Cyber Readiness of U.S. Oil & Gas Sector

By Trellix · April 14, 2022

Concerns over cyber-warfare activity in Ukraine has rekindled discussion of the cyber readiness of government agencies and critical infrastructure in the U.S. The Trellix Cyber Readiness Report released today gauges the adoption of advanced cyber defense technologies and practices, perceptions of public-private partnerships and the role of national government leadership overall among public and private enterprises traditionally and more recently considered as critical infrastructure providers (CIPs).

Notably, the report’s survey found that U.S. government agency respondents lead their regional (state and local) government and private sector critical infrastructure peers in the implementation of four of five solutions required by the U.S. Executive Order on Improving the Nation’s Cybersecurity (EO 14028).

While some may be surprised that the U.S. government would lead private sector organizations in this (or any) technology area, it is important to realize that CIPs, as the U.S. Department of Homeland Security’s Cybersecurity and Critical Infrastructure Security Agency (CISA) defines them broadly today, increasingly include sectors that have under invested in information technology, let alone cybersecurity, for decades.

This blog focuses on the report’s findings from the oil and gas sector, which has traditionally lagged other CIP categories and has been increasingly victimized in the U.S. and Europe over the last year by cyber-attacks. These attacks have driven a public discussion on the need for cybersecurity enhancements across the entire critical infrastructure category.

The State of Cyber Defense Implementation

Only 25 percent of oil and gas sector survey respondents claim to have fully deployed multifactor authentication (MFA), compared to 37 percent of all U.S. CIPs and 47 percent of U.S. government agencies.

Eighty-five percent of sector respondents ranked EDR-XDR as a crucially important or highly important cybersecurity priority to their sector, followed by cloud cybersecurity modernization (83 percent), zero trust (80 percent), MFA (78 percent) and software supply chain management policies and processes (73 percent).

Thirty-five percent of all survey respondents in the U.S. claimed to have fully developed, implemented and deployed EDR-XDR solutions, which is at par with U.S. CIPs but behind U.S. government agencies (38 percent).

Forty-three percent of sector respondents report fully deploying cloud cybersecurity modernization, which appears about normal among U.S. CIPs (41 percent) and is substantially ahead of U.S. government agencies (29 percent).

However, only 20 percent of respondents claim to have fully deployed zero trust capabilities, which is notably behind their U.S. CIP peers (29 percent) and dramatically behind their U.S. government agency peers (40 percent).

Eighty-three percent of sector respondents ranked the implementation of EDR-XDR as a highly or extremely difficult technology to implement, ahead of cloud cybersecurity modernization (80 percent), zero trust (73 percent) and MFA (58 percent).

Lack of staff resources in-house appears to be one of the greatest barriers to implementing new cybersecurity solutions for this sector with 55 percent of respondents identifying it as a critical challenge. This was followed by tender and bidding processes (48 percent), lack of leadership recognition in the need to invest (43 percent), lack of trusted vendors partners (35 percent), lack of budget (30 percent) and lack of implementation expertise (28 percent).

Software Supply Chain Risk Management

Only 35 percent of oil and gas industry respondents claim to have fully implemented appropriate software supply chain risk management processes and policies in this area. Eighty-three percent say these measures are a technical challenge next to implementing EDR-XDR solutions. Seventy-five percent of respondents agree that there has historically been little oversight on how cybersecurity software products themselves were developed and where.

Seventy-three percent of industry respondents believe that if the U.S. federal government demands higher software cybersecurity standards within government agencies, this would play a role in raising standards across the software industry. Ninety-five percent of industry sector respondents believe cybersecurity standards for software development should be mandated by government.

That said, 53 percent of respondents believe government suggestions for higher cybersecurity standards for software development could prove too complex to implement. Forty-five percent believe government timelines may be difficult to adhere to and 40 percent worry about the costs of implementing such standards.

COVID-19 Impact & Legacy

Eighty percent of oil and gas industry respondents reported that the need to secure remote access to their enterprise resources became a more important issue in maintaining their cybersecurity posture during the pandemic. The sector’s respondents are roughly equally divided on the future of the hybrid remote work environment with 38 percent believing it is permanent, 33 percent believing it will pass and 30 percent are taking a wait and see position to see how well the hybrid model serves organizations over the long-term.

U.S. Cybersecurity Safety Board

Ninety-five percent of oil and gas sector respondents see value in the establishment of a U.S. Cybersecurity Safety Board similar to the U.S. National Transportation Safety Board. But 68 percent of sector respondents believe the Cybersecurity Safety Board should only focus on U.S. government infrastructure. Only 33 percent believe the Cybersecurity Safety Board should focus on both public and private infrastructure outside of as well as within the U.S. federal government.

Partnering with U.S. Government

Ninety percent of oil and gas respondents believe there is room for improvement when it comes to the level of partnership between the U.S. government and organizations in their sectors within the context of working together to overcome cyberthreats such as ransomware.

Seventy-five percent of industry respondents believe there is no real consistency as to how organizations respond to cyber incidents, and 45 percent favor improved Federal guidance on best practices.

Forty-three percent favor improved federal funding for cybersecurity, 38 percent favor a combination of incident notification and liability protection to facilitate sharing of attack data between impacted organizations, government partners and industry audiences.

Thirty-five percent argue for greater consequences for those perpetrating cybercrimes, 33 percent favor tighter cooperation on cyber incident management while attacks are in progress and 25 percent favor tighter cooperation on the investigation of attacks following their discovery. Only 15 percent called for more U.S. federal regulations.

Ninety-five percent of respondents said there was room for improvement in the cyber threat data shared by the U.S. government with organizations in their sector.

Nearly two-thirds (60 percent) of sector respondents identified data on cyber-attack vectors used amongst some of the most valuable threat information they could receive from government.

For more information:

• Trellix Cyber Readiness Report
• Cyber Readiness in Europe: France, Germany & the United Kingdom
• Cyber Readiness in Asia Pacific: Australia, India & Japan
• Cyber Readiness in U.S. State & Local Government
• Cyber Readiness in U.S. Healthcare Services