In a world where accessing resources is key to national and international competitiveness, the Oil & Gas sector has found itself at the centre of a 21st century battle for economic power being played out in cyber-space.
Companies in the sector have had, and continue to have, their cyber-security compromised. This ranges from attacks by hacktivists or a counterparty during mergers and acquisitions to steal high-value intellectual property, to the theft of sensitive data during critical negotiations. Attacks can be detrimental to the industry, and there have been instances where the damage to IT infrastructure has been so extensive that companies in the sector have come close to being shut down.
The threat of state-sponsored cyber-warfare is not inconceivable, particularly for an industry providing critical national and global infrastructure. Hostile nations and terrorist organisations could attack the sector to bring production to a halt at times of political tension or war – made possible by the high levels of automation, through network connectivity and remote access, now used in operations. Given that the majority of oil and gas production is controlled by a relatively small number of organisations, the impact of disruption of this kind is heightened further.
There are already many examples of countries using cyber-espionage to benefit their national companies, and given that this has been seen to be successful, many analysts expect the use of cyber-espionage to spread. Last year’s attack on the world’s largest exporter of crude, Saudi Aramco, highlighted the potential impact a virus could have had on global hydrocarbon markets. More than 30,000 computers were compromised or affected. The attack on Aramco points to an escalation in cyber-attacks, with the adversaries constantly upping their game in a cyber arms race.
Fundamentally, boards need to be on the front foot and devise a robust strategy to combat cyber-crime, with a focus on creating better agility and providing the capabilities needed to counter threats as they evolve.
The reality is that many businesses have a long way to go in catching up with the hackers. Inevitably, as cyber-attacks on the Oil & Gas industry increase, it is estimated that this will spur significant investment in cyber-security by 2018, including spending on IT networks, industrial control systems and data security; countermeasures; and policies and procedures.
Many businesses in the sector are taking this issue seriously and making significant investments strategically and financially, trying to stay ahead of the criminals. KPMG has helped firms transform their information risk and IT security functions to deal with the new world. We have discouraged the ‘whack-a-mole’ approach to tackling security flaws in favour of a more forward-thinking method.
Those who do not act now and invest to transform how their IT infrastructure is secured and managed could be taking a significant risk with the value of their businesses.
In its analysis of the state of security in 2,000 top private businesses around the world, KPMG’s Publish And Be Damned, Cyber Vulnerability Index 2012 reveals that across the sample group (with combined assets of over US$31 trillion), rudimentary methods of accessing public data could glean an average of 210 usernames, 52 network folders and 171 email addresses at a business.
Partner, Head of Information Protection and Business Resilience, KPMG