Global oil and gas CEOs vow collective action to build cyber resilience

May 30, 2022 by Energy Connects

The Cyber Resilience Pledge brings together companies such as Aramco, Aker BP, Dragos, Eni, Occidental Petroleum and Suncor.

Author: Chiranjib Sengupta, Editor

A global collective of 18 organisations from the oil and gas industry, including some of the world’s largest energy providers and industrial cybersecurity firms, has adopted a unified approach to mitigate growing cyber risks and pledged to promote cyber resilience.

The Cyber Resilience Pledge, announced during the World Economic Forum (WEF) in Davos, brings together companies such as Aramco, Aker BP, Dragos, Eni, Occidental Petroleum and Suncor, and aims to forge global approaches to boosting cyber resilience, adopting consensus-based principles and sharing cyber security lessons.

“First endorsed by key CEOs in the oil and gas value chain, the Cyber Resilience Pledge is a landmark step as it signals recognition of the complexities of building a cyber-resilient industry ecosystem and a commitment towards collective action to achieve it,” Alexander Klimburg, Head of Centre for Cybersecurity, World Economic Forum, said in a statement.

“The World Economic Forum Centre for Cybersecurity is proud to have led this effort in conjunction with our partners. We look forward to scaling the pledge to other industries in the future,” he added.

What was the need for the Cyber Resilience Pledge?

The initiative follows major security breaches across the oil and gas industry in the past two years that have highlighted the vulnerability of critical infrastructure, including cyberattacks on the Colonial Pipeline in the United States in May 2021 and on European oil facilities in February 2022 – which forced the facilities to operate at limited capacity, causing huge economic and social disruptions.

The companies that have taken the pledge so far are: Aker ASA, Aker BP, Aramco, Check Point Software Technologies, Claroty, Cognite, Dragos, Ecopetrol, Eni, EnQuest, Galp, Global Resilience Federation, Maire Tecnimont, Occidental Petroleum, OT-ISAC, Petronas, Repsol and Suncor.

“Cyber-attacks on industrial sectors are becoming more common, complex, and creative as critical infrastructure becomes increasingly networked and connected,” Trond Solberg, Managing Director, Cyber Security, DNV, told Energy Connects in a statement.

“Energy companies have been tackling IT security for several decades. However, securing operational technology (OT) – the computing and communications systems used to manage, monitor and control industrial operations – is a more recent and increasingly urgent challenge,” he added.

How has the oil and gas industry been affected by cyber attacks?

The World Economic Forum initiative puts the spotlight on the oil and gas industry becoming a major focus of ransomware criminals and nation-state threat actors looking to extort millions in ransomware payments as well as disrupt critical energy supplies.

“As the world deepens its digital footprint, cyber threats are becoming more sophisticated. But one company, working alone, is effectively like locking the front gate while leaving the back door wide open,” Amin H. Nasser, CEO of Saudi Aramco, said in a statement.

Companies must work together if they want to truly protect the critical energy infrastructure that billions of people around the world depend on, he added.

What is the average cost of a cybersecurity breach for energy companies?

According to a WEF survey, the average cost of a data breach incurred by organisations resulting from destructive cyberattacks stood at a staggering $4.62 million. The survey found that 87% of senior energy executives plan to improve cyber resilience in their organisations, while 41% believe cyber resilience is an established business priority. More than 13% of cyber leaders surveyed said that cyber resilience was integrated in their business strategy.

According to Solberg, as operational technology becomes more networked and connected to IT systems, attackers can more easily access control systems operating critical infrastructure.

“Life, property and the environment are at stake. It is now possible for attackers to disrupt energy supply in a power grid, shut down a wind farm, and ultimately disable the safety systems in pipelines, refineries or oil and gas platforms,” Solberg said.

How has digitalisation of the industry impacted the cybersecurity outlook?

An Ernst & Young study conducted in 2021 found that as the entire operating systems of oil and gas companies go online and connect seamlessly with the Internet of Things (IoT), their vulnerability and susceptibility to cyberattacks increase exponentially. Digitalisation must be simultaneously implemented with a robust cybersecurity framework, the study recommended.

“The oil and gas industry is going through a digital revolution that has been a catalyst to the energy transition and sustainability. Cyber resilience is key in this revolution, as staying ahead of vulnerabilities is fundamental to our business,” Felipe Bayón, CEO of Ecopetrol, told the WEF gathering.

“The pledge is a step further by developing a collective effort to embed cyber-resilience and a cyber-risk aware culture across the energy industry,” he added.

How has the energy industry responded to threats so far?

According to Solberg, DNV’s latest research on the state of cyber security in the energy industry revealed that the sector was waking up to the rapidly emerging cyber threat, but defensive action was lagging.

“The challenge with managing new industrial cyber security risks is that there is not enough best practice available to guide operators, manufacturers and regulatory authorities in building an effective force of defence against emerging threats – particularly for older industrial infrastructure that doesn’t have cyber security built into it by design,” he added.

Apart from mobilising global commitment towards strengthening cyber resilience across industry ecosystems, the WEF initiative will also help participating companies collaborate and take collective action on cyber resilience across their industry.
