Cover: Zora Zhuang, Getty Images. Inside: Getty Images, Unsplash

Contents
Foreword
Executive summary
1 Introduction
2 How to use this playbook
3 Cyber-resilience principles for oil and gas industry boards
4 Implementing the oil and gas principles
5 Conclusion
Appendix A: General cyber-resilience principles for boards
Appendix B: How to operationalize the principles
Appendix C: Taxonomy
Appendix D: Cyber Resilience in Oil and Gas Strategy and Culture Working Group
Contributors
Endnotes

© 2021 World Economic Forum. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

CASE STUDY
Repsol shifts from cybersecurity to cyber resilience

Scenario: Many organizations harbour different cultures with various risk appetite levels, which can be detrimental to implementing company-wide cybersecurity policies and best practices. With the goal of reducing the potential impact of cyberattacks at Repsol, the CISO recognized the need to balance risk appetite levels within business units with stakeholder expectations in order to implement cyber resilience holistically throughout the company.

Using the World Economic Forum's principles for boards while building a trusted relationship with board members, the CISO shifted the company's cybersecurity strategic plan from a technical-solutions approach to a business-resilience and risk-management approach. The board provided support for training and awareness as well as resources dedicated to developing Repsol's cyber resilience further. The CISO was able to provide budget support to other departments for lighthouse projects on cyber resilience.

Key takeaway: By ensuring the CISO had the appropriate resources, the board provided the means to build allies in implementing new cyber policies and practices.

3.4 Principle OG4 - Holistic risk-management approach

The board should ensure that cyber risks are managed and mitigated across the oil and gas ecosystem by providing an adequate mandate, funds, resources and accountability for cyber-resilience programmes and reporting.

Boards acting on cyber resilience should consider the following questions:
- What risks for the organization do internal and external parties pose?
- What financial and personnel resources are adequate to achieve the appropriate holistic cybersecurity risk-management objectives?
- How does the current risk-management approach incorporate cyber risks from the supply chain?
- How does the organization manage unknown cyber risks?

3.5 Principle OG5 - Ecosystem-wide collaboration

The board should encourage and empower its management team to create a culture of collaboration for the effective oversight, monitoring and control of ecosystem-wide risks.

Boards acting on cyber resilience should consider the following questions:
- What cyber-resilience plan of action covers the organization's ecosystem(s)?
- How are the lessons learned from collaboration activities used to strengthen the organization's and ecosystem's cyber-resilience practices, and how are they enabling new opportunities?
- How does the organization engage with cyber-resilience collaboration platforms and action groups?

CASE STUDY
Establishing an ecosystem-wide approach at Suncor

Scenario: Energy company Suncor's dispersed ecosystem relies on different organizations, partnerships and joint ventures throughout its upstream to downstream business. Each brings its own operating environmental norms and diverse approaches to cybersecurity, which can prove challenging when cyber-related incidents occur.

To reduce cyber risk, Suncor launched a pilot initiative aimed at bridging the gap between these different operating environments and connecting the OT upstream and downstream teams together. During the pilot phase, the centralized team is being financed by the IT group to ensure common practices and approaches to cyber risk, a standard infrastructure and consistent asset inventory tools, and aligned processes to continuously monitor the OT environment. Through this centralized team, Suncor can continuously improve the collective cyber-resilience controls and plans between upstream and downstream partner organizations. This methodology balances preparedness and protection while improving monitoring and response capabilities.

Key takeaway: Collaborating and aligning on the adoption of unified approaches and controls improved the monitoring and visibility of the OT environment, reducing the detection and response time of IT/OT software versioning and patching from a few days to minutes.

3.6 Principle OG6 - Ecosystem-wide cyber-resilience plans

The board should encourage management to create, implement, test and improve collective cyber-resilience plans and controls with other members of the ecosystem. These plans should consider preparedness and protection (e.g. defence-in-depth strategies[10]) in conjunction with response and recovery capabilities.

Boards acting on cyber resilience should consider the following questions:
- What activities are included in the cyber-resilience plan? How does it cover the organization's ecosystem(s), including incident response, communications, business continuity and disaster recovery? Is it adequately tested with appropriate regularity?
- Which collaboration platforms should boards and management teams support to advocate for the development of collective resilience plans?
- How do the collective resilience plans reflect and balance preparedness with response and recovery across the ecosystem?

CASE STUDY
Siemens Energy helps secure weak links in the value chain

Scenario: In 2019, Siemens Energy and the Ponemon Institute collaborated on a survey[11] of industry executives and managers at global oil and gas companies to assess the companies' cybersecurity readiness. The results of the survey showed that, across the sector, most organizations have difficulty hiring cybersecurity personnel with the in-depth knowledge of OT-connected energy assets necessary to identify and address cyberattacks before they occur. Additionally, only the largest organizations were able to fully fund research and development in new technologies and procedures that would improve cyber readiness against an expanding attack environment.

Siemens Energy recognized that one way to improve cybersecurity for all oil and gas companies is to ensure small and medium-sized organizations can access advanced AI-based monitoring and detection solutions, which would help strengthen the weaker links against cyberattacks in the digital ecosystem. In 2020, Siemens Energy developed an AI-based, OT-native cybersecurity solution aimed at solving the technical and economic challenges associated with expanding monitoring and security, which all organizations could access.

Key takeaway: By combining interoperable and manufacturer-agnostic AI technologies, and efficiently leveraging OT-native human expertise, small and medium-sized energy companies can gain access to monitoring, detection and cyberattack prevention capabilities - a level of protection previously achieved only in-house at companies with ample budgets.

4 Implementing the oil and gas principles

The cyber-resilience principles for oil and gas industry-specific activities provide cybersecurity practitioners with implementation support. The aim of this guidance is to help corporate officers and managers responsible for cyber resilience to implement these principles and assist board members in exercising their oversight responsibilities.

4.1 Principle OG1 - Cyber-resilience governance

The board should require management to establish a comprehensive cybersecurity governance model. This includes oversight into IT, OT, physical security, health and safety environment, and digital transformation to ensure interoperability within the organization and drive alignment across the ecosystem.

Suggested activities for the implementation of cyber-resilience governance include:
- Build a comprehensive governance model with the capacity to manage and oversee cyber resilience for IT, OT, physical security, health and safety environment, and digital transformation
- Ensure the proper level of authority and command of accountable officers and subject-matter experts, with the experience and resources to fulfil cybersecurity duties
- Provide regular updates in close collaboration with different business unit leaders at an adequate frequency for cyber-resilience strategy implementation and budget
- Promote a cyber-resilience culture by communicating best practices regularly through training and awareness exercises across the organization
- Establish clear, practical and comprehensive cyber-resilience policies, standards and guidelines throughout the organization, including for IT, OT and IoT environments and third-party business suppliers and ecosystem partners.

Suggested metrics can include:
- Percentage of employees who have successfully completed cybersecurity awareness education programmes on cyber-hygiene practices, with a focus on high-risk groups (e.g. board members, C-suite executives, and IT, engineering, human resource and finance personnel)
- Number of cybersecurity collaborative engagements with business units
- Identification of critical actions during cybersecurity and audit reviews, including the completion rate and the number of actions that remain outstanding; this can include actions relating to executive management accountability and responsibility.

CASE STUDY
Cybersecurity as a business enabler

Scenario: In 2020, oil and gas company Eni reorganized and adopted a new organizational model to achieve significant decarbonization goals, with technological innovation and digitalization as the strategic drivers of its transformation process. To facilitate the decarbonization goals through digitalization, Eni initiated a large number of digital transformation projects, all of which present cross-cutting challenges for cybersecurity. Consequently, the company developed a global cybersecurity approach to protect industrial control system (ICS) and information and communications technology (ICT) assets and let the IT/OT convergence happen, while protecting ICS from classic ICT threats and thus enabling the business transformation. Eni takes a risk-based approach to cybersecurity that is centred on its strategic vision and aligned with major corporate strategy drivers. It includes protecting key industrial assets, ensuring compliance readiness, employing performance models to ensure continuous improvement, using a resiliency-first approach to monitoring and a rapid services response to guarantee business continuity, and allowing the business to leverage emerging technologies.

Reporting and communicating with the Eni risk committee is an important part of the maturity model; providing continuous information and inducting new members are also key success factors. Consequently, a renewed reporting policy has been adapted to the new business needs, with an improved set of risk indicators and the inclusion of risks linked to the human factors of cybersecurity.

Key takeaways: By ensuring continuous alignment with the organization's strategy drivers and establishing clear responsibility, Eni guarantees cybersecurity is an enabler by adapting its cyber organization, culture and practices. Metrics to evaluate key outcomes include: more than 10 cybersecurity reports shared with the risk committee, and more than 10 key risk indicators updated quarterly. So far in 2021, almost 40 cyber projects have been aligned with the company strategy, and cybersecurity competencies have been involved in more than 600 ICT, digital, industrial and business activities.

4.2 Principle OG2 - Resilience by design

The board should promote a security-by-design, resilience-by-design culture, and should require its management to implement similar standards and values while documenting progress.

Suggested activities for the implementation of resilience by design include:
- Define cyber-resilience metrics and appropriate incentives for all business units to ensure ownership and commitment to implementing new cyber-resilience requirements in their operations
- Establish a regular cadence of cyber-resilience reporting by the officer accountable for cyber risk and resilience
- Collaborate with business units and risk functions to adapt the cyber-risk posture to business needs
- Establish a cybersecurity awareness programme that is tailored to the needs of each business unit and its unique risks
- Equip personnel with the ability to identify and manage cyber risks
- Ensure cyber resilience, protection, detection and response capabilities are integrated with technical and business activities by design.

Suggested metrics can include:
- Percentage of business unit processes that adopt and integrate cyber-resilience practices by design
- Percentage of employees following cyber-resilience and awareness training (tailored to different levels)
- Percentage of lighthouse projects that serve as a model covering cyber resilience by design
- Average time to detect, respond to and recover from a critical cyber incident leading to a system failure or disruption.

CASE STUDY
Repsol funds lighthouse projects to build allies

Scenario: Under a company-wide digital transformation initiative at Repsol,[12] the company also shaped a new cybersecurity strategy. Its vision focused on integrating resilience into the business design and improving the recovery time after a cyber incident. Instead of focusing only on technical solutions, the new strategy is based on business resilience and risk appetite, and on the World Economic Forum Cyber Resilience in Oil and Gas community's principles for boards.

To this end, the security and business teams collaborated to define resilience metrics and funded lighthouse projects, ensuring resilience was included from the inception phase. When deemed appropriate, the security team sought support from the board to improve training, awareness and resource allocation to deliver value. This collaborative process allowed Repsol to align the needs of the business and security sections and improve cyber-resilience controls.

Key takeaway: Focusing on the business risks resulted in corporate integration and awareness of cybersecurity, while collecting insights and lessons from the World Economic Forum community to adopt a more holistic approach to cyber resilience.

4.3 Principle OG3 - Corporate responsibility for cyber resilience

The board should encourage management to examine cyber risks to the organization and the broader ecosystem, examine the organization's cyber culture and practices, and explore how to manage these risks.