Documente Academic
Documente Profesional
Documente Cultură
ASSESSING THE
CYBER READINESS
of the Middle East’s Oil and
Gas Sector
www.siemens.com/middleeast
101
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
Contents
Foreword 04 – 05
Conclusion 32 – 33
Methodology 34–35
1
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
SIEMENS
PO NE MON CYBE R S E CUR I T Y
INS TITUTE P R ACT I CE
The Ponemon Institute conducts consulting to private and public Given that the probability of a This agility is essential to dealing
independent research on privacy, sector organizations interested in cyber attack for any company is effectively with the growing
data protection and information establishing or enhancing their nearly 100 percent, the question cyber threat. Those organizations
security policy. Our goal is to enable privacy, data protection, and security becomes not whether to act, that move proactively to build
organizations in both the private practices. To ensure that their goals but how? Holistic cyber security their capability to detect and
and public sectors to have a clearer are achieved, organizations engage emphasizes not only how to respond will be best positioned
understanding of the trends in us to assess their practices and prevent but also respond to an to meet this challenge. For
practices, perceptions and potential conduct workshops and training attack. Siemens, cyber security is an
threats that will affect the collection, programs.
essential component of our vision
At Siemens, we take our for digitalization and intelligent
management and safeguarding
customers on a cyber security infrastructure.
of personal and confidential Ponemon Institute is the parent
journey that brings maturity to
information about individuals and organization of the Responsible
their cyber enterprise. This means Over the last ten years, we have
organizations. Ponemon Institute Information Management (RIM)
starting with a risk-based strategy invested over $10 billion to make
research informs organizations on Council. The RIM Council draws
that deals in fundamentals, digitalization a core part of our
how to improve upon their data its name from the practice
transforms an organization’s own business transformation.
protection initiatives and enhance of Responsible Information response to the environment, Now we are making this
their brand and reputation as a Management, an ethics-based and most importantly, builds internal cyber capability and its
trusted enterprise. framework and long-term strategy their capacity to monitor and complementary external offerings
for managing personal and sensitive respond, from the oilfields to the available to our customers.
In addition to our research, employee, customer and business control centers to the enterprise
Ponemon Institute provides strategic information. networks.
2 3
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
FOREWORD
Until recently, most cyber attacks have targeted the Information Technology especially in the oil and gas sector, the target of 50 percent of all cyber attacks
(IT) environments, comprised of PCs, work stations, and mobile devices. As in the region, is more significant than in other parts of the world: greater
the process of digitalization has accelerated, so too has the convergence of frequency relative to return on investment (ROW), more expensive relative to
IT and operational technology (OT) connectivity. This provides a wide range ROW and with greater downtime.
of benefits that enable organizations to optimize processes, capture cost
savings and turn data into value. At the same time, connectivity has also To their credit, organizations in the region have been early enthusiasts
created a larger cyber “attack surface” that is harder than ever to secure. for digitalization, ahead of many others in the world in recognizing the
unprecedented business value. They have also recognized the greater cyber
Attackers have identified this convergence of IT and OT as a key opportunity risk associated with greater connectivity. Oil and gas companies in the region
to penetrate an organization. As a result, an emerging trend of cyber attacks are beginning to invest in protecting their assets from cyber intrusions, while
is designed to disrupt physical devices or processes used in operations. lagging behind in terms of awareness and the rate of deploying technology
that can protect their operating environment. In the government sphere,
regulations intended to address the OT cyber threat are being rolled out,
In fact, OT now comprises an estimated
though, admittedly, these are mostly at an early stage.
These trends - accelerating digitalization, the convergence of IT and OT, more Leo Simonovich, Gianluigi Di Giovanni,
frequent, sophisticated cyber attacks, and an energy sector in the crosshairs Vice President and Chief Executive Officer,
– led Siemens, in conjunction with the Ponemon Institute, to delve more Global Head Power Generation Services,
deeply into the cyber readiness of the oil and gas industry in the Middle East. Industrial Cyber and Digital Middle East and North Africa,
Security, Siemens Energy Siemens
The impact of these cyber intrusions against OT assets in the Middle East,
4 5
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
EXECUTIVE
SUMMARY
This report is the result of the second collaboration between Siemens
and the Ponemon Institute. It consists of a survey of 176 individuals in of respondents say the top cyber security threat is
68% the negligent or careless insider.
the Middle East responsible for securing or overseeing cyber risk.
Among the findings from these respondents in the Middle East and discussed
in this report:
of Middle East respondents said that outdated and ageing
42%
of respondents believe they face a greater risk in the control systems pose a serious risk to their organizations.
60% OT than in the IT environment.
of organizations have suffered at least one security respondents say they continually monitor all infrastructures
47% to prioritize threats and attacks.
75% compromise that resulted in the loss of confidential
information or disruption to operations in the OT
environment over the past 12 months.
The process of digitalization is creating benefits for oil and gas companies
(e.g., greater efficiencies, operational insights) but also generating
43% thought they had the internal expertise necessary to
manage cyber threats in the OT environment.
6 7
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
1
Introduction
8 9
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
Systems running older technologies are hard to patch due to their continual
TO INCREASE OUR utilization and integration into wider production chains. The unique features
UNDERSTANDING OF THE OT of OT underscore the importance of purpose-built, multi-vendor solutions in
the operating environment.
CYBER L ANDSCAPE, THIS REPORT
FOCUSES ON: The operating model of some oil and gas organizations in the region often
serves to introduce additional OT cyber risk. We have seen joint ventures
between national and international oil companies with an absence of clear
OT CYBER RISK TODAY ownership of OT cyber risk. This disconnect – between operations and OT
First, we will look at the current OT cyber risk landscape for oil and cyber – can expose dangerous gaps in cyber asset management and detection,
gas companies in the Middle East. This section will provide insights and severely hamper cyber teams attempting to secure the environment.
into the types of risks companies face, where they are most
vulnerable, and the impacts associated with OT cyber risk.
Exploratory information is the area most vulnerable in the oil and gas
value chain to a cyber attack.
READINESS TO ADDRESS THE OT
When asked to identify the areas of greatest risk,
CYBER CHALLENGE
Second, we will evaluate these organizations’ readiness to secure
their operating environments and capture the full benefits of of respondents say say it is production
79% it is exploratory 62% information.
digitalization. information
CHALLENGE
Lastly, we will analyze the survey results to identify the best path
forward for oil and gas companies. Specifically, we will delve into 61% 54% 48% 53% 41%
the strategies, technologies and policies best-suited to help secure
the entire operating environment.
potential financial and operational details on and field
partners and organizational information drilling sites production
acquisition reports information
OT cyber security presents unique challenges to oil and gas targets from sensors
organizations that are different from traditional IT security concerns.
10 11
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
THE OT CYBER
RISK TODAY
Oil and Gas OT environments face significant and mounting cyber There are the critical differences between Operational Technology (OT)
security risk. and Information Technology (IT)
Sixty percent of respondents believe they face a greater risk in the OT than
in the IT environment. Sixty-seven percent of respondents believe the risk
IT OT
INFORMATION OPERATIONAL
level to industrial control systems over the past few years has substantially TECHNOLOGY TECHNOLOGY
increased because of cyber threats.
These perceptions are, in fact, borne out in reality. A heightened risk 10-20 years &
3-5 years
Component legacy systems
environment is being driven by: lifetime
Impact to production,
Loss of data Key health, safety &
concerns environment
INTENSE GEOPOLITICAL COMPETITION
Intense geopolitical competition and aggressive nation-state
actors actively targeting OT in the oil and gas industry Fault tolerance
Recover by reboot Recovery essential
ability
TAILORED MALWARE
The emergence of tailored malware designed to specifically Continuous Intermittent
impact OT Connectivity
12 13
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
CYBER BREACHES
IN THE OT
ENVIRONMENT ARE
WIDESPREAD AND
REGUL ARLY GO
UNDETECTED
of organizations have suffered at least
one security compromise that resulted
75%
in the loss of confidential information
or disruption to operations in the OT
environment over the past 12 months.
14 15
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
This survey highlights the close linkage between digitalization and cyber The prevalence of insider threat risk shows that traditional
security for the oil and gas sector. In order for organizations to capture strategies of “air-gapping” networks are not an adequate
the full benefits of digitalization, it is essential that they rigorously security measure.
address the OT cyber risk.
This approach cannot, for example, prevent the introduction
of compromised transient assets like USB sticks. Instead of
attempting to air-gap networks that cannot ever be truly
Insider threat is viewed as the top threat to OT cyber security.
isolated, organizations can strengthen their cyber defences
by looking to gain visibility into their entire operating
of respondents say the top cyber security threat is the
68% environment. This asset transparency is especially critical
negligent or careless insider
with remote sites like offshore platforms and wellheads.
16 17
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
W H AT R E S P O N D E N T S S AY
01 06
The majority of respondents believe Less than half the respondents say they
that the OT environment is at greater continually monitor all infrastructure to
risk of a cyber attack than that of IT. prioritize threats and attacks.
02
Respondents attribute the cyber risk their
Exploration data is most vulnerable to a cyber attack in
07
organizations face to uncertainty about the cyber
the oil and gas value chain, according to the majority
security practices of third parties in the supply chain
of respondents, followed by potential partners and
and the difficulty in mitigating cyber risks across the
acquisition targets, and product information.
oil and gas value chain.
08
HIGHLIGHTS
Respondents believe the primary reason their
03 Only one in three say their organizations’ organizations are at risk is a lack of cyber security
industrial control systems protection and security awareness and training among employees. Other
are adequate. important factors perceived are a limited cyber security
culture among vendors, suppliers and contractors, and the
04
Three out of four say their organizations have suffered use of standard IT products with known vulnerabilities in
a security compromise that resulted in the loss of the production environment.
confidential information or disruption of operations in the
OT environment in the past year. On average, respondents While acknowledging that digitalization
09
believe half of all cyber attacks in the OT brings benefits, it also generates greater
environment go undetected. cyber risk, according to two thirds of
respondents.
05 Two-thirds say the primary cyber
security threat they face is the negligent
Two in three say security analytics are 10
or careless insider.
essential or very important to achieving
a strong security posture.
18 19
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
2
Readiness to
address the OT
cyber challenge
20 21
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
protect what they have not identified. This lack of visibility is compounded
BEST PRACTICE IN by the reality of multi-vendor environments, full of legacy assets, that have
CYBER SECURIT Y often grown over time without a clear plan to secure them.
Our study finds that oil and gas organizations in the Middle East recognize INDUSTRY NEEDS TO KEEP UP
the growing OT cyber threat, as well as the imperative to strengthen their Despite awareness of rising OT cyber risk, budgets for OT cyber services
cyber readiness. In fact, Middle East organizations have already begun to take and solutions have not kept up with the threat.
critical steps to improve their OT cyber security preparedness. Specifically, oil Oil and gas organizations in the Middle East are today dedicating only a
and gas companies in the Middle East have undertaken crucial steps such as: third, on average, of their total cyber security budget to securing the OT
environment. Given the risk shift we are witnessing in oil and gas – from
the IT to the OT – this suggests that Middle East organizations are not
aligning their cyber investments with where they are most vulnerable. This
Creating dedicated, empowered OT Leveraging security analytics in order OT investment shortfall is all the more alarming as Middle Eastern oil and
security organizations, with a strong to enhance detection capabilities in gas organizations reported smaller average total (IT + OT) cyber budgets
mandate and reporting lines up to their production environments
than their global peers.
senior leadership
22 23
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
Many tasks critical to OT security have not been completed. Companies need experts that understand both cyber security and industrial
control systems, a combination that is hard to find. Fewer than half of
respondents (43 percent) thought they had the internal expertise necessary to
manage cyber threats in the OT environment and, as a result, are increasingly
of respondents say they continually monitor all
47% infrastructures to prioritize threats and attacks.
seeking out external support. In particular, significant talent gaps exist for:
cyber security.
24 25
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
3
Solutions to the OT
cyber challenge
CYBER RISKS TO YOUR ORGANIZATION
Many organizations seem to lack awareness around the
cyber risks to their organization.
While seventy five percent of respondents say their
organization experienced a cyber compromise, only 17
percent say it is very likely or likely their organization will
experience a successful cyber exploit over the next 12
months. This gap, between awareness and detection,
underscores the lack of internal OT cyber know-how, and
the limitations of deploying even the most cutting-edge
technology without the relevant OT expertise.
26 27
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
SOLUTIONS TO ACHIEVE
CYBER READINESS
While our study indicates that oil and gas organizations in the Middle East
MANY COMPANIES ARE NOT INVESTING IN
increasingly recognize the OT cyber challenge, there are fewer signs that
THE MOST EFFECTIVE OT CYBER TOOLS
they are adopting the most effective measures to address OT risk. Many have
not moved past approaches that no longer work in an era of digitalization. Only 39 percent plan to ensure hardened endpoints in the next 12
For example, too many organizations are still attempting to “air gap” their months, and only 20 percent will adopt analytics. The disconnect
operating environment, rather than using smart, secure connectivity to between establishing priorities and placing investments against those
gain transparency. Moving from the mentality of “dig a deeper moat” to priorities highlights the importance for having a rigorous, long-term OT
continuous asset visibility and intelligence is a foundational step in building cyber security strategy.
a robust OT security program. More broadly, we see six, key principles
underlying the most effective OT cyber programs:
MOST EFFECTIVE SECURITY TECHNOLOGIES
Respondents recognize and call for solutions to address insider threat,
1
aging control systems and secure connectivity.
Assign and empower dedicated
ownership for OT cyber Very effective and effective responses combined
2
Overcome the fear of connectivity Identity & access management 76%
and gain continuous visibility into Firewall/DS 67%
your OT assets
Encryption or or tokenization of data
3
65%
Secure control of your Patch management of OT 63%
operating environment all the
Encryption of data in motion 62%
way to the edge
4
Hardened end points / PLC 60%
Leverage analytics to make Multi -factor authentication 58%
smarter, faster decisions
Managed intrusion detection 58%
5
User behavior analytics (UBA) 55%
Demand purpose-built, OT
Public key infrastructure (PKI) 55%
cyber solutions
PLC intergrity / data monitoring 52%
6
Network security monitoring 51%
Partner with OT cyber experts
with real domain expertise Security events monitoring 50%
28 29
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
THE IMPORTANCE OF The majority of respondents believe security analytics technology is essential
or very important.
SECURIT Y ANALY TICS
How important is security analytics technology to achieving a
Security analytics are widely considered to be the most effective strong security?
technology in managing OT cyber risk.
2%
Irrelevant
63% 7%
of respondents say Not important
analytics are very
effective in mitigating
33%
cyber security risks. 27% Essential
62% Important
say hardened
endpoints are
very effective in
mitigating cyber
security risks.
31%
Very important
The survey data shows the importance of addressing the fundamentals
(e.g., hardening endpoints), as well as leveraging advanced technologies
(e.g., analytics) to secure the OT environment. Oil and gas companies can
also build on security analytics data to safeguard and optimize operational
processes. By combining data from the network, controls and asset layer,
organizations are enabled to reap important benefits around, for example,
process safety in refining.
30 31
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
CONCLUSION
Our study reveals that oil and gas companies in the Middle East are
aware of the growing OT cyber risk they face. They also increasingly
recognize the actions they must take to strengthen their defences.
They are investing more resources to develop the capabilities
required, including qualified staff, to close this OT cyber readiness
gap. These signs of leadership are welcome.
Taking the next step in this OT cyber security journey will require a
more holistic strategy. Organizations that adopt both a risk-based
and compliance-based approach to their OT security programs will
be those who close the cyber readiness gap soonest. Those who
show leadership in this challenge will look to leverage security
analytics backed by deep domain expertise. Mature OT cyber
programs will prioritize continuous visibility into their assets and
vulnerabilities, so that they can intelligently, effectively prioritize.
By ensuring asset transparency and rapid detection, organizations
can best manage OT cyber risk and unlock the broader benefits of
digitalization in the oil and gas industry.
32 33
2018 | Assessing cyber readiness of the Middle East’s oil & gas sector Assessing cyber readiness of the Middle East’s oil & gas sector | 2018
Methodology
176
individuals in the Middle East
The majority
of individuals Head of
process
22% surveyed report
17%
to the head of engineering
industrial control
systems
OT security IT security
15% leader 11% leader
34 35
Copyright of Siemens Middle East
Siemens LLC Building B-05
Masdar City
+971 2 616 5100