Cyber Risk to Help Shape Industry Trends in 2014




Rigzone Staff, 12/18/2013
URL: http://www.rigzone.com/news/oil_gas/a/130621/cyber_risk_to_help_shape_industry_trends_in_2014

The oil and gas industry's increasing reliance on third-party vendor materials, products and services means it will need to employ greater cyber risk management practices to protect its businesses from would-be hackers.

The need for greater cyber risk management in the oil and gas industry technology supply chain is one of six trends anticipated to impact the global oil and gas industry in 2014, according to a recent report by McLean, Virginia-based management consulting, technology and engineering services firm Booz Allen Hamilton.

The global upstream and downstream industries face the challenge of managing cyberthreats in the technology supply chain. While oil and gas companies recognize that they can more efficiently operate their business using networked infrastructures, the industry is only now coming to terms with the cyber risk management challenges created by a more open network and increased reliance on the technology supply chain, Booz Allen Hamilton noted in a recent report.

Oil and gas companies face the threat of cyberattacks anywhere technology has intelligent components (hardware and software) that are inserted into the production operations of the supply chain, Emil Trombetti, senior vice president with Booz Allen, told Rigzone in a statement.

While it's difficult to guarantee that third-party vendors will provide bullet-proof solutions to protect critical business assets, there are several strategies that offer assurance that due diligence is being done, said Emil Trombetti, senior vice president with Booz Allen, in a statement to Rigzone. For example, third-party liability for damages incurred if their products are used in a cyberattack, or data breach situation, require that vendor products adhere to cybersecurity industry standards. Having requirements to inform customers as soon as possible if any security concerns are found with their products and requirements to provide timely fixes for these issues is another strategy to ensure due diligence.

The industry will also need to take a more customized approach to cyber risk management. All oil and gas companies face the risk of a cyberattack and only so much can be done to eliminate this threat. Instead, companies should develop comprehensive security risk management plans that meet specific circumstances of high-risk environments, such as ventures into new geographic locations, markets and products.

In terms of standard cyber risk management, you always have to address not only technology, but also the process and people aspects of risk management, said Trombetti. In terms of customized risk management strategies, these differ in many ways and reflect the different aspects of a business.

Trombetti noted that cyber risk management must be an integrated component of a corporate risk management strategy that addresses key business processes and assets. A good example would be a risk management strategy for an oil pipeline.
These are hard assets that the oil flows through, but there are also cyber assets that control and monitor that oil flow. A risk management strategy for that key business process would include both the hard assets and cyber assets because they are all part of the business process.

The third trend identified by Booz Allen is that future competitive advantage of oil and gas companies will depend upon technological innovation. In the past, companies did not innovate beyond what was needed to ensure the reasonably successful production of oil and gas. However, Booz Allen reported it has seen a shift in the industry's point of view towards technology as a new frontier for competitive advantage.

As part of this shift, oil and gas companies are integrating mobility, cloud computing and knowledge management into their current work processes to improve operations. But companies are finding they need to implement another layer of security into their operations to protect the research and development that goes into creating intellectual property.

Companies need to make sure that they set up collaborative environments and that they address the security aspects of such an environment, Trombetti commented. This can be difficult as the desire for easy and efficient methods to collaborate and share data must be balanced with the control of how information is transmitted and stored. Booz Allen recommends using a consistent reference model to set up these environments and monitor usage.

Booz Allen anticipates that the oil and gas industry's efforts to find the right balance between regulation and strong cyber risk management will become more challenging in 2014. While regulations will help, they apply a one-size-fits-all method to security that does not take into account each company's unique vulnerabilities in its specific business processes, or attack surface. Often there are competing priorities between addressing what is required by regulation or what is genuinely needed at the time to effectively protect the company's systems from cyber intrusions, Booz Allen Hamilton said.

In the United States, the North American Electric Reliability Corporation's critical infrastructure protection security controls issued by the Industrial Control Systems Cyber Emergency Response Team, which operates under the jurisdiction of the Department of Homeland Security. Sen. Jay Rockefeller (D-W.Va.) has also introduced the Cybersecurity Act of 2013 that calls for the National Institute of Standards and Technology (NIST) to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure. The NIST Framework is currently in development with an anticipated release in February of next year.

Trombetti sees the intent behind NIST as good, pointing to the real need of public-private partnership in sharing data on cybersecurity issues. The sharing of data will lead to the more effective handling of cyberthreats not only for national security purposes but also aid private firms in preparing for evolving threats.

To effectively manage cyber risk, oil and gas companies must keep up with the constantly changing regulatory environment. Just as energy companies achieve compliance under current regulations, new regulations are developed. Oil and gas companies must balance a host of issues, such as compliance with environmental regulations, while balancing geopolitical issues that can have a material impact on the bottom line, Booz Allen noted.

The oil and gas industry's aging workforce and shrinking pool of specialized workers are creating unique risk management, infrastructure and human resources challenges for the industry. The aging workforce's impact on the oil and gas industry's cybersecurity risk is the fifth trend identified by Booz Allen.

Many of the workers expected to retire from the oil and gas industry over the next few years work on specialized control systems that, in many cases, are not standard and depend on experience in working with them; the risk of cyber issues grows as less experienced workers replace more experienced ones, Trombetti told Rigzone.

Booz Allen Hamilton also anticipates that data will continue to create differentiators among oil and gas companies. The industry is seeing an explosion in the amount and types of data generated from its operations, but companies must address the challenges that accompany the increase in data volume to take advantage of business opportunities.

Industry leaders must determine how to analyze and present their data in a way that allows the firm to create action, both in terms of driving business strategies and in understanding anomalies associated with their critical assets, according to Booz Allen Hamilton.

The surge in data volume coming from oil and gas operations and the decline in data storage costs mean that oil and gas companies are capturing and storing more data on field devices that include not only typical IT servers but also programmable logic controllers.

What concerns me with Big Data is that multiple copies of important data could end up being stored in different places. Multiple copies raises the issue of whether a company really has control over all its critical data.

Cyber risk management now presents a board-level risk that all companies involved in oil and gas production must address. Booz Allen Hamilton cited an ABI Research study that forecasts that cyberattacks against oil and gas infrastructure will cost oil and gas companies $1.87 billion by 2018.

Oil and gas and other industrials in general are making progress in addressing cybersecurity risks. The fact that the whole world is becoming more automated and that cyber risk is now a board-level topic has really exposed the risks of the automated world to senior leaders at oil and gas companies, Trombetti told Rigzone.

As a result, oil and gas companies are not only increasing their investment in technologies to address cybersecurity issues to prevent penetration and protect data, but also increasing their investment in educating their workers on identifying possible cybersecurity threats, including targeted social engineering attacks on individuals such as phishing and spear phishing.

In the old days of security, companies would utilize a perimeter prevention strategy, keeping all their assets behind firewalls and trying to keep cyberattackers out. However, companies have had to change their approach as cyberattackers resort to gaining credentials for authorized users so they can work covertly within a network to gain what we call command and control, Trombetti noted.

While it's great to put giant locks on a network, it doesn't prevent cyberattackers from using social engineering and email to gain entry to a company's network. People are always willing to help, Trombetti commented. If people believe you're authorized they'll share information, even in telephone calls.

Trombetti notes that phishing through emails and phone calls presents the largest problems for security professionals, and is one of the easiest ways for hackers to gain entry into a company's network. To address what Trombetti calls "the weakest link", oil and gas companies are doing more around security awareness and exercises such as simulated phishing attacks to educate employees.

Trombetti said he's seen a number of attacks on oil and gas companies coming from the United States as well as overseas, but noted it's hard to determine whether U.S.-based attacks are being launched by U.S.-based hackers or hackers who are using U.S.-based servers as the first point of entry.

In Trombetti's view, hackers targeting oil and gas companies are primarily interested in intellectual capital or information of a competitive nature such as seismic or land leasing information, versus trying to cause physical damage such as taking down a platform or causing a refinery explosion. Information on U.S. shale plays represents part of the data targeted by cyberattackers, especially as the U.S. shale play space has become more competitive, Trombetti noted.

While the entire oil and gas industry faces risks from cyberattacks, upstream presents the most lucrative part of the industry for hackers.

From an intellectual capital standpoint, upstream is where the money is to be made, Trombetti commented. While the midstream and downstream oil and gas sectors have their issues, upstream presents the greatest concern for cyberattacks.

Technology can be very effective in mitigating the risks of cyberattacks, but cybersecurity is not a technology issue. Instead, Trombetti cites the effective use of technology as the most critical factor in effective cyber risk management.

The people using many of the technologies deployed are not experts in many cases. While technologies such as sensors can detect significant amounts of data, it's up to employees to be able to find golden nuggets in data to identify anomalies.

The real key for the industry going forward is having an educated workforce that can understand how to use innovative tools that can detect external attempts of penetrations and unusual activity within a corporate network, Trombetti commented. This is what will make or break a security program's effectiveness.

While joint ventures and joint industry projects are becoming more common within the oil and gas industry and are necessary for development of technology, in some cases it's important for companies to understand their critical data and how to provide partners access to data. While it's important to provide data to allow partners to effectively meet joint venture objectives, companies also must know when to limit access as well, Trombetti said.

Trombetti believes the oil and gas industry can take lessons on cyber risk management from the financial services industry and its proactive intelligence approach versus reactive incident management for cyberattacks. This proactive approach includes gathering information from different sources, including what is being discussed on the Internet, and looking for indications that a threat is coming or that some of a company's data is being passed around. These types of capabilities will be needed by the oil and gas industry to get out in front of threats and prevent incidents, Trombetti noted.