A robust cybersecurity culture is critical to the energy industry's resilience. Here's why

Imagine a cyberattack knocks out a major North American pipeline supplying the east coast of the US during one of the busiest commercial weeks of the year. Or, hackers gain access to gas distribution systems during one of the coldest snaps in Western Europe in recorded history, shutting down heat to about 100 million households. Or, cyber criminals penetrate an offshore rig’s computer system causing pressure sensors to malfunction, crippling production and risking a full evacuation.

Though these are all hypothetical worst-case scenarios batted around by crisis prevention teams, the more disturbing reality is that it’s not a matter of if any of these situations will come to pass – it’s when.

We are living in a time where digitalization is on an exponential growth curve. And as digital platforms connect an ever-expanding virtual network of households, vehicles, offices, factories, energy grids and oil rigs, we see an increasing number of attack attempts like these.

While online attacks are nothing new, what is different now is the scale of the risk and impact, which is directly related to the scale of digital connectivity and the massive ecosystem changes resulting from digitalization, decentralization and energy transition. Our cyber adversaries are more agile and sophisticated in their abilities to wreak great havoc from a distance with little to no risk. This needs to change.

Before we can move the needle on these challenges, we need to first ask ourselves some important questions.

The threat and risk landscape in heavy asset industries, in particular in the oil and gas industry, is developing at the speed of light with increased complexity, compounded by a reduction in situational awareness.

Barring any action on our parts, we will very soon be left with little choice but to try to close the gaps and play from a position of weakness. Rather than proactively mitigating vulnerabilities and pre-empting attacks, we will react defensively. There are existing opportunities and strengths inherent to industries which can prevent this outcome, and we still have time to take full advantage of them.

The first category of strengths and opportunities lies in the centuries of experience industrial companies have as operators of high profile, high value, physically complex assets, and knowing how to keep such infrastructure physically safe and secure.

This knowledge and experience is baked into the industrial DNA and spans the entire ecosystem. It will continue to play an important role as a springboard to industrial cybersecurity, but alone it is not enough.

The defences needed for tomorrow must combine industrial knowledge with the power of digital capabilities.

If an organization already has the industrial experience in securing massive physical assets, along with ground-breaking digital platforms, security software, and teams of technology experts, what else can they do be cyber resilient?

Wars, including this new kind of cyber war, are not won with brilliant military strategists, the best trained soldiers and most experienced special ops personnel alone. To win, you need secure supply lines, the best intelligence operations, committed allies, and informed and engaged citizens.

Thus, establishing a diverse, vibrant, sustainability-minded, security and safety-first culture is critical not only to building cyber resilience, but also enabling industry’s digitalization. Running relevant, up to date, and engaging awareness programmes builds robust defensive layers. Culture and awareness efforts should not be perceived as small nor simple. They might very well be what tips the scale in our favour.

The increasing nature of culture and awareness can help us today, and more importantly, create necessary organizational capabilities for tomorrow. We need to prepare the board of directors to treat the new risk landscape as its bottom line. We need to equip the domain experts and frontline remote workers with a deeper understanding of the new hybrid reality and associated risks that our industries now operate in, along with its ever-changing stakeholders and dependencies.

This isn’t a simple undertaking, but as the old wartime adage goes, “The more you sweat in peace, the less you bleed in war.”

We need to do the hard work to build a culture where all the layers are working together, sharing knowledge and information. We need to transform our security function from a central, poorly scalable one to a distributed defensive structure, primed to support and protect people, environment, and assets.

There is a growing understanding of the massive changes that are in motion and the systemic risks that follow. The new risk landscape will require a different approach to security and safety, a more holistic and integrated approach tailored to the challenges at hand.

The World Economic Forum has invited some of the leading experts and companies to work on how to address our challenges and identify our opportunities. The white paper, Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers, aims to set the stage through the definition of principles, use of real-life examples, and last but not least implementation guidelines.

The success of any such work is dependent on organizational adoption, and the width, breadth and sustainability of the safety and security programmes.

In the future, and in order to play from a position of strength, it will be of critical importance that industry leaders take the opportunity now and use it to set clear expectations and goals for the security and safety of the digital industrial future.

A sustainable future powered by data and algorithms, informed by centuries of industrial knowledge and built on a strong culture of safety, the environment and critical assets. A future where sharing of knowledge and competency is used to build culture and increased resilience.