Trend Micro conducted a study on the state of industrial cybersecurity in the oil and gas, manufacturing, and electricity/energy industries in 2022. Based on the results of a survey of over 900 ICS business and security leaders in the United States, Germany, and Japan, we discuss the characteristics of each industry, the motivations and environmental factors that will drive future cybersecurity improvements. We will also introduce Trend Micro's proposals based on the current state of the industry. This time we will focus on the Oil & Gas industry.
News of the cyber attack on the US Colonial Pipeline in May 2021 has had a major impact on the oil and gas utilities industry. The IT accounting system was forced to shut down their OT system. This six-day suspension of pipelines disrupted the lives of citizens. In response to this incident, the government proceeded with the development of laws one after another and established new evaluation criteria for security management systems. There is a similar movement in Europe, and there is a lot of discussion in Japan about the next cybersecurity strategy, including the protection of critical infrastructure.
Here is for the manufacturing
Here is for the electricity
Agenda
1 Characteristics and Considerations of the Oil & Gas Industry Regarding Cyberattacks
1-1 Long downtime
1-2 “Malware infection due to legitimate web browsing” was the most frequently cited attack that forced the system to stop operating while dealing with cyber-attacks.
1-3 Difficult to take measures to prevent recurrence of cybersecurity improvements
1-4 Drivers of enhanced security are requests from partners and customers and compliance with regulations
2 Trend Micro Proposal
1 Characteristics and Considerations of the Oil & Gas Industry Regarding Cyberattacks
1-1 Long downtime
It was found that the oil and gas industry averaged 6 days for system outages due to cyberattacks, one day longer than the five days for other industries. In addition, 65% of respondents said that the system stopped for more than four days, which is a very large number compared to 50% for manufacturing and 56% for electricity.
The reason why the downtime is longer than in other industries is that once a process automation system is stopped, it is necessary to discard the products in the process of manufacturing and clean the production equipment. This takes because it requires chemical processing. If processing stops midway, proper chemical synthesis will not occur and the products will have to be discarded. As a result, the amount of production decreases and the loss amount increases. In fact, the average loss amount is calculated to be about 1.8 times that of the manufacturing industry.
1-2 Malware infection due to legitimate web browsing was the most frequently cited attack that forced the system to stop operating while dealing with cyber-attacks.
In response to a question about how they dealt with various cyberattacks, we analyzed the types of attacks that answered, "We were unable to stop this type of attack and had to respond to the incident”. As a result, the oil & gas industry had the highest number of malware infections during web browsing, followed by "Compromise of internet accessible device". In addition, the vulnerability to phishing is prominent, and compared to other industries, especially compared to Electricity, there is a difference of more than 10 points.
Q4_1 ~ Q4_7 How has your organization dealt with the following types of cyber attacks? (NB: Multiple choices allowed)
This result suggests that the office terminals used in the IT area or OT area became an intrusion point. Instead of implementing measures for IT and OT individually, measures that assume that attacks on IT (email, web) will reach ICS are necessary. A mechanism for network segmentation, appropriate access control, and detection of anomalies in internal routes is required.
1-3 Difficult to take measures to prevent recurrence of cybersecurity improvements
Despite these circumstances, when asked if their organizations have improved their cybersecurity after incidents, only 43% of respondents answered that they "always/usually make improvements." Lower than the overall average of 52%, this trend is common to the US, Germany, and Japan, and Japan has a gap of 19 points from the TOP manufacturing industry. In addition, 4% of respondents answered that “We rarely make improvements”, which is higher than other industries.
Q10:Thinking about the last 12 months, post-incident, does your organization make cybersecurity improvements in order to minimize the risks of future attacks? (N=829)
Compared to other industries, the disrupted time during cyberattacks is longer and the amount of damage is large, but the result is that they appear to be reluctant to improve cybersecurity. As mentioned above, it is difficult to stop the system, and even maintenance is required once a year, assuming continuous operation.
Considering the priority of the manufacturing process, there is a possibility that business risks (quality deterioration, decrease in production volume, unstable supply) are avoided by not taking security measures. But the idea of dealing with damage after it happens means that you are underestimating the risk. Such industries have limited opportunities to introduce countermeasures, and when introducing them, careful consideration and careful and short-term introduction are required. Achieving this requires strong leadership from management.
In the oil & gas industry, there is an overwhelming need for enhanced security from partners and customers, and immediate measures are required.
1-4 Drivers of enhanced security are requests from partners and customers and compliance with regulations
We analyzed how the reasons for implementing cybersecurity measures have changed by dividing them into "past*" and "next 3 years", focusing on the items with the largest rate of change.
We found that business partner/client/customer demand was the strongest driver, with the highest GAP of 6.5 points over the past and next three years. Japan and Germany have increased by 12.0 points and 5.3 points respectively, indicating that external requests are extremely high.
*As of the survey (February to March 2022)
The percentage of cloud systems implemented or scheduled to be implemented also increased by 5.4%. This is 4.2% higher than the industry average of 1.2%, which is larger than other industries. Here too, Japan and Germany show high percentages.
Although the points will drop three years from now, the 5G implementation/implementation plan was selected as the number one initiative so far and received a high score, especially in Japan, the score was very high at 38.6%.
In the US, on the other hand, 31.6% of drivers cited “to comply with industry regulations” as the highest driver, a gap of 11.2% between the past and the future. Germany, on the other hand, fell in priority.
Q19. Until now, what have been your organization’s top two reasons for implementing cybersecurity measures to protect your ICS/OT systems?
Q20.What do you believe your organization’s top two reasons for implementing cybersecurity measures to protect your ICS/OT systems are over the next three years?(NB: Multiple choices allowed)
Although there are variations from country to country, the following can be said as common across the industry:
- Since the number of actual damages and attacks is expected to increase in the future, the government is tightening regulations, and compliance with various guidelines is strongly required.
- Partners and customers will have stricter security requirements for business partners in order to reduce the impact on their own companies due to the increase in attacks and to establish supply chain security.
- It can be seen that the company is trying to rapidly take on the challenges of new technologies such as cloud computing and 5G implementation. In the midst of intensifying competition, we believe that the background is the challenge of DX support in order to increase the profitability of the business.
2 Trend Micro Proposal
Below is an outline of the current status of the oil & gas industry, as well as Trend Micro's proposals to address them, as revealed by this survey and its analysis:
Current status of the oil & gas industry | Trend Micro Proposal |
Despite the high financial impact of security incidents, it is difficult to implement security countermeasures due to reasons unique to the manufacturing process. | Strong leadership of management is required |
Office terminals used in IT or OT are often subject to cyberattacks, causing system outages. | Regardless of whether it is existing or new in the IT/OT environment, implement security measures that match the characteristics of each. On top of that, in light of the expanding Attack Surface and the presence of attacks that cross environments due to the ever-changing company environment, we will develop risk visualization and threat detection/response capabilities across the entire environment without blind spots. |
Ambitious to challenge new technologies such as cloud and 5G to survive intensifying competition |
The details of IT/OT security in the oil & gas industry and Trend Micro's proposal are described in detail here.
A full version of these findings can be downloaded here. It details the challenges faced by manufacturing, power, and oil and gas companies, their causes, and the state of industrial cybersecurity.
Want to know more about trends? Contact us.