Tackling the cyber threat

 By Peter Ward

The oil and gas industry is a particularly attractive target for cyber criminals. There are more points of entry for an attack and, most importantly, more potential for utter disaster. Peter Ward explains what are the main techniques to keep an energy facility secure, and how security providers are staying ahead of those seeking to hack into critical systems…

The oil and gas industry is a particularly attractive target for cyber criminals. There are more points of entry for an attack, more adversaries looking to cause mayhem, and most importantly, more potential for utter disaster.

If a retail company suffers a cyber breach, customers’ personal details can be compromised, but if hackers breach the systems of an oil and gas installation, the consequences are much more severe.

The number of attacks faced by the energy industry is on the rise, according to a survey by Tripwire. The research revealed that 77% of respondents had seen an increase in successful cyber attacks in the past 12 months. “It’s tempting to believe that this increase in attacks is horizontal across industries, but the data shows that energy organizations are experiencing a disproportionately large increase when compared to other industries,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “At the same time, energy organizations face unique challenges in protecting industrial control systems and SCADA assets.”

It’s not just the number of cyber security attacks that has increased, the sophistication has also risen over time. “Cyber Security threats have rapidly escalated since 2008, when the industry saw the first nation-state attacks. In the those attacks, bid-lease data, seismic markups (crown jewels), and intellectual property were stolen from very large ONG companies,” Richard Byrd, Director – Western US, Canada, Mexico, and LATAM at Lockheed Martin – Commercial Cyber told EniDay. “The attacks have intensified in the years since, due to the geo-political ramifications of natural resources, the propagation of IT/OT Convergence in the field (IoT), and because of specialized intellectual property that has been created in drilling/production segments.”

Imagine by

Another looming danger to the oil and gas industry is the insider threat. Byrd says the sector’s workforce is bi-furcated, with over 50% of the industry within five years of retirement. Retirements, coupled with increased layoffs over the past two years, mean experienced workers are leaving the sector, and with them goes a certain amount of security.

Today’s oil and gas industry is an increasingly technologically complex one. More and more processes are being digitized; data mining and analytical programs are being used more frequently, and sensors are everywhere. This may lead to more efficiency, but it also makes systems more vulnerable to cyber attacks.

What is the best way to guard against such security breaches? Most agree that cybersecurity starts at the top of a company. A report by Boston Consulting Group on the oil and gas industry and cyber attacks highlighted the need to “make cybersecurity a highest priority and an ongoing consideration at the executive level.”

Education is a key form of defense against cyber threats, and oil and gas companies are encouraged to ensure employees know the risks — and where the threats can come from. “The current threat landscape involves all of the threat actors: Nation-states, hactivists, splinter groups, lone actors, and generic malware are all problems,” according to Byrd. “Combine this with the insider threat and you see an industry that must rapidly evolve. Whether it be supply disruption, intellectual theft, financial gain, or reputational damage, ONG companies must understand who they are fighting, what their motives are, the TTP that they employ, and the defenses that must be in place to counter an attack.”

“ONG companies must also learn to harvest their own intelligence instead of relying on feeds from the outside,” he adds. “The best source of attack information comes from their own networks. Without harvesting this information, storing it for historical purposes, and sharing it with the cyber peers, they are doing themselves a great disservice,” he added.

SEE MORE: Fighting back the fire by Michelle Leslie

Oil Sands Blaze Forces 80,000 Canadians to Flee Their Homes

The industry has made moves to counter threats collectively. In 2014, the Oil and Natural Gas Information Sharing and Analysis Center was launched to provide information and guidance to U.S. energy companies. Many governments also have national cybersecurity policies that focus on critical infrastructure. One example is ICS-CERT, which was created to monitor and respond to cyber threats across critical domestic sectors. The NATO Cooperative Cyber Defence Centre of Excellence also looks to enhance global cybersecurity-related capabilities.

But more cooperation is needed, and oil and gas companies should be forced to share details of attacks through regulation, according to Byrd. “There is little regulation that the industry faces relative to other industries. Most regulations that exist are in regards to physical security, Health/Safety/Environmental concerns, and transportation. With that being said, all of these industry drivers can be affected by non-resilient cyber security operations. ONG companies should better align their cyber security with physical security and operational integrity operations,” he says.

The cyber threats facing the oil and gas industry are frightening, and staying ahead of the myriad of potential threats is important not just for business, but also for national security. Through education, vigilance, cooperation and transparency, the impact of cyber security attacks can be minimized.

about the author
Peter Ward
Business and technology reporter based in New York. MA in Business Journalism at Columbia University Journalism School 2013. Five years experience reporting in the U.S., the U.K., and the Middle East.