Some of the world’s largest petroleum and gas companies will work together to collectively improve cyber security defences, after formally embracing a Cyber Resilience Pledge (CRP) at this month’s World Economic Forum (WEF) annual meeting in Davos, Switzerland.
Designed to mobilise an industrywide response to the increasing cyber security threat against critical infrastructure, the CRP is based around cyber resilience principles and, the WEF notes, targets senior cyber leaders to “take collective action by developing global approaches and improving cyber resilience across ecosystems”.
The eighteen founding members include oil and gas interests including Aker ASA, Aker BP, Aramco, Ecopetrol, Occidental Petroleum, Petronas, Repsol, and others as well as cyber security firms such as Check Point Software Technologies, Claroty, Dragos.
“Companies must work together if they want to truly protect the critical energy infrastructure that billions around the world depend on,” said Saudi Aramco CEO Amin Nasser as the CRP was announced.
“As the world deepens its digital footprint, cyber threats are becoming more sophisticated – but one company, working alone, is effectively like locking the front gate while leaving the back door wide open.”
The pledge is a show of support for the WEF’s ongoing efforts to improve the cyber security of critical infrastructure, which came into sharp focus after last year’s Colonial Pipeline ransomware attack and February’s attacks on European oil facilities in northern Europe.
Ongoing cyber attacks on Ukrainian targets, and hacker campaigns against Russia, have only exacerbated the awareness that the world’s energy networks remain vulnerable due to lingering weaknesses in the SCADA and other operational technology (OT) systems that manage them.
Russia’s invasion of Ukraine had catalysed concerns about the vulnerability of the sector, with two-thirds of respondents to recent research by risk management firm DNV saying the invasion had motivated their companies to make major changes to their security strategies and systems.
Fully 85 per cent of energy-sector executives believe a cyber attack on the industry is likely to cause operational shutdowns and 84 per cent expect damage to critical infrastructure, according to DNV’s survey – in which 57 per cent of the 940 surveyed respondents also warned that a cyber attack will cause loss of life within the next two years.
Facing the critical-infrastructure threat
The newly launched CRP – which is expected to be replicated in other industries over time – is part of the WEF’s Cyber Resilience in Oil & Gas initiative, which has brought together industry stakeholders to develop guidance such as a blueprint for evaluating cyber risk, guidance for improving supply chain risk, and a third-party assessment tool that measures a company’s cyber resilience against 39 cyber security requirements.
Providing industry-relevant benchmarks is crucial in industrial sectors where strategies for protecting IT and OT networks have varied dramatically over the years.
“In IT, we understand where our critical assets are, but in OT it’s a little bit harder,” Jeff Campbell, CISO of Western Australian energy concern Horizon Power said during a recent webinar. “If you speak to most organisations that run a SCADA network, sometimes understanding where their assets are, and the criticality of them, becomes hard.”
Only 47 per cent of respondents to the DNV survey said their OT security is as robust as their IT security, while 35 per cent said it would take a serious incident before they were motivated to invest in their cyber security defences.
“So really bridging that gap between IT and OT, mapping out your threat scenarios, and embedding IT and OT team members in each others’ teams, is crucial,” Campbell said.
“There’s no better way to understand another environment than if you actually start to work as a team together.”
Cybercriminals’ renewed focus on the sector has led to warnings about imminent cyber attacks on Australian infrastructure and new legislation designed to protect it.
Australian energy operators have embraced the Australian Energy Sector Cyber Security Framework (AESCSF), an electricity-industry cyber security maturity framework that was last year extended to gas markets and this year will expand to liquid fuel suppliers as well.
Even as the AESCSF and similar frameworks gain momentum, broader efforts like the WEF’s new CRP will continue to unite a sector where cyber security resilience is more important than ever.
“For these kinds of pledges and initiatives to be successful, leaders must address the fundamental issues that hinder a genuinely effective response,” said Lucia Milică, global resident CISO with security firm Proofpoint, advising that “to contend with the complexities of today’s threat landscape, organisations must bring cyber security expertise directly to the board level.”
“With the prospect of significant downtime, disrupted operations and impacts on business valuations weighing heavily on the minds of the board as the result of a cyber breach, hopefully over the next 12 months we will see this awareness turn into action.”
