Sector Uses Multifactor, Eschews Cloud, Can’t Afford Cyber Insurance
The oil and gas industry has high levels of cyber awareness and low levels of cyber insurance, says a sectoral assessment from credit rating agency Moody’s.
Paywalled research that the financial analysis firm published Monday, based on a 2023 survey of debt issuers in the nonrenewable energy sector, found that more than nine in 10 sector corporations employ dedicated cybersecurity staff. The number dips to slightly more than eight in 10 for midstream companies – the subsector responsible for transporting, storing and wholesale marketing of petroleum products. There is no obvious cause and the disparity isn’t meaningful, a Moody’s spokesperson said.
A quarter of surveyed companies also link CEO compensation to the achievement of cybersecurity goals, a figure that surpasses a global corporate average of just 18%. In integrated oil companies – corporations that handle all aspects of the business from exploration to distribution – that number jumps to two-thirds of CEOs.
All survey respondents said they have incident response plans and nine out of 10 said they test the plans at least once a year. More than eight in 10 use multifactor authentication for online resources such as email, a number that jumps to 10 out of 10 for large integrated oil companies. Backup is a weaker area, with only 67% of sector respondents reporting that they regularly take backups, a number that’s lower than the corporate average of 81%.
The sector has experienced a clutch of high-profile attacks including a 2021 incident at Colonial Pipeline that resulted in brief gas shortages in the American Southeast. The attack shaped the then-nascent Biden administration’s approach to cybersecurity, catalyzing a multiyear, international effort targeted at disrupting the ransomware underground (see: LockBit and Evil Corp Targeted in Anti-Ransomware Crackdown).
Texas oil service giant Halliburton more recently told U.S. federal regulators that hackers stole data after the firm acknowledged “unauthorized activity” on its networks in late August. Spanish integrated multinational Repsol in September told natural gas customers that an incident at a third-party technology provider resulted in a breach of data including full names, national ID numbers and addresses.
“Energy sectors are particularly at risk for cyberattacks,” said Janko Lukac, a Moody’s vice president focused on the oil and gas sector, in an emailed statement. “Energy production and distribution is key for national security and hence a sensitive topic. If something goes materially wrong, there are potentially direct consequences for end consumers, as the Colonial Pipeline incident showed.”
High levels of cybersecurity awareness in the sector come paired with a cautious attitude toward cloud storage, survey results also found.
Nearly every surveyed company said they are turning to private cloud technology, but also said they are determined to keep IT infrastructure on premises. Of those that do use public cloud computing, most tend to stick with one provider, with the exception of oil companies based in Europe, the Middle East and Africa. Nearly two-thirds of representatives from those firms told Moody’s they use more than one provider.
Cyber insurance take-up in the sector is below the corporate average of approximately 80%. Only half of sector firms carry the insurance – a datum explainable by high confidence in internal security and risk management practices. “The cost and quality of insurance products may also be factors,” Moody’s wrote.
“Based on conversations with the industry, it seems that potential damages can be quite costly (considering potential production losses/environmental damages). Due to the magnitude and severe consequences of some risks, it is often not economically viable to find decent insurance cover,” Lukac said.
Most cybersecurity customers complain about skyrocketing premiums, but rates grew 315% between 2020 and 2022 in oilfield services, according to Moody’s data. Overall sector premiums grew by 70% during that period, a rate that exceeds a corporate average of 50%.