PESA Allied Member PwC shared the overall state of cybersecurity for oil and gas companies. They focused on areas of weakness, global threats and recommended critical focus during a webinar for PESA members August 11.
Cybersecurity & Privacy Partners Harshul Joshi and Brad Bauch focused on understanding risks and identified actions to protect the security of this critical infrastructure.
Operational Technology vs. Information Technology
Operational technology (OT) is different than traditional information technologies (IT) as it involves physical devices, processes or assets, Joshi said. This includes production systems such as refineries and pipelines. Security of these systems is imperative. Where previously these systems were stand-alone facilities that didn’t communicate with others, they have become increasingly connected as companies actively manage their supply chains.
Joshi and Bauch said PwC is concerned with the availability and integrity of these increasingly connected systems. OT systems now act like IT systems with vulnerabilities that can be exploited by external parties, Joshi said.
As OT and IT systems become continue to integrate it’s important that each segment understand the other’s culture. In some cases, IT departments don’t fully realize the importance of the 24-hour, critical business impact of operations. Those in OT are having to learn about risks presented by increased connectivity, which is a byproduct of digitalization.
Boards and Cyber Resilience
Bauch emphasized that OT cybersecurity is of critical importance and is a board-level issue. Leadership needs to understand how a cybersecurity breach can disrupt the company, be aware of third-party risks and have a real-world view of the external landscape. Boards are challenging management to have risk-based discussions so it’s an important issue for executives to understand.
Joshi and Bauch both discussed the importance of improving and sustaining third-party risk management. This is especially true in the OFS sector where companies source from third-party companies or are a third party to customers through partnerships. Third-party security incidents have increased in recent years and have brought major players to a halt and damaged company reputations. Focusing on due diligence and monitoring for potential vulnerabilities is key.
Joshi and Bauch closed by recommending actions OFS companies could to protect the cybersecurity of their operational technologies. Primarily, organizations need to adopt proactive holistic security measures to manage cybersecurity risks. This includes focusing on third-party risk management. Enhancing resilience is crucial, and companies should stress test operations to improve response times and preparation for possible disruptions.
For more information on PESA’s ESG Committee contact PESA VP Government Affairs Tim Tarpley.LISTEN TO THE WEBINAR DOWNLOAD THE PRESENTATION