Cyber Risk to Help Shape Industry Trends in 2014
Rigzone Staff
12/18/2013
URL: http://www.rigzone.com/news/oil_gas/a/130621/cyber_risk_to_help_shape_industry_trends_in_2014

The oil and gas industry's increasing reliance on third-party vendor materials, products and services means it will need to employ greater cyber risk management practices to protect their businesses from would-be hackers.

The need for greater cyber risk management in the oil and gas industry technology supply chain is one of six trends anticipated to impact the global oil and gas industry in 2014, according to a recent report by McLean, Virginia-based management consulting, technology and engineering services firm Booz Allen Hamilton.

The global upstream and downstream industries face the challenge of managing cyberthreats in the technology supply chain. While oil and gas companies recognize that they can more efficiently operate their business using networked infrastructures, the industry is only now coming to terms with the cyber risk management challenges created by a more open network and increased reliance on the technology supply chain, Booz Allen Hamilton noted in a recent report.
Oil and gas companies face the threat of cyberattacks anywhere technology has intelligent components (hardware and software) that are inserted into the production operations of the supply chain, Emil Trombetti, senior vice president with Booz Allen, told Rigzone in a statement.

While it's difficult to guarantee that third-party vendors will provide bullet-proof solutions to protect critical business assets, there are several strategies that offer assurance that due diligence is being done, said Emil Trombetti, senior vice president with Booz Allen, in a statement to Rigzone. For example, third-party liability for damages incurred if their products are used in a cyberattack, or data breach situation, require that vendor products adhere to cybersecurity industry standards. Having requirements to inform customers as soon as possible if any security concerns are found with their products and requirements to provide timely fixes for these issues is another strategy to ensure due diligence.

The industry will also need to take a more customized approach to cyber risk management. All oil and gas companies face the risk of a cyberattack and only so much can be done to eliminate this threat. Instead, companies should develop comprehensive security risk management plans that meet specific circumstances of high-risk environments, such as ventures into new geographic locations, markets and products.

In terms of standard cyber risk management, you always have to address not only technology, but also the process and people aspects of risk management, said Trombetti. In terms of customized risk management strategies, these differ in many ways and reflect the different aspects of a business.

Trombetti noted that cyber risk management must be an integrated component of a corporate risk management strategy that addresses key business processes and assets. A good example would be a risk management strategy for an oil pipeline.
These are hard assets that the oil flows through, but there are also cyber assets that control and monitor that oil flow. A risk management strategy for that key business process would include both the hard assets and cyber assets because they are all part of the business process.

The third trend identified by Booz Allen is that future competitive advantage of oil and gas companies will depend upon technological innovation. In the past, companies did not innovate beyond what was needed to ensure the reasonably successful production of oil and gas. However, Booz Allen reported it has seen a shift in the industry's point of view towards technology as a new frontier for competitive advantage.

As part of this shift, oil and gas companies are integrating mobility, cloud computing and knowledge management into their current work processes to improve operations. But companies are finding they need to implement another layer of security into their operations to protect the research and development that goes into creating intellectual property.

Companies need to make sure that they set up collaborative environments and that they address the security aspects of such an environment, Trombetti commented. This can be difficult as the desire for easy and efficient methods to collaborate and share data must be balanced with the control of how information is transmitted and stored. Booz Allen recommends using a consistent reference model to set up these environments and monitor usage.

Booz Allen anticipates that the oil and gas industry's efforts to find the right balance between regulation and strong cyber risk management will become more challenging in
2014.

While regulations will help, they apply a one-size-fits-all method to security that does not take into account each company's unique vulnerabilities in its specific business processes, or attack surface. Often there are competing priorities between addressing what is required by regulation or what is genuinely needed at the time to effectively protect the company's systems from cyber intrusions, Booz Allen Hamilton said.

In the United States, the North American Electric Reliability Corporation's critical infrastructure protection security controls issued by the Industrial Control Systems Cyber Emergency Response Team, which operates under the jurisdiction of the Department of Homeland Security. Sen. Jay Rockefeller (D-W.Va.) has also introduced the Cybersecurity Act of 2013 that calls for the National Institute of Standards and Technology (NIST) to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure. The NIST Framework is currently in development with an anticipated release in February of next year.

Trombetti sees the intent behind NIST as good, pointing to the real need of public-private partnership in sharing data on cybersecurity issues. The sharing of data will lead to the more effective handling of cyberthreats not only for national security purposes but also aid private firms in preparing for evolving threats.

To effectively manage cyber risk, oil and gas companies must keep up with the constantly changing regulatory environment. Just as energy companies achieve compliance under current regulations, new regulations are developed. Oil and gas companies must balance a host of issues, such as compliance with environmental regulations, while balancing geopolitical issues that can have a material impact on the bottom line, Booz Allen noted.
The oil and gas industry's aging workforce and shrinking pool of specialized workers is creating unique risk management, infrastructure and human resources challenges for the oil and gas industry. The aging workforce's impact on the oil and gas industry's cybersecurity risk is the fifth trend identified by Booz Allen.

Many of the workers expected to retire from the oil and gas industry over the next few years work on specialized control systems that, in many cases, are not standard and depend on experience in working with them; the risk of cyber issues grows as less experienced workers replace more experienced ones, Trombetti told Rigzone.

Booz Allen Hamilton also anticipates that data will continue to create differentiators among oil and gas companies. The industry is seeing an explosion in the amount and types of data generated from their operations, but companies must address the challenges that accompany the increase in data volume to take advantage of business opportunities.

Industry leaders must determine how to analyze and present their data in a way that allows the firm to create action, both in terms of driving business strategies and in understanding anomalies associated with their critical assets, according to Booz Allen Hamilton.

The surge in data volume coming from oil and gas operations and decline in data storage costs means that oil and gas companies are capturing and storing more data on field devices that not only include typical IT servers, but programmable logic controllers.
What concerns me with Big Data is that multiple copies of important data could end up being stored in different places. Multiple copies raise the issue of whether a company really has control over all its critical data.

Cyber risk management now presents a board-level risk that all companies involved in oil and gas production must address. Booz Allen Hamilton cited an ABI Research study that forecasts that cyberattacks against oil and gas infrastructure will cost oil and gas companies $1.87 billion by 2018.

Oil and gas and other industrials in general are making progress in addressing cybersecurity risks. The fact that the whole world is becoming more automated and that cyber risk is now a board-level topic has really exposed the risks of the automated world to senior leaders at oil and gas companies, Trombetti told Rigzone.

As a result, oil and gas companies are not only increasing their investment in technologies to address cybersecurity issues to prevent penetration and protect data, but also increasing their investment in educating their workers on identifying possible cybersecurity threats, including targeted social engineering attacks on individuals such as phishing and spear phishing.

In the old days of security, companies would utilize a perimeter prevention strategy, keeping all its assets behind firewalls and trying to keep cyberattackers out. However, companies have had to change their approach as cyberattackers resort to gaining credentials for authorized users so they can work covertly within a network to gain what we call command and control, Trombetti noted.

While it's great to put giant locks on a network, it doesn't prevent cyberattackers from using social engineering and email to gain entry to a company's network.

People are always willing to help, Trombetti commented. If people believe you're authorized they'll share information, even in telephone calls.
Trombetti notes that phishing through emails and phone calls presents the largest problems for security professionals, and is one of the easiest ways for hackers to gain entry into a company's network. To address what Trombetti calls "the weakest link", oil and gas companies are doing more around security awareness and exercises such as simulated phishing attacks to educate employees.

Trombetti said he's seen a number of attacks on oil and gas companies coming from the United States as well as overseas, but noted it's hard to determine whether U.S.-based attacks are being launched by U.S.-based hackers or hackers who are using U.S.-based servers as the first point of entry.

In Trombetti's view, hackers targeting oil and gas companies are primarily interested in intellectual capital or information of a competitive nature such as seismic or land leasing information, versus trying to cause physical damage such as taking down a platform or causing a refinery explosion.

Information on U.S. shale plays represents part of the data targeted by cyberattackers, especially as the U.S. shale play space has become more competitive, Trombetti noted. While the entire oil and gas industry faces risks from cyberattacks, upstream presents the most lucrative part of the industry for hackers.
From an intellectual capital standpoint, upstream is where the money is to be made, Trombetti commented. While the midstream and downstream oil and gas sectors have their issues, upstream presents the greatest concern for cyberattacks.

Technology can be very effective in mitigating the risks of cyberattacks, but cybersecurity is not a technology issue. Instead, Trombetti cites the effective use of technology as the most critical factor in effective cyber risk management. The people using many of the technologies deployed are not experts in many cases. While technologies such as sensors can detect significant amounts of data, it's up to employees to be able to find golden nuggets in data to identify anomalies.

The real key for the industry going forward is having an educated workforce that can understand how to use innovative tools that can detect external attempts of penetrations and unusual activity within a corporate network, Trombetti commented. This is what will make or break a security program's effectiveness.

While joint ventures and joint industry projects are becoming more common within the oil and gas industry and are necessary for development of technology, in some cases it's important for companies to understand their critical data and how to provide partners access to data.

While it's important to provide data to allow partners to effectively meet joint venture objectives, companies also must know when to limit access as well, Trombetti said.

Trombetti believes the oil and gas industry can take lessons on cyber risk management from the financial services industry and its proactive intelligence approach versus reactive incident management for cyberattacks. This proactive approach includes gathering information from different sources, including what is being discussed on the Internet, and looking for indications that a threat is coming or that some of a company's data is being passed around.
These types of capabilities will be needed by the oil and gas industry to get out in front of threats and prevent incidents, Trombetti noted.