There are two fronts in the Russian invasion of Ukraine: one is physical combat and airstrikes and the other is in cyberspace, where cybersecurity experts fight disinformation, psychological warfare and cyberattacks. Cyberattacks of this nature can and have resulted in power outages, rail disruptions, disruption of electoral voting systems and, in the case of the war in Ukraine, disruption of its largest fixed telecommunications network and the threat ubiquity of a cyber disaster.
The oil and gas (O&G) industry is not immune to these types of vulnerabilities. The May 2021 Colonial Pipeline hack in the United States not only compromised the company’s networks and shut down its operations, but also deprived the East Coast of a pipeline that provided nearly half of the region’s fuel. Russia’s invasion of Ukraine on the physical and cyber fronts has heightened fears of future cyberattacks by malicious actors on critical energy infrastructure to gain financial, criminal or geopolitical advantage. Results from the 2021 State of Ransomware study revealed that 43% of energy, oil and gas, and utility companies admitted to paying ransom for ransomware attacks. 23% of these companies expect to be affected by ransomware in the future.
Additionally, innovation, increased competition and sweeping economic interests make oil and gas companies a prime target for cyber exploitation. However, according to research conducted by Accenture in 2017, most oil and gas companies see cyberattacks as a black box – most did not know when or how cyberattacks could harm them.
The Malaysian government, through the Malaysia Cyber Security Strategy 2020-2024, has identified 11 critical National Information Infrastructure (CNII) sectors – including the energy/O&G sector – that need to be protected and preserved to ensure the security of the nation, its economy and the health and safety of the public.
There are several reasons to believe that cybersecurity should be of concern to the oil and gas industry in Malaysia. The oil and gas sector is a key economic sector for the country and a significant contributor to GDP. Therefore, any disruption would have a significant impact on national and public security. In recent years, increasing market pressure and business competitiveness have also led to a convergence of IT systems and other digital revolutions that increase the connectivity of systems, data and people within the industry. And as more oil and gas companies move to cloud-based systems, applications and infrastructure, there is an increase in cybersecurity vulnerabilities, as echoed by nearly quarter of offshore oil and gas executives surveyed in a Journal of Marine Science and Engineering study. In the era of interconnected business operations, such as in supply chain and O&G payment systems, technology is driving most business operations, highlighting the essential role of cybersecurity.
The Covid-19 pandemic has also accelerated digital transformation and normalized remote working arrangements. This has unfortunately created an upsurge in cybercrime. Next, geopolitical cyberattacks in the region are also on the rise, with sovereign claimants in the resource-rich South China Sea experiencing cyberattacks, according to security reports from FireEye and Recorded Future Insikt Group, among others. As Malaysia is one of the claimants in the territorial dispute, there is an urgent need for the country to protect its critical national information infrastructure.
It is also important to note that most of the players serving the Malaysian oil and gas industry are small and medium-sized oil and gas service and equipment companies (OGSE). Studies have shown that small businesses are easy targets for cyberattacks because these businesses lack the resources that large corporations have to invest in cybersecurity. Threat actors also target SMBs that have partnerships with large enterprises to gain easier access points to perform security breaches.
However, investors increasingly view robust cybersecurity as a core element of environmental, social and governance (ESG) frameworks – given the ability of cyberattacks to affect company value and ultimately the stability of companies. companies – this could pave the way for building a more cyber-secure O&G and OGSE industry globally, including in Malaysia.
Domestically, Malaysia has made significant progress in addressing cybersecurity challenges through strong international alliances and by putting in place a National Cybersecurity Strategy. According to the ITU Global Cybersecurity Index 2020, Malaysia is ranked fifth globally and second in Asia-Pacific, behind South Korea and Singapore, which tied for first. However, there are still improvements to be made to the ecosystem, cooperation with industry to build awareness and capacity, streamlining responsibilities and coordination between agencies, and the need for improving existing laws to deal with the ever-changing landscape of cyberspace.
In terms of efforts in the O&G private sector, Petroliam Nasional Bhd has made huge investments and implemented numerous cybersecurity initiatives and awareness campaigns such as the Human Firewall campaign, which tries to improve cyber awareness and inculcate a sense of responsibility in the face of cybersecurity risks. However, there appears to be little indication that other O&G supply chain players are prioritizing cybersecurity in their operations, showing that there are areas that need improvement.
The oil and gas industry involves an integrated and complex upstream and downstream supply chain, which could lead to a ripple effect if or when vulnerabilities in cyberspace occur. In the World Economic Forum’s 2021 white paper Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers, the importance of third-party access and assessment as part of cyber risk management has been exposed. Organizations conduct an end-to-end assessment of their supply and value chains to identify blind spots and high risks associated with cyber threats.
Third-party extensions lead to major IT and operational risks, such as mismanagement of confidential information, inability to meet business operational and compliance goals, and lack of effective cybersecurity safeguards. The document suggested critical questions to think about – for example: Do third parties have logical and physical access to critical IT systems, operational technology (OT) systems, or sensitive information?
While some may assume that the responsibility for protecting the O&G sector lies with the government, the private sector plays a vital role in planning and executing practical and meaningful cybersecurity measures using emerging technologies such as blockchain technology. Used in emerging cryptocurrencies, blockchain technology is increasingly seen as another measure to mitigate cybersecurity threats. It is also important to investigate asset ownership when dealing with partnerships, to ensure that appropriate cybersecurity frameworks are in place to secure the asset. On the government side, efforts to encourage businesses to invest in cybersecurity and play their part in creating a safe and secure digital ecosystem have been outlined in the Malaysia Digital Economy Blueprint, launched in 2021.
Given the state of industry readiness, or lack thereof, raising awareness and empowering industry to embrace cybersecurity is critical. Emphasis should be placed on the need for proper cybersecurity training, employee awareness to increase understanding of risk mitigation, how to reduce exposure, cloud security awareness and OT/IT vulnerabilities that could lead to cyber incidents. Other solutions include retiring aging systems, deploying the most effective security technologies, expertise to manage cyber threats, and sharing threat intelligence with industry peers such as the Sharing Center and OT cybersecurity information analysis company based in Singapore.
Cyberattacks typically target corporate systems, corporate data, and customer and employee data, leading to fraud and unauthorized transactions, among other things, which would impact corporate reputation. . Although cyberattacks sometimes only cause inconvenience, they often have serious implications, including severe financial impacts, privacy and security vulnerabilities due to data leaks and destroyed systems, threats to the sovereignty of state and can even cost lives.
The oil and gas industry in Malaysia should step up its cybersecurity efforts to mitigate these issues and prepare for ESG and sustainability reporting in this space. Additionally, oil and gas companies must ensure that progress in cyber risk mitigation occurs at the same pace as technology adoption and innovation, by continuously improving cyber resilience and assessing new and existing risks. While there may be a tendency to downplay cybersecurity, it’s important to remember that the cyber threat is very real. No one, no organization and no State is immune to cyber risk – it would be naive to pretend otherwise.
Dr. Moonyati Yatid is Senior Director of Corporate Strategy and Research at Malaysia Petroleum Resources Corp.