石油和天然气行业的网络复原力

1、Cover: Zora Zhuang, Getty Images Inside: Getty Images, UnsplashContentsForewordExecutive summary1 Introduction2 How to use this playbook3 Cyber-resilience principles for oil and gas industry boards134 Implementing the oil and gas principles5 ConclusionAppendix A: General cyber-resilience principles

2、for boardsAppendix B: How to operationalize the principlesAppendix C: TaxonomyAppendix D: Cyber Resilience in Oil and Gas Strategy and Culture Working GroupContributorsEndnotes 2021 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or

3、 by any means, including photocopying and recording, or by any information storage and retrieval system.May 2021Cyber Resilience in the Oil and Gas Industry:Playbook for Boards and Corporate OfficersForewordLeo SimonovichVice-President and Global Head, Industrial Cyber and Digital Security, Siemens

4、Corporation, USABasim Al-RuwaiiChief Information Security Officer, Saudi Aramco, Saudi ArabiaFilipe BeatoLead, Centre for Cybersecurity, World Economic ForumThe digital revolution and the energy transition have jointly transformed the oil and gas industrys decades-old business model in just a few sh

5、ort years. Today, companies control physical energy assets by linking operational technology with information technology networks that leverage big data, artificial intelligence and automation. These new, pervasive linkages serve as the lynchpin to a more efficient, resilient and lower-carbon operat

6、ing model for the energy sector.As one of the worlds most sophisticated and complex industries makes a multifaceted transition from analogue to digital, centralized to distributed and fossil-based to low-carbon managingcyber risk and preventing cyberthreats are quickly becoming critical to company v

7、alue chains.Executive board members, corporate leaders and cybersecurity managers must evaluate and ensure cyber risk is addressed in all aspects of their business from connected physical assetsdeployed in remote field environments to business software used in corporate headquarters in some of the l

8、argest cities in the world.To stay ahead of cyberattacks, vulnerabilities and insider threats in this rapidly evolving industry,oil and gas companies must make sure cyber- risk mitigation progresses at the same pace asinnovation. This means executives must continually improve their organizations cyb

9、er resiliency, evaluate new and existing risks, and create a dialogue between board members, corporate officers and key security professionals. To helpthe energy industry advance this crucial task, the World Economic Forum has convened a group of more than 40 senior executives from the oil and gas i

10、ndustry with the goal of establishing a blueprint for evaluating cyber risk and enhancing cyber resilience across the industry.This publication, Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers, is the result of community members leading in-depth discussions t

11、o illuminate the industrys best practices and create new solutions that help corporate leaders address cyber risk.We encourage community members and other companies in the oil and gas ecosystem to adopt these principles and pledge their commitment to addressing cyber risk so the industry can continu

12、e to meet customer needs and deliver safe, affordable and low-carbon energy for decades to come.Executive summaryThe oil and gas sectors future relies on digitalization to manage a vast network of global energy assets and operations to maximize profits, improve safety and efficiency, and minimize em

13、issions in themidst of a volatile market. The new wave of digital solutions integrates operational technology (OT) and information technology (IT), leveraging the power of emerging technologies (e.g. automation and artificial intelligence), to help the oil and gas industry innovate for the energy tr

14、ansition. This shift exposes critical infrastructure and entire supply chains to cyber risks, making cybersecurity a core requirement of the business model.Within this integrated digital ecosystem, it is now the responsibility of the corporate leadership to take cyber risk into account when assessin

15、g stability and security. Not only must the leadership manage cyber risks at the executive level, but these leadersmust also ensure that cyber risk is a core aspect of the operational and corporate culture starting at the top, and cascading and implementing clear policies across vast, global organiz

16、ations.To effectively manage risk in this new operating environment, boards need the tools to ensure their organizations develop and maintain appropriate cyber-resilience measures. Leading executives must build cyber resilience and collective defence systems across the industry that uphold common st

17、andards and protect partner supply chains, and collaborate on risk-based approaches to ensure the oil and gas sectors overall security.This playbook for boards and corporate officers provides guidance to those responsible for implementing cyber resilience to improve the industrys readiness to mitiga

18、te cyber risks.1IntroductionCybersecurity failure, including cyberthreats and vulnerabilities, are identified as a top short-term (0-2 years) business challenge for most organizationsin the World Economic Forum Global Risks Report 2021.1 To address cyber risk across the oil and gas industry, board m

19、anagers and senior corporate leaders must act to secure industrial operating environments from the increasing threat of cyberattacks with new policies, processes and attention from corporate officers. Today, boardmembers must balance the competitive advantage associated with digitizing their company

20、s industrial operating environment with greater exposure to malicious cyberthreats seeking to disrupt operations for financial gain or other nefarious motivations, such as geopolitical conflict or terrorism.To overcome market pressures, adapt to the energy transition and succeed in this new operatin

21、g environment, the industrys futureincreasingly depends on digitally connected OT to control physical energy assets such as gas compressors and offshore drilling equipment with IT applications to optimize data that turns a companys operations into an interconnected network. Board-level executives, c

22、orporate managers and industry stakeholders view the widespread use of digital technologies to run, manage and collect data from physical energy assets and plant operations as the key enabler to reduce costs, improve efficiency and reduce emissions.As the oil and gas industrys digital transformation

23、 exposes all aspects of its businesses to increased cyber risks, the companies become increasingly more vulnerable to widespread cyberthreats.2 Cybersecurity becomes even more difficult to ensure in an expanding digital threat landscape and complex global industrial environment.The oil and gas secto

24、rs expanding digital threat landscapeWith industrial device connections expected to reach 37 billion by 2025,3 digitalization is rapidly transforming the oil and gas industry from a commodity-based business run on analogue equipment into an automated, remotely controlledand artificial intelligence (

25、AI)-driven industry that makes risk-based decisions with internet-like speed. This rapid pace of digitalization comes at a cost, however; as oil and gas companies digitize operations, they simultaneously expose their companies to cyber risks.Malicious actors increasingly view the energy industry as

26、a ripe target to launch cyberattacks for financial, criminal or geopolitical gain. Recent studies show the volume of attacks against OT- connected assets increased over 20 times from 2018 to 2019.4 Meanwhile, the average energy- sector data-breach cost has risen more than 13%since 2019, to $6.39 mil

27、lion a higher cost than the global average of $3.86 million.5 Yet, even with expanding cyberattacks threatening the industry, two-thirds of oil and gas executives state that digitization is benefiting their business and will remain essential for their companys success.6As companies decide that conti

28、nuing to incorporate digital technologies across their enterprises outweighs the increased risk of cyberattacks, they should make cybersecurity a core competency of their organization and place it at the centre of the future oil and gas business model. Yet, most oil and gas companies are not accusto

29、med to thinking of themselves as digital companies and therefore lack the cybersecuritytechnologies, systems, personnel and protocols to protect industrial operating environments.The complexities of securing global industrial operating environmentsCybersecurity in the oil and gas sector is inherentl

30、y challenging due to the complexity of running a vast organization with different businesses, assets and personnel located all over the world, as well as working with a complex supply chain of customers and suppliers. Without robust cybersecuritytechnologies and protocols, companies slow to prioriti

31、ze the deployment of monitoring and defence solutions for vulnerable devices as well as proper cyber hygiene will find themselves unable to compete with cyber-protected peers offering products and services that are reliably and efficiently delivered.The industrys key cyber challenges in a global ope

32、rating environmentIn many cases, companies face challenges with internal cyber hygiene as systems areinterconnected but responsibility is siloed or shared across many partners with diverse priorities.Companies also face challenges with aligning IT and OT departments, managing interoperability with p

33、roprietary technologies and engaging with trusted third parties so that every connected device from wellhead to corporate computer is protected.While this continuity is necessary to achieve an ecosystem-wide cybersecurity approach, it is difficult to execute.Many organizations find cybersecuritys co

34、mplexity overwhelming, and this is particularly true whenneeding to secure both OT and IT environments. Companies with deeply integrated OT and IT assets need strategies to proactively manage risk today and mature cybersecurity with an eye towards their future risk environment.This document sets out

35、 six principles to help boards at oil and gas companies mature their approach to cybersecurity (Figure 1). They are designed to guide board members through the process of cultivating a corporate culture that assesses and manages cyber risk. Ten broad cyber-resilience principles developed by the Worl

36、d Economic Forum that can be applied to any organization supplement this knowledge (see Appendix A).Principle 4. Integration of cyber resiliencePrinciple 3. Accountable officerPrinciple 2. Command of the subjectPrinciple 1. Reponsibility for cyber resilience10 general cyber-resilience principlesFIGU

37、RE 1Cyber resilience principles for the oil and gas industry6 oil and gas industry-specific cyber-resilience principlesOG1. Cyber-resilience governanceOG2. Resilience by designOG3. Corporate responsibility for cyber resilienceOG4. Holistic risk-management approachOG5. Ecosystem-wide collaborationOG6

38、. Ecosystem-wide cyber-resilience plans Principle 10. EffectivenessPrinciple 9. ReviewPrinciple 8. CommunityPrinciple 7. Resilience plansPrinciple 6. Risk assessment and reportingPrinciple 5. Risk appetiteSource: World Economic ForumCASE STUDY The importance of operational technology to guard agains

39、t cyberattacks (an experience from Dragos)Scenario: From 2014 to 2017, a malicious adversary breached the cyber defences of an oil and gas refinery using OT specific malware called Trisis or Triton to target the safety systems used for oil and gas production.After going undetected for three years by

40、 the oil and gas companys security team, the attackers activated their malware to disrupt the refinerys safety instrumented systems. But when the attack was deployed in the summer of 2017, an error in the malware caused the plant to shut down instead of causing significant physical damage and killin

41、g or severely injuring company workers as intended. Little did investigators know at the time that this failed attack was the first known cyberattack specifically aiming to kill people.Immediately following the attack, plant security personnel and their third parties did not consider the sudden shut

42、down to be a direct result of a cyberattack and, thus, did not investigate this possibility as a root cause in their analysis. Yearsof investing in IT security but without taking a specific approach to OT cyber protection left the organization unprepared to deal with the attack or conduct the invest

43、igation. Having failed to correctly recognize and block the ongoing cyber-breach threat, the plant went back into operation with the malicious actor still present.With the malware still active, a month later attackers made a second attempt to disrupt therefinerys safety system, but this time attempt

44、ed to shut down even more critical infrastructure; fortunately, the attackers again failed due toa different error. This time the plants security team requested support from OT specialists to investigate the shutdowns in greater depth.After the second investigation, security experts found that the p

45、lans OT systems were being manipulated. They discovered that attackers were maliciously manipulating OT network activity and took steps to secure the breach. Recovering from the incident and then restoring the refinery to full operation took over 70 days and cost tens of millions of dollars. This at

46、tack could have been detected with an OT-specific approach and witha rehearsed incident-response plan in place. Had these measures been deployed, the time lost and the impact of the OT-specific attack would have been significantly reduced.Key takeaways: Adversary errors prevented casualties in this

47、incident, but board governance can and should make organizations more resilient against OT cyberthreats to critical safety infrastructure by taking an OT-specific approach to cybersecurity where appropriate. Attacks will happen as they cannot all be prevented, butorganizations can also detect and re

48、spond, making themselves more resilient. After incidents, sharing information and lessons learned from past threats helps other organizations in the oil and gas value chain prepare.The six principles above will help businesses in incidents like this consider how they could apply them to increase the

49、ir cybersecurity awareness and advance the overall level of cybersecurity at the company.2How to use this playbookThis playbook outlines six principles for the oil and gas industry that will help board directors govern cyber risk. It provides guidance for corporateofficers and other leaders to stren

50、gthen their organizations cybersecurity posture and ensure broader ecosystem cyber resilience.Are you a board member?Boards of directors are the ultimate entity accountable for the safety and security of a companys financial, legal, strategic and ethical decisions. Increasingly, executive board memb

51、ers are focusing on new and emerging digital technology issues that threaten the resilience of their organizations operations. In todays digitally connected global economy, cybersecurity is acomplex and critical discipline in itself; it requires meticulous technical and operational oversight to keep

52、 pace with ever-evolving cyber risks and threats.This playbook provides board members with guidance to help execute their oversight role and obtain actionable insights to improve cyber resilience.Are you a corporate officer or manager responsible for cyber resilience?Corporate officers and managers

53、responsible for cyber resilience must clearly explain to boards why cyber resilience matters for the current and future security, and success, of their organization. They must also be able to articulate their strategy for managing cyber risks.The corporate officer or manager responsible for cyber re

54、silience is often a senior executive with essential cybersecurity responsibilities, including overseeing a cyber-resilience strategy and reporting to and advising a board of directorson the cyber risks facing a company. In many organizations, this role is called the chief information security office

55、r (CISO). This title emphasizes the responsibility and accountability that this individual holds within an organization, regardless of the specific job title.This playbook provides corporate officers and managers with recommended activities to help implement cyber-resilience principles and facilitat

56、e communication on the risks with executive board members.3Cyber-resilience principles for oil and gas industry boardsThe following six principles are specific to the oil and gas (OG) industry and complement the HYPERLINK /whitepapers/advancing-cyber-resilience-principles-and-tools-for-boards genera

57、l cyber-resilience principles7 to address vitalcyber-resilience challenges.8,9 These principles are designed to enable board action in advancing systemic cyber resilience.Principle OG1 - Cyber-resilience governanceThe board should require management to establish a comprehensive cybersecurity governa

58、nce model. This includes oversight into IT, OT, physical security, health and safety environment, and digital transformationto ensure interoperability within the organization and drive alignment across the ecosystem.Boards acting on cyber resilience should consider the following questions: How does

59、the governance model create a collaborative relationship between IT, OT and physical security functions? What effective mechanisms are in place for this?Which roles and responsibilities for cyber resilience have been established, integrated and adhered to across IT, OT and physical security function

60、s?What are the existing incentives for best practices to secure operational and safety environments?How is the cyber-resilience governance model reviewed? How is alignment with the evolving ecosystem and associated cyber risks ensured?CASE STUDYSaudi Aramco sets oversightScenario: Saudi Aramco took