The oil and gas industry’s need to prepare for cyberattacks will not abate in 2015 as attacks continue to grow in number and sophistication.
Over the past 30 years, the oil and gas sector has been the target of well-known cyberattacks. One of the most famous was launched against Saudi Aramco in 2012 by the terrorist organization, Cutting Sword of Justice. The group launched the attack to stop oil and gas production in Saudi Arabia’s largest exporter within the Organization of the Petroleum Exporting Countries (OPEC), according to a white paper by Lockheed Martin Corporation.
The attack crippled 30,000 computers and disrupted Saudi Aramco for months.
“The attack on Saudi Aramco ultimately failed to disrupt production, but was one of the most destructive cybersecurity strikes against a single business,” according to Lockheed Martin. “More importantly, this attack echoed the need for oil and gas companies to evaluate the importance of a cyberthreat landscape with regard to attacks and uncovered vulnerabilities.”
Another recent example of cybersecurity threats facing the oil and gas industry is the attack on Mexico’s state energy company Petroleos Mexicanos (Pemex) by Iran-backed cyberattackers, Bloomberg reported Dec. 2. Hackers working for Iran have targeted at least 50 companies and government organizations, including commercial airlines, looking for vulnerabilities that could be used in physical attacks, Bloomberg quoted cybersecurity firm Cylance Inc. as saying.
Estimates vary, but the number of cyberattacks is on the rise. Lockheed Martin quoted reports by Symantec, which reported a 91 percent increase in targeted attack campaigns in 2013. This includes a 62 percent rise in the number of breaches. In the United States alone, IBM reported an estimated 1.5 million monitored cyberattacks occurred in 2013, a 12 percent year-to-year increase in security events.
Last year, McLean, Virginia-based consulting firm Booz Allen Hamilton outlined the cybersecurity trends it anticipated would shape the oil and gas industry in 2014. The firm has released an update on what kind of cybersecurity trends would impact the industry in 2015.
The trends for 2015 include:
- The energy sector is the greatest target for cyber threats, experts agree
- Regulatory balancing act will become more difficult
- Reputation is now part of the risk model
- Health, safety and environment gets predictive
- Capital investments also get predictive
- Retirement of older workers
- Data creates opportunities, challenges
- Risk management must move from backroom to boardroom
Rigzone spoke with Steve Senterfit, head of Booz Allen Hamilton’s commercial energy business, about what to expect in 2015. The firm followed a similar process last year, but has expanded its list this year based upon the growth and dynamics that Booz Allen Hamilton has been following in the market, Senterfit told Rigzone.
Rigzone: Over the past year, have you seen more energy companies moving beyond putting up electronic barriers to protect their IP [intellectual property], supply chain, operations and networks and build a more proactive capacity? If not, why do you think companies are reluctant to do so?
Senterfit: Yes, most definitely. A change in approach, and realization that while you may have a secure perimeter, it doesn’t stop or mitigate risk against an advanced persistent threat, or the inside challenge. We’re seeing a strategy around mobile device security, data loss prevention (DLP), data classification and creation of different types of “confidential”, “secure” and “secret” type networks based on what type of IP is involved. DLP systems are being increasingly deployed, and married with a solid defense in-depth architecture.
Rigzone: Given the recent decline in oil prices, project cost overruns and softening of rig market, do you think companies might pull back from spending in this area? Will it take spending to get the industry where it needs to be?
Senterfit: With this downturn, it is critical that oil and gas companies leverage predictive and pro-active risk analytics on their capital investment planning to reduce risk exposure. Enterprises are going to be reviewing their investments with increased scrutiny for which ones have the greatest impact on the top and bottom line. With data driving how oil and gas companies make these decisions, now more than ever that data needs to be protected. With ISC-Cert indicating that energy companies are the most targeted for cyberattacks, oil and gas companies will need to continue to invest in cyber and data protections in addition to their risk analytics for capital investments.
Rigzone: In terms of assessing the security of third-party vendors and protecting assets, will this trend increase in 2015? I’m assuming this has to do with oil and gas companies expanding operations into emerging areas and working with new companies. Is this primarily an issue for overseas operations, or is this an issue companies also face working in the United States?
Senterfit: Joint ventures in new territories with new partners bring an unprecedented amount of risk from a cyber, physical and operational perspective. We’ve seen how subcontractors can introduce cyber threats into a large corporation through unconventional means. We also know that the supply chain and the extended enterprise of some of the large operators are the subject of cyberattacks, with disruptions due to one or more of their third-party impacted. Proactive and predictive analysis of the supply chain and third-parties is a key element of an integrated risk approach.
[In some cases], the operator may not be the target of a cyberattack or labor issues. It might be one of their key suppliers and even if the contract has terms protecting the operator it does not solve the operational issues that may occur. As company’s team or join with regional partners, the question around physical and cyber security, classification of data and protection of IP becomes even more important as we become electronically attached to companies from different nation states. This is also not isolated to international/overseas operations. International companies are entering the U.S. market and the entire supply chain and third-party vendors have access and monitor for risk.
Rigzone: In terms of crisis management plans, do you see more oil and gas companies including cybersecurity in these plans? Is this something that’s still lacking in terms of the number of companies or the types of plans? Should oil and gas companies seek outside help in designing these plans, or are existing practices they’ve used in the past enough?
Senterfit: Actually the reverse, to a certain extent, many organizations are working to put in place contingency plans for an inevitable cyber security attack or compromise, and so we’re seeing the traditional incident response evolve into a complex set of response activities and preparedness plans involving legal, marketing and PR teams, regulatory and compliance, and cyber indecent response teams, but more importantly led, coordinated and managed by an overall incident commander. We’re helping our clients to design comprehensive incident response plans that go way beyond the typical cyber aspects. These plans are integrated into the companies’ business continuity and crisis management plans. We’re also helping some of the more advanced companies to implement real-time sentiment monitoring tools to measure the effectiveness of those plans during an incident or crisis.
Rigzone: Do you see more cooperation coming in 2015 in the oil and gas industry on lessons learned or strategies for dealing with cybersecurity?
Senterfit: In 2014 we saw the creation of the ONG-ISAC, (the Oil and Natural Gas Information Sharing and Analysis Center). It’s in the process of becoming operational with a view to cross company collaboration sharing of cyber security threat intelligence, including specific industry threats, directed campaigns and attribution information. The ONG-ISAC is a not for profit organization and is specifically being set up with the tools and staff to assess, share and action that cyber intelligence, and provide solid information about dealing with those threats back into the community. Many of the Critical Infrastructure sectors have established ISACs with Financial Services probably the most mature.
Rigzone: In terms of the risk model and reputation bullet, is this something that is more applicable to utilities? Do you think the oil and gas industry could benefit from further exploration of the ecosystem of customers, investors, communities and competition?
Senterfit: No, the oil and gas industry is likely to benefit the most from this trend and we are seeing a lot more interest across the sector. We have seen indications that utilities rate case increases may include customer satisfaction and reputation to justify the rate case.
The oil and gas companies are now pro-actively looking at reputation, geopolitical, security (digital and physical), marketing communications and the risk associated with these through a holistic risk model. A risk in one area can have a ripple effect from one area to another. A cyber-attack that disrupts a company’s operation could have an impact on their reputation which could then impact shareholder confidence and/or stock price.
Organizations that fully embrace using integrated techniques to provide 360-degree awareness will have more insight into their reputation and be better equipped to respond to events to proactively manage risk across the enterprise.
Rigzone: Do you think the trend of predictive maintenance and capital investments also can be applied to cybersecurity? Can looking at data from the past give oil and gas companies insight into potential cyber threats?
Senterfit: Huge amounts to be gleaned from looking at historic data. We’re finding that most threats have been in the network for some time. The data is there. Being able to parse old logs looking for those indicators of compromise over a long period of time will help in being able to identify those compromises. Additionally, companies need to look at proactive and predictive analytics to monitor threat actors. This combined with analyzing historical data provides great insights.
Rigzone: Are you seeing a shift in discussions of risk management from the backroom to the boardroom? If it’s not already occurring, do you see this happening in 2015? What could derail this from happening? Why do you think these discussions historically have been kept to the backroom?
Senterfit: Yes, risk management around reputation, geopolitical, security (cyber and physical) and operational is moving from the backroom to the boardroom. Those risks in total must be fully understood at the CEO and board level because the combination of a failure in one or multiple components could be devastating to a company. Just like HSE moved from backroom to boardroom, we are seeing this same transition with integrated risk. Oil and gas companies have a great culture around HSE. They now need to develop that same culture for cyber, reputation, etc. The right strategic partner can help them get there.