Information security has always been important in the Oil & Gas sector but has not been given as much attention as political, safety, and environmental risks. Upcoming legal changes are however likely to push information security squarely into the centre of the risk radar.

Information security

When talking about information security, the ambit of risks extends from the forgetful employee leaving papers on a train to a full blown cyber-attack on key infrastructure and facilities. 

Although online attacks attract the high-profile headlines (see Box 1), a review of recent decisions by the Information Commissioner's Office (ICO) shows that people, process and training failures are still the most common cause of problems.

In the doomsday scenario, outside hackers could gain control of infrastructure, taking it offline, or worse, blowing up a pipeline or other equipment.  In reality, the risk is less dramatic but just as commercially painful.  A virus shutting down your email or telephone systems can force a business to stop functioning; losing a memory stick containing well or reservoir data could give away your competitive advantage; and not maintaining the privacy of your employees' information can make recruitment difficult.

Cyber attacks

In 2012, Saudi Aramco was struck by a virus that infected as many as 30,000 of its computers. Despite its resources as Saudi Arabia’s national oil and gas firm, Aramco, according to reports, took almost two weeks to recover from the damage. 

In the same year, the Qatari natural gas company commonly known as RasGas was hit with a virus that shut down its website and e-mail servers.  The attack was targeted at its infrastructure control systems but was stopped before it could do any harm.

In October 2015, the Department of Energy in the US confirmed that its networks had been infiltrated 150 times, with blueprints to the oil and water pipelines and power grid of the United States being among the data stolen.

Current legal framework

Information security in the Oil & Gas sector has generally been driven by best practice and has been left largely untouched by legal obligations.  The principal obligation has been to maintain security around the personal data of individuals as required by the Data Protection Act (DPA).

Until now, the DPA has been relatively benign.  Companies were only required to take "adequate" security measures.  There was no mandatory reporting of problems to the regulator (the ICO), and penalties for non-compliance were capped at £500,000.

Over the next couple of years, this is going to change with the introduction of a new Data Protection regime for personal data and a new general cyber security obligation for critical infrastructure providers.

Data Protection Regulation

A new Data Protection Regulation is currently being drafted and is expected to be in force some time during 2018.  This will create a universal law across Europe for managing personal data.  While the final text is yet to be agreed, it is likely that the new Regulation will turn a number of current "best practices" into statutory obligations, including:

  • Data Protection Officer: large organisations or those with risky processing activities must have an appointed DPO.  What amounts to a "large" or "risky" organisation is still to be determined.
  • Privacy Impact Assessments: these will now be required for any "high risk" use of personal data.
  • Privacy by design: organisations will be required to take privacy into account when designing any new business process.

The really significant change however is in the enforcement regime.  The current proposals include:

  • Mandatory reporting of security breaches to the regulator.
  • Much higher penalties with figures up to EUR 100m or 5% of annual worldwide turnover being discussed.

The exact cap on penalties is still being debated but even at a few percent of global turnover, the cost of a major data security breach could now be so significant that it will impact balance sheets and overall profitability of even the largest companies.

Cyber Security Directive

Also under consideration is a general cyber security directive to create a uniform base level of protection across Europe's critical infrastructure.  The theory behind the new law is that hackers go after the weakest link in the chain and that all IT systems are interconnected to some extent.  There is therefore no point in some operators putting excellent safeguards in place if others leave the back door open.

In the current draft Directive, a critical infrastructure provider means an "operator of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health".  This clearly covers a lot of the activities conducted in the Oil & Gas sector (see Box 2).

The current draft of the directive states that critical infrastructure providers must:

"take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations."

The big difference from the new Data Protection Regulation is that the Cyber Security Directive will apply to all networks and systems, not just personal data held on those systems.

Attached to this new obligation is also an enforcement regime that includes:

  • An obligation to notify the regulator without undue delay about incidents having a significant impact on the continuity of core services.
  • A power for the regulator to inform the public about individual incidents.
  • Financial sanctions where a breach is intentional or as a result of gross negligence.

The Cyber Security Directive, which is expected to come into force in around 2017, will in effect make information security more than just best practice, but a legal imperative.

The Cyber Security Directive sets out a non-exhaustive list of persons that are considered to be critical infrastructure providers including:

  • Electricity and gas suppliers
  • Electricity and/or gas distribution system operators and retailers for final consumers
  • Natural gas transmission system operators, storage operators and LNG operators
  • Transmission system operators in electricity
  • Oil transmission pipelines and oil storage
  • Electricity and gas market operators
  • Operators of oil and natural gas production, refining and treatment facilities

Actions

One may be thinking that these legal changes are several years off and not an issue for today.  However, the changes at a business level could be significant and it may take several years of planning and investment in order to meet the new standards.

Key areas to consider are:

  • Do you have a clear picture of all the IT systems that you use as a business and all the data that you hold?  If not, how do you know where your vulnerabilities may be?
  • Do you have a clear governance structure for security matters that brings together IT, security, legal and commercial teams and allows risks to be escalated promptly?
  • Are you using vulnerable IT systems that need overhauling and what is the investment cost and lead time in making those changes?
  • Are you using subcontractors and do they have adequate security controls in place?  Most industry standard contracts do not say anything about cyber security – do you need to be updating your contract terms to include obligations about maintaining security safeguards?
  • Should you be considering taking out specialist cyber-risk insurance against high-risk activities?