Cyber risks haunt energy and natural resource sector

Imagine connected sensors that dispatch a repair crew to a fraying pipeline, laser ‘guard rails’ that prevent tanker trucks from backing off piers, and smart systems that prompt the power company to recharge your electric vehicle overnight. 

This sampling of operational technology hints at both the potential benefits — and the corresponding cyber security risks — that the fourth industrial revolution can bring to the Energy and Natural Resources (ENR) sector.

While it’s still early days in the adoption of embedded technology across the ENR landscape, now is the time for organisations and governments to strengthen their awareness, and take proactive steps, to encourage such advancements and prudently manage the emerging risks.

There’s no shortage of opportunity to transform the historically physical and manual character of ENR through Industry 4.0, from internet-connected devices to AI and machine learning, enabled by the cloud, data analytics, and new communication technologies like 5G networks, and so on.

In recent years, many industry players have taken considerable steps forward — including horizontal (local) digitisation of their internal operations — but now a cadre of leading organisations around the globe are incorporating vertically connected systems (e.g. bringing clusters of process control data to the cloud), to really optimise their data usage, automation and digitisation.

These early adopters are found across continents, from Europe, where environmental interest is high, to the Middle East, with its strong levels of investment capital, to Asia, where much technology invention is percolating. The leaders range from traditional local companies that are improving the efficiency and safety of select processes, to multinationals that are creating seamless integration across their supply chains, to operate smarter, faster, more sustainable and more profitably.

In Australia we are seeing similar adoption to accelerate this revolution: IoT adoption, sustainable energy (blockchain backed solar energy companies), acceleration to the cloud with a major mining company announcing their move to AWS, etc, to name a few. The industrial revolution is moving from a capital expense to encompass more innovation and hybrid cloud offerings.

And although the global pandemic may have stalled some technology investment, many companies are exploring opportunities, often through new ventures or subsidiaries with supportive cultures to nurture this innovation in a controlled scope.

This measured pace towards a connected ENR ecosystem is a good thing, for the industry to build awareness of — and the capabilities to manage — the accompanying cyber security risks. For instance, growing connectivity increases organisational exposure to cyber and safety risks, arising through direct hacker attacks on internal systems, or through ‘chain effect’ vulnerabilities if a company’s suppliers are targeted. This musters images of corporate supply chains being disrupted, or shutdowns of power grids or other critical infrastructure.

As corporate boards discuss the potential adoption of Industry 4.0 technologies, there remains limited understanding of the cyber security risks at stake. It’s important to have quality boardroom discussions about the potential benefits and risks of Industry 4.0 adoption. However, these debates can be difficult since the question still looms, 'could this happen to us?' Perhaps it's due to limited awareness resulting from under-reporting by companies and authorities, particularly on the industrial side, and the belief that industrial environments are isolated.

The result is that, board members might dismiss the cyber threats and overlook important security investments. Or, conversely, board members might reject proposed Industry 4.0 investments because they over-estimate the potential risks.

The answer, naturally, lies in carefully balancing the risks and rewards. Boards must build a solid understanding of the actual risks and containment (survival) strategies available. Then, they can make strategic choices regarding ‘right-fit’ new technologies that offer proven value to their business.

Boards and senior leadership should not ask, “Can’t we just address this problem ‘if’ it occurs?” In reality, experience in other sectors shows that such incidents are not a matter of ‘if’ but ‘when.’ Thus, organisations must take action now, both to defend against attacks, and to ensure they can respond effectively after a breach occurs.

Fortunately, there are several organisations, like major Oil & Gas, embracing this approach and bringing change, whether by exploring new technology in controlled environments, or implementing stringent third-party risk management, perhaps with in-depth due diligence of supply chain partners or pro-active monitoring of each other’s systems.

This speaks to the importance of digital trust in ENR, since companies will increasingly scrutinise the partners they deal with across the ecosystem, just as consumers switch among energy service providers who they believe they can trust and rely upon.

Creating the right conditions for a smooth, secure roll-out of the fourth industrial revolution depends on complementary and coordinated actions by enterprises, national governments, and inter-governmental bodies.

At the national level, there is a growing awareness and activity. While many authorities must still develop a fuller appreciation of the risks to their critical infrastructures, solid programs are coming into force in many jurisdictions. These range from strict regulatory regimes in the US, under several national agencies, to the United Kingdom’s Government Communications Headquarters (GCHQ), an intelligence and security organisation that is both safeguarding state assets and supporting cyber resilience in the private sector and industry (critical infrastructure). In Australia, the amendments made to the Security of Critical Infrastructure (SOCI) Act in 2022 demonstrate how this is being driven and recognised as a national security issue across all industry verticals including energy and natural resources.There is much opportunity for further collaboration, supported by the United Nations, the World Economic Forum or other international bodies, to promote international guidelines and standards to secure critical infrastructure. For example, the new ISA/IEC 62443 series of standards were drafted with the input of industrial automation and control system security experts from across the globe, to develop consensus standards applicable to all industries and critical infrastructure.

In Australia, the Australian Energy Regulator (AER) and Australian Energy Market Operator (AEMO) along with energy providers have developed the Australian Energy Sector Cyber Security Framework (AESCSF) which more and more power and utilities clients are aligning to as a strong framework for cyber security adoption in this sector.

Although the looming cyber risks are real, the combination of preventative measures — alongside smart technology choices and controls by ENR companies — will bring powerful innovation and growth to oil and gas fields, ports and, refineries. Industry 4.0 is a challenge.