Physical security is a major concern for the oil and gas industry, and addressing it adequately is a major challenge. Not only does the industry have valuable resources to protect, but those resources are spread across a variety of sites – some of which are huge and some of which are difficult to access. 

To address those challenges, the oil and gas industry invests heavily in physical security devices. But because these security devices are not typically managed adequately, in many cases oil and gas companies do not actually get the benefit they need. Worse yet, these devices can present a serious cybersecurity risk.

Oil and gas companies face serious physical security risks, and their connected devices need more attention

Oil and gas companies know they need to protect themselves from a variety of dangers, ranging from environmental hazards and risks to workers’ safety to intentional threats like vandalism, theft, sabotage, and even terrorism. And because of the scale and critical importance of their infrastructure, companies need to actively minimize the risk that they could be targeted by state or non-state actors in a way that could risk a major national security incident.

These risks are particularly serious because of the dangers associated with extracting, refining, and transporting oil – as well as the potentially huge financial fallout of a major incident such as an oil spill. Mitigating the risk of an oil spill involves not only taking preventive measures, but also having technologies in place to rapidly detect a spill. And last year’s Nord Stream pipeline explosions highlight the damage that an apparent act of sabotage can cause. 

To stay safe from these physical security threats, oil and gas companies invest heavily in security devices including various types of cameras, access control panels, and sensors. The problem is that in far too many cases those devices do not actually deliver sufficient security to the oil and gas industry. 

That’s because after the oil and gas industry’s physical security devices are purchased and installed, they are not typically managed properly – through no fault of the manufacturers, systems integrators, or physical security teams that operate them. 

Without operationally managing its physical security devices adequately, oil and gas companies face a real risk that a device could be offline when it’s really needed – in other words, that it won’t do its job in a moment of crisis. The danger of downtime is especially significant given the importance of rapidly discovering incidents such as oil spills and attacks or acts of sabotage against oil and gas facilities. And our data shows that in a typical physical security environment, an average week sees 4% of IP cameras get disconnected from their network at some point – while 6% get disconnected from their video management system for some amount of time in an average week.

The status quo creates risks going well beyond physical security

Perhaps even more concerning are the cybersecurity risks facing the oil and gas industry, especially in light of the state of its physical security devices. Because most oil and gas companies do not adequately harden and maintain their physical security devices, they face a real risk that those devices could become a vector for hackers to carry out a data breach or cyberattack. 

How serious are the cyber risks facing oil and gas companies? The most notorious example to date of what’s at stake was the Colonial Pipeline ransomware attack, which was carried out by threat actors using a stolen password. That incident massively disrupted the energy industry on the East Coast of the U.S. two years ago, causing widespread gasoline shortages and a spike in prices. The attack only ended after Colonial paid a ransom of approximately $5 million, although much of that sum was later recovered. 

Notably, the Colonial Pipeline attack is far from the only cyberattack causing major harm to oil and gas companies around the world in recent years, as cybercrime poses an increasingly alarming threat to them. In fact, a report issued by the U.S. Government Accountability Office last year underscored the widespread and growing cybersecurity risks facing offshore oil and gas facilities – especially in light of the threat landscape, the increasing reliance on connected operational technologies, and the potentially far-reaching consequences that could result from a cyberattack on oil and gas companies. 

Adding to the risk, nearly 40% of security cameras have cybersecurity vulnerabilities as a result of using outdated firmware, according to Genetec. And that should concern oil and gas companies, especially considering that last year IBM estimated that the average data breach affecting the energy industry costs $4.72 million – up from $4.65 million in 2021.

So what’s holding oil and gas companies back from taking the necessary steps to improve the operational management of their physical security devices? The answer is that it is simply too massive and time-consuming of a task to be feasible through the conventional, manual approach to managing these devices. That’s not just because of the scale and geography of oil and gas companies’ operations, but also because of the variety of steps involved in operationally managing physical security devices properly – including password rotations, firmware upgrades, certificate management, monitoring devices, and replacing those that are past their end of life.

The oil and gas industry needs a more reliable and efficient way to manage its physical security devices

Given the physical and cyber risks facing oil and gas companies, how can they make sure their connected devices provide the security they need?

Simply doing more of what they’re already doing won’t remove the risks posed by inadequately managed physical security devices, and it certainly won’t offer them an efficient path forward. Instead, the oil and gas industry needs an innovative approach to managing its connected devices – and automation is the key. 

An automated approach to the operational management of physical security devices can empower the oil and gas industry to minimize the chances that a device could be offline when it’s really needed, such as in case of a serious accident or intentional attack. At the same time, this kind of approach can help those companies harden and maintain their security devices efficiently and reliably – protecting them from the cybersecurity risks they face. 

This way, oil and gas companies can improve their overall security posture, helping them stay safe from both physical and cyber dangers. 

For a look at how one major global energy company has used SecuriThings to automate the operational management of its physical security devices, check out our oil and gas case study.