Safety, Integrity and Availability, are clear priority risk considerations associated with the Oil and Gas sector.
As such, the safety of people, the environment and Oil and Gas operational assets is typically ensured by a combination of mechanical and computerised (i.e., operational technology/industrial control systems) based controls. Combined they are expected to provide process control, safeguarding, dependable real-time data integrity and near-continuous availability to support business operations. With the continued prevalence of digitalisation, convergence and connectivity with popular mainstream technologies, these priority risk considerations are being exposed to a wider range of cyber threats.
With the above in mind and also adding increasing regulatory compliance scrutiny into the mix, it is now more apparent than ever that a structured OT cyber security risk management strategy/programme is in place to effectively manage risk.
Complex and high-impact cyber attacks which target operational industries, such as Oil and Gas, are increasing. Many types of OT cyber attacks are being seen, from malware attacks targeting control and safety systems, to ransomware locking companies out of their core IT systems resulting in operational process shutdowns.
In the context of an organisation with no or limited OT cyber security risk management, CNB Tel recommends a holistic approach when defining an effective OT cyber security risk management strategy/programme.
The first step in this journey is to understand risk and consequences to the organisation. At a basic level, this means identifying the most critical OT functions essential to fulfilling the organisation’s business operations, and the potential consequences of a cyber attack against them. The knowledge of an organisation’s system custodians and engineers should be leveraged to identify methods an adversary could use to compromise critical OT functions. This valuable knowledge includes technical system architecture details, procedural and ways of working insights, like logical user access, third-party service provider scope, supply chain considerations, physical security etc. Real-world cyber scenarios seen across industries should be considered, of course, not all will be applicable, but to ensure completeness and due diligence they should be considered.
The ultimate aim of this initial analysis is to identify and prioritise risks that result in high-consequence events for the organisation. It also provides a high-level snapshot of current risk exposure and whether this exposure is within or out of organisational risk appetite/tolerance. Any subsequent OT cyber security strategy/programme and risk mitigations should be aligned accordingly with this analysis to ensure tangible risk reduction that is outcome focused. This approach helps organisations justify OT cyber security improvements and the associated costs by being armed with better information and understanding of “What, Why and How?”
The second stage in the journey sees the definition and establishment of an overarching OT Cyber Security Framework (OT-CSF) that delivers formalised policies, procedures, datasets, work instructions and best practice guidance designed for OT cyber security risk management. The OT-CSF should be aligned accordingly with guidance provided within industry frameworks such as:
Operating an Oil and Gas asset without an appropriate OT cyber security strategy/programme and relevant controls is high risk. To help you discover your level of risk exposure and to illustrate how we can support effective OT cyber security return on investment, get in touch for a free 30-min consultation.
By producing quality and innovative products, this company has greatly contributed to the growth and development of the technology industry in Hong Kong and the Asian region. Also, this company has boosted Hong Kong's economy by creating job and investment opportunities.
All Rights Reserved By PowerTech©