IoT brings huge operational advantages but the associated cyber risks need to be carefully managed

The oil and gas industry is one of the hardest hit as a result of the COVID-19 pandemic.  Consequently many of the majors are going through significant restructuring and will place greater reliance on technology to deliver efficiencies throughout the value chain.  As new, Internet-enabled technologies emerge to help address the operating challenges in complex geopolitical and physical environments oil and gas companies must consider carefully the emerging risk of significant cybersecurity breaches.  A short term breach or a sustained incident could cause material monetary, reputational, and operational damage.   

A breach on a connected device could allow hackers to steal data, disrupt operations, and impact production. Seasoned adversaries will often seek entry on an unsecured connected device in order to expand their access to sensitive databases and file structures in other locations. Popular IoT device developers claim that the security protocols that their hardware utilizes are fully secure and, in some instances, “future proof”. In reality, without adequate security practices in place to support their use, these devices may actually be easy to compromise.

It is likely that many organizations have not adequately quantified the risk resulting from their growing reliance on IoT (Internet of Things) devices. Data breaches are in the news far too often, and companies are suffering major impacts to their stock value, reputation, or operating earnings as a result. These impacts are particularly acute in industries that require an always-on, always-functioning infrastructure, where any disruption can cost hundreds of thousands, if not millions, of dollars per incident.

What can organizations do to mitigate the risk stemming from this growing reliance on IoT devices?  As technological capabilities evolve to more fully automated monitoring of operating conditions and to more advanced analytics and machine learning capabilities, security programs must also mature and enforce the concept of “security by design.”  IoT devices supporting communication and storage facilities should have appropriate security layers in place. Sensitive data must be segmented from less secure networks, and any transmission of data over any network should be end-to-end encrypted. Security can’t be locked into the firmware, future-proofing requires upgradeable measures to address currently inconceivable new threats. Additionally, ongoing, real-time monitoring and automated incident alerting on IoT devices can enable timely response to any suspected compromise. Proper security testing, mimicking real-world scenarios, must include assurances that IoT devices and their supporting infrastructure are regularly scanned for vulnerabilities and upgraded when necessary. All these defensive measures need to be defined and documented, while driven by a security policy that aligns to both business and security objectives of the organization.