  • The scale and impact of cyber attacks are rising exponentially due to an expanding network of digital platforms.
  • Without adequate preventative strategies, the energy industry is vulnerable to future threats.
  • A new playbook from the World Economic Forum defines a set of industry guidelines to enable a sustainable, resilient digital future.

Imagine a cyberattack knocks out a major North American pipeline supplying the east coast of the US during one of the busiest commercial weeks of the year. Or, hackers gain access to gas distribution systems during one of the coldest snaps in Western Europe in recorded history, shutting down heat to about 100 million households. Or, cyber criminals penetrate an offshore rig’s computer system causing pressure sensors to malfunction, crippling production and risking a full evacuation.

Though these are all hypothetical worst-case scenarios batted around by crisis prevention teams, the more disturbing reality is that it’s not a matter of if any of these situations will come to pass, but when.

We are living in a time where digitalization is on an exponential growth curve. And as digital platforms connect an ever-expanding virtual network of households, vehicles, offices, factories, energy grids and oil rigs, we see an increasing number of attack attempts like these.

While online attacks are nothing new, what is different now is the scale of the risk and impact, which is directly related to the scale of digital connectivity and the massive ecosystem changes resulting from digitalization, decentralization and energy transition. Our cyber adversaries are more agile and sophisticated in their abilities to wreak great havoc from a distance with little to no risk. This needs to change.

Before we can move the needle on these challenges, we need to first ask ourselves some important questions.

  • Do we have the understanding, the digital resilience and the general wherewithal to employ a systematic approach to the new threat and risk landscape across our companies and institutions?
  • What will it take to fight from a place of strength?

How to avoid playing defensively

The threat and risk landscape in heavy asset industries, in particular in the oil and gas industry, is developing at the speed of light with increased complexity, compounded by a reduction in situational awareness.

Barring any action on our part, we will very soon be left with little choice but to try to close the gaps and play from a position of weakness. Rather than proactively mitigating vulnerabilities and pre-empting attacks, we will react defensively. There are existing opportunities and strengths inherent to industries which can prevent this outcome, and we still have time to take full advantage of them.

As one of the world’s most sophisticated and complex industries makes a multifaceted transition – from analogue to digital, centralized to distributed and fossil-based to low-carbon – managing cyber risk and preventing cyberthreats are quickly becoming critical to company value chains.

—Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers White Paper, World Economic Forum, 2021.

A century of experience deployed at the speed of light

The first category of strengths and opportunities lies in the centuries of experience industrial companies have as operators of high profile, high value, physically complex assets, and knowing how to keep such infrastructure physically safe and secure.

This knowledge and experience is baked into the industrial DNA and spans the entire ecosystem. It will continue to play an important role as a springboard to industrial cybersecurity, but alone it is not enough.

The defences needed for tomorrow must combine industrial knowledge with the power of digital capabilities.

"The more you sweat in peace, the less you bleed in war"

If an organization already has the industrial experience in securing massive physical assets, along with ground-breaking digital platforms, security software, and teams of technology experts, what else can it do to be cyber resilient?

Wars, including this new kind of cyber war, are not won with brilliant military strategists, the best trained soldiers and most experienced special ops personnel alone. To win, you need secure supply lines, the best intelligence operations, committed allies, and informed and engaged citizens.

Thus, establishing a diverse, vibrant, sustainability-minded, security and safety-first culture is critical not only to building cyber resilience, but also to enabling industry’s digitalization. Running relevant, up-to-date, and engaging awareness programmes builds robust defensive layers. Culture and awareness efforts should not be perceived as small or simple. They might very well be what tips the scale in our favour.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure digital peace and security and encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and to refrain from doing harm.

The increasing nature of culture and awareness can help us today, and more importantly, create necessary organizational capabilities for tomorrow. We need to prepare the board of directors to treat the new risk landscape as its bottom line. We need to equip the domain experts and frontline remote workers with a deeper understanding of the new hybrid reality and associated risks that our industries now operate in, along with its ever-changing stakeholders and dependencies.

This isn’t a simple undertaking, but as the old wartime adage goes, “The more you sweat in peace, the less you bleed in war.”

We need to do the hard work to build a culture where all the layers are working together, sharing knowledge and information. We need to transform our security function from a central, poorly scalable one to a distributed defensive structure, primed to support and protect people, environment, and assets.

Building a resilient future

There is a growing understanding of the massive changes that are in motion and the systemic risks that follow. The new risk landscape will require a different approach to security and safety, a more holistic and integrated approach tailored to the challenges at hand.

The World Economic Forum has invited some of the leading experts and companies to work on how to address our challenges and identify our opportunities. The white paper, Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers, aims to set the stage through the definition of principles, use of real-life examples, and, last but not least, implementation guidelines.

The success of any such work is dependent on organizational adoption, and the width, breadth and sustainability of the safety and security programmes.

In the future, and in order to play from a position of strength, it will be of critical importance that industry leaders take the opportunity now and use it to set clear expectations and goals for the security and safety of the digital industrial future.

A sustainable future powered by data and algorithms, informed by centuries of industrial knowledge and built on a strong culture of safety, the environment and critical assets. A future where sharing of knowledge and competency is used to build culture and increased resilience.