Oil & Gas Regulation complexities
Oil and gas firms face formidable cyber security risks and privacy concerns. Their importance to the global economy makes them a prime target for hackers and other malicious actors.
Moreover, the design of drilling facilities has become enormously complex, with industrial control systems and Internet-enabled systems intersecting. That gives rise to many more possible attack points that must be secured and monitored at all times.
Oil and gas facilities are governed by numerous national security regulations because they qualify as critical infrastructure.
Under the Pipeline Security Guidelines, developed and managed by the Transportation Security Administration (TSA), oil & gas concerns must inventory their operational technologies (defined as systems that control and monitor physical equipment). All cyber-enabled automated control systems are deemed critical infrastructure by the Department of Homeland Security, and therefore should implement the NIST Cybersecurity Framework for Critical Infrastructure.
As employers, oil and gas companies also have all the usual regulatory obligations around personal data (HIPAA, Gramm-Leach-Bliley, GDPR), plus security risks to corporate financial and operational data not related to pipeline operations.
Compliance Objective
Both the pipeline industry guidelines and the NIST critical infrastructure guidance include steps such as risk assessment, response planning, mitigation, training, and protective technology to keep critical assets as far from threats as possible.
For security officers building a compliance strategy, those obligations translate into several practical steps that a compliance management system will need to deliver. Among them:
Inventory all the systems that control physical assets, and their connectivity to the rest of the IT infrastructure.
Identify security gaps they must fill to meet regulatory requirements.
Monitor usage of IT services to detect whether new third parties are on the network.
Assess the starting security posture of their own systems and any third parties they use.
Establish mitigation steps that might be necessary, and assign them to control owners.
Conduct any new risk assessments that might be necessary as new regulations emerge.