There are two fronts in the Russian invasion of Ukraine: one is the physical fighting and airstrikes and the other is in cyberspace, where cybersecurity experts are battling disinformation, psychological warfare and cyberattacks. Cyberattacks of this nature can and have led to power outages, railway disruptions, interruption of electoral polling systems and, in the case of the war in Ukraine, a disruption of its biggest fixed-line telecommunications network and the ever-present threat of a cyber catastrophe.
The oil and gas (O&G) industry is not immune to these kinds of vulnerabilities. The May 2021 Colonial pipeline hack in the US not only compromised the business’ networks and shut down its operations but also deprived the East Coast of a pipeline that supplied nearly half the region’s fuel. Russia’s invasion of Ukraine on both the physical and cyber fronts have exacerbated fears of future cyberattacks by malicious actors on critical energy infrastructure to gain financial, criminal or geopolitical advantage. Findings from the State of Ransomware 2021 revealed that 43% of energy, O&G and utility firms have admitted to paying ransom for ransomware assaults. Another 23% of these firms expect to be affected by ransomware in the future.
Furthermore, innovation, increased competition and sizeable economic interests make O&G companies a prime target for cyber exploitation. However, according to a study conducted by Accenture in 2017, most O&G firms see cyberattacks as a black box — most were unaware when or how cyberattacks may harm them.
The Malaysian government, via the Malaysia Cyber Security Strategy 2020-2024, has identified 11 critical national information infrastructure (CNII) sectors — including the energy/O&G sector — that are to be protected and preserved to ensure the security of the nation, its economy and the public’s health and safety.
There are several reasons to believe that cybersecurity should be of concern to the O&G industry in Malaysia. The O&G sector is a key economic sector for the country and a significant GDP contributor, hence any disruption would have a significant impact on national and public security. In recent years, increasing market pressure and business competitiveness have also led to a convergence of IT systems and other digital revolutions that increase the connectivity of systems, data and people within the sector. And as more O&G companies move towards cloud-based systems, applications and infrastructure, there is an increase in cybersecurity vulnerability, as echoed by almost a quarter of offshore O&G leaders surveyed in a Journal of Marine Science and Engineering study. In the age of interconnected business operations, such as in O&G supply chain and payment systems, technology governs most business operations, emphasising the critical role of cybersecurity.
The Covid-19 pandemic has also accelerated digital transformation and normalised remote work arrangements. This has unfortunately created a surge in cybercrime. Next, geopolitical cyberattacks in the region are also on the rise, with sovereign claimants to the resource-rich South China Sea experiencing cyberattacks, according to security reports by FireEye and Recorded Future Insikt Group, among others. As Malaysia is one of the claimants in the territorial dispute, there is an urgent need for the country to protect its critical national information infrastructure.
It is also important to note that most players serving Malaysia’s O&G industry are small and medium-sized O&G services and equipment (OGSE) players. Studies have shown that small businesses are easy targets of cyberattacks as these firms lack the resources that larger companies have to invest in cybersecurity. Threat actors also target SMEs that have partnerships with larger corporations to gain easier access points to carry out security breaches.
However, with investors increasingly considering robust cybersecurity as a core component of environment, social and governance (ESG) frameworks — given the ability of cyberattacks to affect the value of companies and, ultimately, the stability of societies — this could pave the way for building a more cybersecure O&G and OGSE industry globally, including in Malaysia.
On the national front, Malaysia has made significant progress in tackling cybersecurity issues with strong international alliances and by putting in place a national cybersecurity strategy. According to the ITU Global Cybersecurity Index 2020, Malaysia is ranked fifth globally and second in Asia-Pacific, trailing both South Korea and Singapore, which are tied for first position. However, there is still room for improvement in the ecosystem, cooperation with the industry to build awareness and capability, the streamlining of responsibilities and coordination among agencies, as well as the need to enhance existing laws to address the ever-changing landscape of cyberspace.
In terms of efforts in the O&G private sector, Petroliam Nasional Bhd has made huge investments and operationalised many cybersecurity initiatives and awareness campaigns such as the Human Firewall Campaign, which attempts to improve cyber awareness and inculcate a sense of responsibility surrounding cybersecurity risks. However, there seems to be limited indication that others in the O&G supply chain prioritise cybersecurity in their operations, showing that there are areas that need improvement.
The O&G industry involves an integrated and complex upstream and downstream supply chain, which could result in a ripple effect if or when vulnerabilities in cyberspace occur. In the World Economic Forum’s 2021 white paper Cyber Resilience in the Oil and Gas Industry: Playbook for Boards and Corporate Officers, the criticality of accessing and evaluating third parties as part of cyber risk management was laid out. Organisations carry out an end-to-end evaluation of their supply and value chains to identify blind spots and high risks associated with cyber threats.
Third-party expansions bring major cyber and operational risks, such as the mishandling of confidential information, inability to meet corporate operational and compliance objectives, and a lack of effective cybersecurity safeguards. The paper suggested critical questions to reflect on — for example: do the third parties have logical and physical access to critical IT systems, operational technology (OT) systems or sensitive information?
While some may assume that the responsibility for the protection of the O&G sector rests with the government, the private sector plays a critical role in the planning and execution of practical and meaningful cybersecurity measures using emerging technologies such as blockchain technology. Used in emerging cryptocurrencies, blockchain technology is increasingly seen as another measure to mitigate cybersecurity threats. It is also important to investigate asset ownership when it comes to partnerships, to make sure appropriate cybersecurity frameworks are in place to secure the asset. From the government side, efforts to encourage companies to invest in cybersecurity and play their part in creating a safe, secure digital ecosystem were laid out in the Malaysia Digital Economy Blueprint, launched in 2021.
Considering the industry’s readiness, or lack thereof, awareness and empowerment of the industry to embrace cybersecurity is critical. Focus should be placed on the need for adequate cybersecurity training, awareness among employees to increase the understanding of risk mitigation, how to reduce exposure, cloud security awareness and OT/IT vulnerabilities that could lead to cyber incidents. Other solutions include retiring ageing systems, deployment of the most effective security technologies, expertise to manage cyber threats and the sharing of threat intelligence with industry peers such as the Singapore-based OT Cybersecurity Information Sharing and Analysis Centre.
Cyberattacks usually target company systems, company data as well as customer and employee data, leading to fraud and unauthorised transactions, among others, which would impact the company’s reputation. While cyberattacks may merely inflict inconvenience at times, they frequently have serious implications, including severe financial impacts, privacy and security vulnerabilities through data leaks and destroyed systems, threats to state sovereignty and may even cost lives.
The O&G industry in Malaysia should increase cybersecurity efforts to mitigate these issues and to prepare for ESG and sustainability reporting in this space. Further, O&G companies must make sure cyber risk mitigation progress occurs at the same pace as technology adoption and innovation, continuously improving cyber resiliency as well as evaluating new and existing risks. While there can be a tendency to downplay cybersecurity, it is important to be reminded that the cyber threat is very real. No one, no organisation and no state is free from cyber risk — it would be naïve to pretend otherwise.
Dr Moonyati Yatid is the senior manager of corporate strategy and research at Malaysia Petroleum Resources Corp