An integrated approach to combat cyber risk
Securing industrial operations in oil and gas
Critical infrastructure relies on industrial control systems (ICS) to maintain safe and reliable operations. Making operational processes secure, vigilant, and resilient is a challenge and requires oil and gas companies to harmonize and align two cultures: engineering and IT.
An integrated approach to combat cyber risk: Securing industrial operations in oil and gas
The oil and gas industry is making its way to the next level of digital evolution, embracing and integrating robotics, digitization, and the Internet of Things (IoT) into the operational environment. This has led to new opportunities to improve productivity and drive down costs. However, the convergence of operational and business systems has also opened companies up to a whole new array of cyber risks.
This report shares the insight gained from our extensive field experience, including lessons learned in helping oil and gas companies to go beyond safety in securing their ICS. This report examines how cyber threats impact the oil and gas value chain.
Protecting the connected barrels: Cybersecurity for upstream oil and gas
Oil and gas might not seem like an industry that hackers would target. But they do—and the cybersecurity risks rise with every new data-based link between rigs, refineries, and headquarters. In an increasingly connected world, how can upstream oil and gas companies protect themselves?
Refining at risk: Securing downstream assets from cybersecurity threats
Pipelines, refineries, and tank farms all rely heavily on industrial control systems to maintain smooth, safe operations. This combination of engineering and IT makes the downstream industry vulnerable to cyber threats. What can downstream companies do to create a more secure, vigilant, and resilient enterprise?
The third report in our oil and gas cyber security series: Refining at risk
Cyberattacks and ICS
Engineers have successfully designed and deployed ICS with safety and reliability in mind, but not always security. Why? Originally, there was little need for it. Fit-for-purpose, isolated operational systems were the order of the day.
Since these operational systems were not integrated with enterprise systems or even with each other, the risk of a large-scale cascading failure due to an attack, cyber or otherwise, was extremely limited.
Fast forward 20 years, and the ubiquitous connectivity of the IoT has turned the most basic assumptions about operational security upside down. Today, all sorts of industrial facilities, including oil fields, pipelines, and refineries, are vulnerable to cyberattacks. Regardless of their location, operational systems can now be compromised by external or internal risks, causing safety or production failures and increasing commercial risk.
Although ICS are typically designed to fail safe, the increasing sophistication of cyber criminals heightens the risk of catastrophic incidents, along with the magnitude of the impacts in terms of cost, safety, reputation, and commercial or financial losses.
While the industry has escaped a major operational catastrophe thus far, this good fortune may not last unless companies expand their cyber security programs.
Improving cyber security
Like other industries, the oil and gas sector has been working to improve cyber security, which is a priority concern among senior leadership and boards of directors.
To date, oil and gas companies have been primarily focused on protecting corporate, as opposed to operational, systems and data. That’s because IoT (where production can be controlled from an iPad or a smartphone, for instance) is relatively new, having gained momentum over the last decade. Also, operational systems are inherently different, requiring engineering know-how, and not just IT expertise, in order to secure them appropriately.
Today, an approach that brings together IT and engineering is needed to address cyber security programmatically and sustainably.