Refining executive: Oil, gas industry behind on cybersecurity risks

As the world becomes more digitally dependent, the oil and gas industry may be facing a dangerous situation where it is playing catch-up on cybersecurity, according to executives at one of the nation's top refining companies.

Andeavor Chief Information Security Officer Jed Young said the industry is moving rapidly to make up ground when it comes to cybersecurity but is not where it needs to be. "Fundamentally, the vendors and the commercial market is catching up," he said while speaking at KPMG's Global Energy Conference in Houston. "Industries that are behind are making up for bad decisions in the past."

The major concern for information security experts in the oil and gas sphere is not the prospect of hackers stealing proprietary secrets. Instead, Young said it is the idea of a hacker breaking into a system and doing actual physical damage that keeps him up at night. Andeavor operates 10 refineries in the U.S. with a combined capacity of about 1.2 million barrels per day.

"The implications of something going wrong is no longer loss of property, it's loss of life," he said. "At the tail end of 2017 ... there was an announcement that a Saudi refinery had their safety systems targeted. We're not looking at business systems, but the safety system that was monitoring that physical process was targeted."

The cyberattack against a plant in Saudi Arabia was designed to sabotage industrial control systems and trigger an explosion. According to an investigation by The New York Times, the only thing that prevented an explosion at the plant was a mistake in computer code.

When it comes to defending computer systems against hacking, Young said companies should act with the assumption that they have already been compromised and continue to act vigilantly even if that is not the case. "You have to be ready to respond."

Young said oil and gas companies should already be making a large investment in monitoring cyber risks and protecting against them. The more the industry relies on connected technology, the more it needs to defend against online threats. "If you're going to tie yourself to the industry, you have to know the industry is going to digitize," he said. "There has to be some level of investment [in cybersecurity] knowing that there are adversaries out there gathering information about us."

In late April, Marathon Petroleum Corp. announced a $23.3 billion deal to acquire Andeavor and create the largest U.S. refiner ranked by capacity.