What are the dangers to the downstream sector from cyberattacks?
There are many, but the introduction of connected technologies (Industrial IoT) is one of the biggest challenges the industry faces when it comes to cyberattack vectors. Just like other industrial sectors, the downstream oil and gas sector relies on industrial control systems to maintain safe and reliable operations. Traditionally these systems have been kept on a separate physical network and operated in relative isolation from IT systems and infrastructure. However, this is changing. As more connected endpoint devices such as smart sensors, analytics and other types of IIoT solutions are being deployed, the need to access real time data and to interconnect facilities increases and thus the potential for cyber infiltration rises exponentially, potentially placing the entire supply chain at risk.

How prepared and aware is downstream sector of the challenges?
Currently the sector is probably less mature then it should be, when it comes to addressing the challenges of cyberthreats. The reason being that originally there was very little need for it. Purpose-build and isolated ICS systems were the order of the day. And since these ICS systems were not integrated to IT systems or even to each other, the risk of a large‐scale cascading failure due to a cyberattack was extremely low. But the convergence of OT and IT systems has turned these assumptions about operational security upside down. And because of the differences between IT and OT management structures there is today a very limited amount of cybersecurity expertise inside the downstream sector.      

What does the sector need to do to ensure its security?
As risks grow, each company will need to adapt its own IT/OT convergence strategy. They will need to take proactive steps to create and implement a customized program tailored to their environment. This program should include key elements such as cybersecurity awareness training, access control management, network security and segmentation as well as incident response policies and procedures. It is also important to specify ownership of ICS security roles and responsibilities Ultimately, there must be a single line of accountability for everyone involved, from managers to process operators to third parties.

What are the best technologies available on the market?
There is no silver bullet - meaning you’ll need a multitude of technologies, depending on the environment, to create a proper cybersecurity solution. One thing to keep in mind is that security solutions/products that have been designed to work in an IT enterprise environment may not be well suited for use in an OT environment. It is therefore important that the downstream sector works with focuses on technologies and solutions that has a background in critical infrastructure. For instance, military and defense.

Are there enough skilled workers to implement and manage a cybersecurity policy?
No. Due to the growing cybersecurity skills gap facing the entire computing industry, the downstream sector is experiencing a lack of security expertise inside organisations. Not only within their own in-house staff, but also with the third-party vendors they outsource their services to. Another issue facing the downstream sector, is that the available security professionals have very little experience with OT environments, which could lead to security problems from the different priorities and cultural values encountered in the IT and OT spheres. IT is dynamic, and OT is deterministic.

How do you see the cyber security landscape changing for the sector over the coming years?
There is no doubt that with the continued digitisation of operational processes in the downstream sector, and as the implementation of more and more connected systems (IIoT) increases, so does the frequency and sophistication of cyberattacks. As the convergence of IT and OT systems evolve so does the need to apply updates, i.e., software updates and software patches. Convergence of itself is not the problem, the profound different priorities between IT and OT are.

What advice would you give to downstream companies looking to improve cybersecurity?
Start by assessing the maturity of your current cybersecurity control environment. The strategies of the IT and OT departments need to be aligned. Responsibilities need to be clarified and there needs to be common and overlapping goals and targets, which will force the departments to work together. This is not a process that will happen overnight, It is a cultural shift that requires time, effort and a progressive plan. It is my experience that complexity is the adversary of security and that management should look towards solutions that minimises room for human error.

Michael Appleby will be talking about why cybersecurity is the backbone of digital transformation at Future Downstream conference in London on 4 December.