
US Oil and Gas Industry unprepared to mitigate risks in operational technology (OT) environments

A study commissioned by Siemens revealed that the US oil and gas industry is unprepared to mitigate cybersecurity risks in operational technology environments.

A new study commissioned by the engineering firm Siemens revealed that the oil and gas industry in the United States is largely unprepared to mitigate cybersecurity risks in operational technology (OT) environments.

The survey was conducted by the Ponemon Institute and involved 377 individuals who are responsible for securing or overseeing cyber risk in the OT environment. Sixty-eight percent of respondents admitted having suffered at least one cyber incident in the past year that caused OT disruption or loss of confidential information.

Only 41 percent of respondents said they continually monitor all infrastructure to prioritize threats and attacks. The worrying finding that emerged from the survey is that an average of 46 percent of all cyber attacks in the OT environment go undetected, which means that organizations have to improve their security posture by adopting systems for threat detection.

One in five respondents (20 percent) admitted that their organizations were compromised by a sophisticated strain of malware such as Duqu and Flame.

Exploratory information and production information are the most vulnerable areas in the oil and gas value chain.

“Exploratory information is the area most vulnerable in the oil and gas value chain to a cyber attack. When asked to identify the top seven areas of greatest risk, 72 percent of respondents say it is exploratory information and 60 percent of respondents say it is production information,” reads the study.

The majority of respondents rate their organization’s OT cybersecurity readiness as low to medium; only 35 percent believe they are resilient to cyber attacks.

Sixty-seven percent believe cyber threats have had a significant impact on the risk to industrial control systems (ICS).

Sixty-nine percent of individuals who participated in the survey are concerned about the risks associated with third parties in the supply chain.

“Cyber risks, especially across the supply chain, are difficult to address. Sixty-nine percent of respondents believe their organization is at risk because of uncertainty about the cybersecurity practices of third parties in the supply chain and 61 percent say their organization has difficulty in mitigating cyber risks across the oil and gas value chain,” continues the report.

Negligent and malicious or criminal insiders are considered the principal threats to the U.S. oil and gas industry.

“Together negligent and malicious or criminal insiders pose the most serious threat to critical operations. Sixty-five percent of respondents say the top cybersecurity threat is the negligent or careless insider and 15 percent of respondents say it is the malicious or criminal insider.”

Let’s close with a look at the factors that pose the major risks to organizations. Roughly 60 percent of respondents pointed to outdated and aging control systems or vulnerable IT products used in production environments.


Pierluigi Paganini

(Security Affairs – operational technology, security)
