Cyber Compliance is not enough

Forget the myth of unbreakable defences and concentrate on crisis management when it comes to cyber security
The complexity of the cyber threat to oil and gas facilities and critical infrastructure has grown exponentially, and continuous improvement is necessary to protect against cyber hazards. Identity management is a particularly tricky area for companies in the sector, which often have employees, suppliers and third-party contractors in various locations requiring various levels of access. It would be naïve to think that any business or organisation is impervious to cyber security breaches, as the many high-profile cases reported in the media over recent months have illustrated, but there is no excuse for a lack of awareness or preparedness, as Andrew Taylor, Chief Executive of Bronzeye IBRM, argues.

What are the particular cyber security challenges facing the upstream oil and gas industry?

Oil and gas explorers often work in challenging environments, creating enormous quantities of sensitive data that has to be communicated. Industrial Control Systems (ICS) are everywhere. The complexity of the concatenation is astonishing. Criminals exploit this tangle and leverage off a broad lack of understanding – the average executive has no clue of the true extent of their company’s digital risk. Nor, often, do their technical teams.

Potential attack vectors which hackers will seek to exploit are growing exponentially. For the right reward, criminals, terrorists and states will spend months and even years working their way into target systems. To understand our risk, we need to understand what our attackers are looking for and how, which is fiendishly difficult. Motivations mingle and technical defences face an awful lot of known unknowns, to paraphrase Donald Rumsfeld. Therefore, potential targets rarely fully understand their risk and, consequently, cannot fully quantify the threat.

Our defences can only operate efficiently against known threats. Zero Day threats (those threats we don’t know about yet) will defeat current defences. Forget the snake oil sales talk of unbreakable automated defences to keep you safe. The question must be: when a breach happens, are you ready? Will your team be able to switch seamlessly into crisis management?

Should virtual and physical security systems be integrated?

It is critical that all aspects of security – including Human Resources – are integrated. Most serious breaches start with someone doing (or failing to do) something physical.

How effective are the industry-standard regulatory regimes and evaluation systems?

These are better than nothing, but they are only checklists. In most countries, if you ride a motorcycle, the only safety clothing you must have is a helmet; you can be compliant and not the least bit safe. Management must have its own governance regime and actively ensure that it is robustly applied. As with motorcycles, if you only check boxes, you may be compliant, but you won’t be secure. On the other hand, if you are secure, you will be compliant by default. As far as we are concerned, there are three golden rules:
  1. Think human, not cyber;
  2. Think security, not compliance;
  3. Get integrated, get secure.

Andrew Taylor

CEO of Bronzeye IBRM

Bronzeye IBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.