How cyber security fears are driving R&D in the oil and gas sector

  • By Brendan Rorrison
    • Jun 06, 2024

Earlier this year the Financial Times reported that cyber attacks on the energy sector, including oil and gas, are becoming much more common. Cyber security experts Security Intelligence have described the sector as “easy prey” thanks to its reliance on legacy Operational Technology (OT). OT refers to hardware and software systems that are used for monitoring and controlling industrial processes and can be found in oil refineries, pipelines, drilling rigs and other essential areas for oil and gas (O&G) processing and refinement. The issue is that these systems weren’t designed with modern cybersecurity threats in mind, which makes them vulnerable to attacks.

And a major attack being successful isn’t unprecedented – high-profile incidents include the Colonial Pipeline shutdown, which was caused by a ransomware attack in 2021, and Saudi Aramco’s hacker data leak, which happened in the same year.

With the IMF reporting that the risk of extreme losses from cyber attacks is rising, it is more important than ever that companies ensure that they are doing everything they can to invest in developing their cybersecurity provision.


With the risk of an attack on energy companies being so high, we’ve looked at what’s driving the need for cyber security innovation within O&G. We also explore potential areas of research and development for this crucial sector.

Drivers for cyber security R&D in oil and gas

IBM’s X-Force Threat Intelligence Index 2024 highlights energy companies’ enormous cyber security challenges. Energy is the fourth most targeted industry worldwide, and Europe is the region most affected by these attacks. Worryingly, it’s the UK that’s the most targeted European country. IBM’s research also reveals that malware and ransomware are the most likely attack methods, with hackers often gaining access by exploiting public-facing applications and using real accounts to log in.

It’s no surprise that the UK is such an attractive target. It’s the base of several multinational O&G companies, such as BP and Chevron. If these were attacked, it could have a global impact. 

Furthermore, as O&G is an essential service in the UK, any threat to an individual company could have a knock-on effect on the rest of the UK’s economy. As such, O&G companies are subject to the government’s NIS regulations, making a high level of cyber resilience mandatory. As part of these regulations, O&G operators must take measures to ensure the security of their networks and information systems, and they must also report any incidents to regulators.

The regulations are meant to boost the energy industry’s ability to prevent and mitigate against cyber attacks – but they also act as a catalyst for R&D as new innovations are needed to meet the potential threats.

Opportunities for cyber security R&D in oil and gas

One of the biggest issues facing the O&G sector is its reliance on legacy Operational Technology (OT). Developing better ways of integrating IT and OT, making sure that these systems are fit for modern security requirements, is a clear area for innovation within the whole energy sector. This work might typically involve researching and identifying vulnerabilities in legacy systems and then creating modern security enhancements that can be retrofitted for use on older OT.

Another key area for R&D advancement is in monitoring, detecting and reporting. Any form of threat intelligence and detection will be beneficial, as the earlier an attack is caught, the better the chance of mitigating the impact of any breaches. As reporting attacks is mandatory for the O&G sector, more sophisticated threat intelligence and detection methods, such as using artificial intelligence to spot anomalous activity, are an important area of ongoing development.

The O&G sector is a likely target for state-sponsored terrorism, making highly sophisticated attacks also a real concern. One of the most troubling scenarios would be a hack powered by quantum computing. Recent advances in quantum computing – where the potential of quantum mechanics can be used to drive exponentially faster computing power – present a profound and increasingly real threat to the cyber security of essential services. The fear is that these supercomputers could easily break through traditional methods of encryption, rendering current cyber security defences useless. In response, there must be an equally powerful drive to develop quantum encryption, or quantum cryptography, to create unhackable systems to protect vital data.

As O&G companies, especially larger companies, have significant resources to invest in R&D for the future, they can play a leading role in helping to advance our whole nation’s cyber security.

R&D Tax Credits are available for cyber security innovations in the oil and gas sector

If an O&G company is investing in R&D to boost its cyber defences, it’s possible that its work could qualify for an R&D Tax Credit. The credit is a government incentive designed to encourage innovation by supporting companies that are making scientific and technological advances. Projects that seek to improve or create new types of cyber security solutions are very likely to be eligible.

Many O&G companies may not realise that their work is eligible for an R&D credit, potentially because they’ve subcontracted the work to a cyber security specialist consultant – but even subcontracted work may still be eligible for claiming a benefit from HMRC.

How Leyton can help

At Leyton, we have dedicated industry specialists with years of experience within oil and gas, software and cyber security R&D.

Their knowledge can help to assess your innovations, identifying eligible projects and activities that qualify for R&D Tax Credits. Most businesses underestimate how much they can claim.

Our tax experts are fully versed in the latest tax relief legislation, regularly consulting with HMRC, ensuring that claims are compliant and that you’re able to claim for all of your eligible work.

Has your company been delivering innovations in cyber security? Speak to one of our consultants to find out how we can support your R&D efforts.

Author

Brendan Rorrison

Principal Technical Consultant
