Cyber security in the Oil and Gas industry has to look a lot like safety. O&G companies have a much better grip on safety than on Cyber. That’s because most companies don’t treat Cyber like they do safety.
Cyber has to be addressed both top down and bottom up. The CEO has to be the driver, and the organization has to instill Cyber security so that it is reflected in the behavior of EVERY employee.
A few key points I’d like to address:
- Cyber cannot be just about firewalls and servers; it also has to be about passwords and personal devices.
- Cyber defense has to consider not only keyboard access but also physical office access.
- The Cyber plan should be comprehensive and codified. If the Cyber defense program is not as voluminous as the safety program, it’s not good enough.
- Just as any employee should have stop-work authority for safety, they should also have it for Cyber defense.
- Companies must know how many devices they have on their systems, the software those devices run, and the current patch/version installed.
- Individuals must know that their devices are equipped with the most recent patch, version and standard.
- The assumption that SCADA systems are separated from enterprise/business systems must be abandoned because it is simply untrue.
- The number of Cyber officers should rival the number of safety officers.
- The number of Cyber defense meetings should mirror the number of monthly and daily tailgate safety meetings.
If Cyber is just a tacked-on thought, a misplaced policy or a disregarded concern, sooner or later there will be a huge loss. Systems will get damaged, productivity shattered and thousands of dollars lost. Cyber must be as culturally embedded and practiced as safety.