The World Economic Forum (WEF) has brought together industry and cybersecurity experts from companies and organizations such as Siemens Corp, Saudi Aramco, Royal Dutch Shell, the Cyber Security Agency of Singapore, the U.S. CISA, industrial cybersecurity company Dragos and many others to compile a blueprint for enhancing cyber resilience across the oil and gas industry.
A blueprint for boards and corporate officers
Cyber attacks targeting organizations in the oil and gas industry (and the rest of the energy sector) are a daily occurrence, though they seldom lead to high-profile outcomes and real-world effects like the recent Colonial Pipeline attack.
“Cybersecurity in the oil and gas sector is inherently challenging due to the complexity of running a vast organization with different businesses, assets and personnel located all over the world, as well as working with a complex supply chain of customers and suppliers,” WEF notes.
“In many cases, companies face challenges with internal cyber hygiene as systems are interconnected but responsibility is siloed or shared across many partners with diverse priorities. Companies also face challenges with aligning IT and OT departments, managing interoperability with proprietary technologies and engaging with trusted third parties so that every connected device – from wellhead to corporate computer – is protected.”
The white paper outlines principles that will help board directors govern risk and help corporate officers and other leaders strengthen their organization’s cybersecurity posture with recommended activities.
Aside from 10 general cyber-resilience principles, the blueprint points out six additional ones specific to the oil and gas industry: cyber-resilience governance, resilience by design, corporate responsibility for cyber resilience, holistic risk-management approach, ecosystem-wide collaboration, and ecosystem-wide cyber-resilience plans.
Each of these principles is defined and accompanied by examples of how some of the participating businesses have implemented or are implementing it.
In addition, the paper explains how to operationalize the principles.
“Establishing and aligning cybersecurity practices across the industry enhances our collective resilience efforts and allows us to present a united front against cybercrime and other critical security threats,” commented Basim Al-Ruwaii, Chief Information Security Officer at Saudi Aramco and a contributor to the paper.