digital trust in ENR, since companies will increasingly scrutinize the partners they deal with across the ecosystem, just as consumers switch among energy service providers who they believe they can trust and rely upon.
Cooperating over walls and borders
Creating the right conditions for a smooth, secure roll-out of the fourth industrial revolution depends on complementary and coordinated actions by enterprises, national governments, and inter-governmental bodies.
At the national level, there is growing awareness and activity. While many authorities must still develop a fuller appreciation of the risks to their critical infrastructures, solid programs are coming into force in many jurisdictions. These range from strict regulatory regimes in the US, under several national agencies, to the United Kingdom’s Government Communications Headquarters (GCHQ), an intelligence and security organization that is both safeguarding state assets and supporting cyber resilience in the private sector and industry (critical infrastructure).
Though there is a need to increase cooperation and communication at the trans-national level, it’s notable that Europe is modernizing its 2016 Network and Information Systems Directive (NIS): NIS 2 will require member states to increase their supervision and enforcement of cyber security risk management practices in key sectors, including energy and digital infrastructure.
There is much opportunity for further collaboration, supported by the United Nations, the World Economic Forum or other international bodies, to promote international guidelines and standards to secure critical infrastructure. For example, the new ISA/IEC 62443 series of standards was drafted with the input of industrial automation and control system security experts from across the globe, to develop consensus standards applicable to all industries and critical infrastructure. Such frameworks can be adapted to the specific requirements of ENR at the national or regional level.
Although the looming cyber risks are real, the combination of preventative measures — alongside smart technology choices and controls by ENR companies — will bring powerful innovation and growth to oil and gas fields, ports, and refineries. Industry 4.0 is a challenge.