Cyber Security – Energy - KPMG Global

Cyber Security – Energy


The research was conducted with the participation of 163 global Energy CEOs from Australia, China, India, Italy, Germany, Japan, France, Spain, the UK and the US.


Within the Energy sector, respondents consider their organizations to be more prepared and confident. There are perhaps reasons for the degree of confidence. They have been more actively targeted than many over the last 5–10 years, and therefore their maturity is more advanced than in some other sectors, such as construction, retail or large parts of transport. However, we see an interesting dynamic between the level of understanding of the risk, the maturity of the organization and the continued levels of investment. We find that many of those organizations that have the deepest understanding – often after living through severe incidents in the past – and that as a result have the most mature cyber security capability are often those that continue to invest on an ongoing basis; they understand that getting to a tolerable position is going to take many years and significant investment, and that even when they are at that tolerable position there will still be an ongoing requirement to work to maintain it.

 

This is because the cyber landscape is constantly changing. Beyond the IT cyber threats that organisational security departments have become familiar with, a new threat is emerging in the Energy landscape - the direct compromise of critical production assets. As the industrial control systems (ICS) used to manage assets' production processes have evolved, companies have been able to reduce costs and improve efficiency by consolidating engineering and IT services. The more mature organisations are also looking to improve effectiveness by adopting sophisticated data analytics on their production data. As a consequence, operational and corporate systems are sharing infrastructure, and previously standalone control systems are being integrated into corporate intranets or even with the internet. However, in doing so, Energy companies may be exposing previously hidden vulnerabilities on their production assets, and the exploitation of these vulnerabilities could have an immediate operational, safety and environmental impact beyond the traditional financial and reputational impact seen with an IT system compromise. This new threat doesn’t mean that businesses should halt the process of converging systems, but that they need to have the skills to identify and manage the risk - adding yet another cost into already stretched cyber security budgets.

 

Energy companies are already exposed to significant business pressures that compete with cyber security for resources, and often increase the cyber risks to the business. Oil & Gas has the obvious pressure from continued low market prices when compared with 18 months ago. Power & Utilities, on the other hand, are still under post-recession pressure to prevent a rise in their output prices despite significant rises in the input costs over the last 8 years. This often encourages them to choose risk acceptance rather than mitigation, though that is not often a formalized decision and is rarely if ever provisioned. That is not the limit of the problem though. Those conditions often drive other cost reduction exercises within the IT environment that might increase risk, such as a deeper and faster push to outsourcing, and the fragmentation of services with the push to the cloud. All in all, the smart operators recognize the heightened importance of ensuring every security pound or dollar spent hits its mark, and they realize that they will achieve greater success in doing this with help than they would if they did it on their own.

How prepared is your company for a cyber event? Not where we need to be; Somewhat prepared; Fully prepared

Fifty-five percent of CEOs believe their companies are fully prepared for a cyber event.

How often have you met with your executive team and/or board of directors on cyber security? 7-10 times; 4-6 times; 1-3 times; Never

Fifty-seven percent of CEOs have met 4-6 times, and 4 percent have never met.

Convene multiple meetings with the board about cyber security. Planning to take steps in next 3 years; Have taken preemptive steps; No planned action

Fifty-one percent are planning to take steps in the next 3 years while 7 percent plan to take no action to meet with their board.

Convened multiple meetings with cyber security team. No planned action; Have taken preemptive steps; Planning to take steps in next 3 years

Sixty percent of CEOs plan to take steps in the next 3 years to convene multiple meetings with their cyber security team.

Steps taken to prevent a cyber security breach. Have taken preemptive steps; Planning to take steps in next 3 years; No planned action

Thirty-seven percent of CEOs have taken steps to preempt a cyber security breach, 30 percent report they have no plans.

Hire a cyber security consultant. Have taken preemptive steps; No planned action; Planning to take steps in next 3 years

Fifty-nine percent plan to hire a cyber security consultant in the next 3 years.

Upgrade current technologies. Planning to take steps in next 3 years; No planned action; Have taken preemptive steps

Fifty-two percent of ENR CEOs are planning to upgrade their current technologies in the next three years and 40 percent have already taken preemptive steps.

Deployed new technologies. Have taken preemptive steps; Planning to take steps in next 3 years; No planned action

Eighty-four percent have or plan to deploy new technologies in the next 3 years.

Changed internal processes (data sharing, device use etc.). Have taken preemptive steps; No planned action; Planning to take steps in next 3 years

The majority of companies have changed internal processes.

Changed external processes (data gathering, transaction processing, data sharing etc.). Have taken preemptive steps; No planned action; Planning to take steps in next 3 years

Eighty-three percent plan to or have changed external processes such as data gathering, transaction processing or data sharing.
