Cybersecurity

Keeping up with Hackers: What CEOs Lose Sleep Over

A new survey shows oil and gas CEOs are most worried about cybersecurity and the speed of technological change.

jpt-2017-06-pwcsurvey-hero.jpg
Getty Images

When we asked oil and gas CEOs about their biggest causes for concern in today’s environment, the results in our annual CEO Survey of Oil & Gas Companies shows a significant shift from the typical concerns over geopolitical uncertainty and over-regulation that we have seen in the past 5 years. According to PwC’s 20th CEO Survey, two interrelated threats keeping leaders up at night are the speed of technological change and growing cyber threats.

jpt-2017-06-pwcsurvey-fig1-1.jpg

 

This underlines similar findings from a 2017 report sponsored by Siemens on The State of Cybersecurity in the Oil & Gas Industry, which found that “the deployment of cybersecurity measures in the industry isn’t keeping pace with the growth of digitalization in oil and gas operations.” Consequentially, 68% of the survey’s 377 cyber risk individuals claimed to have had at least one security compromise in the past year.

Speed of Technological Change

Just 30 years ago, no one owned a personal computer. Today, nearly two-thirds of Americans own a smartphone, according to a 2015 report by Pew Research Center. The evolution of technology over the span of just a few decades has been exponential, and keeping up with this pace can be a daunting task, making it difficult for oil and gas executives to predict what is coming next or make long-term commitments and decisions.

The industry downturn at the end of 2014 forced oil and gas companies to adapt to lower oil prices, and for many, this meant using more automated technology and making better use of data and analytics to drive down costs. Since 2014, the industry has also looked to the internet of things (IOT), big data, artificial intelligence, edge computing, and even blockchain technology to explore new ways of connecting man with machine, streamlining and automating processes, and ultimately establishing a new, lower, break-even cost—one based on maximizing efficiencies across the entire energy value chain. While some technology is still in its infancy, oil and gas CEOs are bearing the pressure of digital change, as they look to move as fast as a start-up, but with the stability of a Fortune 500 company.

The CEO survey also revealed that 18% of respondents prioritize strengthening innovation in order to capitalize on new opportunities and remain competitive. This means executives are paying more attention to how much money is invested in R&D projects and what kind of skills and talent will be needed to support these investments. While technology is a key catalyst for innovation, 64% of oil and gas CEOs are worried about skills shortages, especially as they relate to protecting intellectual property (IP) for new technologies from cyber-attacks.  

Cyber Threats

Cyber threats continue to play into CEO nightmares, and with good reason, as the rate of cyber-attacks has increased across the globe with some targeting the energy industry. February 2016, we learned of weaknesses in our own government agencies, when 10,000 U.S. Department of Homeland Security employees and 20,000 FBI employees had their contact information stolen. And most recently, in May 2017, an unprecedented ransomware hack, dubbed WannaCry, affected more than 200,000 victims in 150 countries.

Oil and gas companies are particularly vulnerable to environmental hacktivists that could attack critical infrastructure to inflict damage on key assets. These attacks could be aimed at disrupting drilling and oil production processes and safety controls to cause a hazardous spill or gas leak, or a power outage that disables systems needed for monitoring, measuring and controlling temperature or pressure levels. Hackers targeting oil and gas companies could also be profit-motivated, seeking to exploit and extort energy companies through ransomware attacks, competitively-motivated, seeking to steal trade secrets or other critical IP, or politically-motivated, seeking to use cyberattacks to manipulate relations between a country and its foreign energy producers and investors.

Cyber attacks can pose a risk for energy companies in terms of safety issues and stolen proprietary data, but the biggest motivator for oil and gas CEOs to make cyber security a priority still comes down to the bottom line. In a 2016 report on the Cost of Cyber Crime in which the Ponemon Institute analyzed 237 public and private U.S. organizations, researchers found that the US ranks highest against other nations in its cost of cybercrime, at an annual average of USD 17.36 million per company. That’s an amount we cannot ignore.

Threat Management

In order to make use of this freely flowing knowledge and best practices, oil and gas CEOs will need to ensure they have the right people with the right expertise in place to effectively execute cybersecurity programs. This means hiring talent with expertise in four key areas:

  1. Ingesting and surfacing meaningful, validated intelligence in real time.
  2. Assessing the organizational impact of that intelligence.
  3. Identifying actions to mitigate threats.
  4. Taking prompt technical, legal and operational action.

These four distinct skill sets require no small sum of technical expertise and resources. As such, oil and gas organizations will need deep cybersecurity expertise as well as a multidisciplinary team that includes stakeholders from IT, legal counsel, risk, privacy and business units. This team would be responsible for creating custom processes to integrate activities across systems and the enterprise.
Along with these talent and team structure considerations, oil and gas companies should also aim to adopt a digital-first approach to their business models. For example, cloud computing services are foundational to the integration and management of the many moving parts of a threat-management program. They can deliver computational power to monitor and analyze all digital interactions, as well as create a unified repository of information to generate actionable intelligence in real time.

Yet, a cloud-centric solution may not be the best choice for all energy companies. Some may opt to implement an on-site threat-management solution at the rig-level, where the E&P company owns the on-site solutions and can fully customize and integrate systems to accommodate individual business needs, or better protect proprietary drilling and production data by storing it on servers in house.

Whether in the cloud or on-site, an integrated threat-intelligence and information-sharing platform can be a great unknown for even the most cyber savvy of executives. However, the need for operational efficiency, coupled with maturing technologies, represents an inflection point for disruption, where the traction of technology trends in analytics, robotics, sensors and control systems offer companies the opportunity to accelerate field automation in a pervasive manner. It should come as no surprise, then, that oil and gas CEOs are concerned about keeping up with this pace of technological change to stay competitive and profitable, and simultaneously protecting their innovations along the way.

To overcome these fears, oil and gas CEOs must shift their forward-thinking perspective from linear to exponential, to better factor in the speed of exponential changes in technology, take a digital-first approach to their business models, and bring on more talent with the skills and expertise to proactively monitor for cyber threats, identify compromises, and quickly respond to incidents. Together, these capabilities will allow energy companies to build their competitive advantages in a safer, more secure environment—one that gives CEOs better peace of mind for pushing the boundaries of innovation without comprising the company’s proprietary data or reputation.