As the federal government and industry players pay more attention to the issue, cyber security problems lurk for the oil and natural gas industry, and greater levels of risk assessment and a "new way of thinking" about information security are needed, according to a global survey released Monday by PricewaterhouseCoopers (PwC).

The results of PwC's "2013 Global State of Information Security," a survey of 9,300 CEOs, CFOs, CIOs and other executives, indicate that the oil and gas industry is "trying to catch up" to known cyber-security problems. More than half (53%) of the respondents said that "known weaknesses and incidents" drive security spending, but fewer than half (47%) address cyber security on an enterprise-wide level.

Some 47% of the executives surveyed indicated their companies had programs addressing "advanced persistent threats," leaving more than half without the programs.

PwC's survey comes within days of the Federal Energy Regulatory Commission (FERC) establishing a unit to address cyber threats to energy infrastructure (see Daily GPI, Sept. 24), and growing reports of the nation's energy infrastructure's vulnerability to cyber attacks (see Daily GPI, Sept. 6). FERC Chairman Jon Wellinghoff recently said he has communicated with the Department of Homeland Security and "any other agency that will listen to us" about the need for improved cybersecurity for energy facilities.

The PwC survey data indicated that a certain amount of industry indifference has continued among top leadership, with nearly half (46%) of the respondents pointing a finger at executives and boards as roadblocks to raising the profile of cyber-security issues. More than a third of the respondents (36%) indicated cyber security was only focused on the implementation phase of projects or on an as-needed basis.

"While 85% of the respondents say protecting customer and employee data is important, far fewer understand what that data entails and where it is stored," PwC said.

PwC concluded that most oil/gas executives think they are "winning" in the constant struggle that characterizes the global state of information security, but PwC doesn't think the current odds favor the industry.

"Given today's elevated threat environment, businesses can no longer afford to play a game of chance," said Gary Loveland, a principal at PwC. "Those keeping score agree that the bad guys appear to be in the lead."

As a result, the PwC survey recommends that oil/gas industry leaders:

Since Congress failed to pass the Cybersecurity Act of 2012 this summer, President Obama was reported earlier this month to be preparing an executive order aimed at protecting critical national infrastructure, including power plants, and natural gas and crude pipelines, from cyber attacks (see Daily GPI, Sept. 13).

PwC survey respondents expressed optimism that there will be more spending on cyber security in the next 12 months, but only about half said that they have a training program in place for employees.

"Effective security requires a new way of thinking," PwC emphasized in summarizing the survey data, which was compiled online Feb. 1-April 15 this year for publication in CIO and CSO Magazines. "The very survival of the business demands that security leaders understand, prepare for, and quickly respond to security threats."

©Copyright 2012 Intelligence Press Inc. All rights reserved. The preceding news report may not be republished or redistributed, in whole or in part, in any form, without prior written consent of Intelligence Press, Inc.