The collapse in global oil prices has prompted companies across the industry, from operators to contractors, to sharply reduce capital (CAPEX) and operating expenditures. Are these reductions also affecting spending on cybersecurity?
Most industry experts and government authorities, including the Department of Homeland Security (DHS), U.S. Cyber Command and the National Security Agency (NSA), estimate that over 40 percent of the recent cyber-attacks in North America targeted the oil, energy and resources segments. Thus, it would be unwise and inappropriate to compromise some areas of security and safeguards, whether they address workplace safety, environmental impairment, pollution or cybersecurity, Glenn Legge, a partner at Legge, Farrow, Kimmitt, McGrath & Brown LLP, told Rigzone.
The oil and gas industry is exposed to cyberattacks through its use of Big Data, or data sets so large and complex that processing them with on-hand data management tools or traditional data processing applications is difficult. Big Data is managed by supervisory control and data acquisition, or SCADA, systems and industrial control systems, or ICS, according to a November 2014 presentation by Legge. Big Data is utilized throughout the energy sector for analysis, from real-time downhole data sensors that gather information on deepwater rigs, to the remote monitoring of onshore wells, as well as midstream and maritime transportation, refining and petrochemical.
Faced with pressure from shareholders to boost returns and reduce costs, the oil and gas industry is using IT to achieve operational efficiencies. The broad geographic distribution of oil and gas facilities also means that IT must be used to link facilities with headquarters.
Successful cyber-attacks have already affected major power grids, oil pipelines, gas infrastructure and the energy trading markets. Adversaries of oil and energy organizations seek financial gain, competitive advantage, intellectual property, valuable exploration data and the like. These adversaries include sophisticated foreign state-sponsored hackers, corporate cyber-spies and other malicious attackers intent on disrupting, spying and stealing.
“Everything that we do as a society is powered by energy and because of this these critical resources and the companies that control them need to remain vigilant about the cyber threat,” said Legge.
The spending cutbacks are the quickest way for companies not only to reduce margin but also to pacify shareholders and maintain internal financial health. Despite the cuts, Legge said it’s difficult to imagine that a responsible energy company, particularly a publicly traded company, would make significant cuts in the critical areas of health, safety and environment (HSE).
“No matter how much you’re reducing CAPEX, most risk managers believe you have to maintain the fortress around HSE.”
The drop in oil prices and CAPEX reductions are indeed affecting business decisions, including company staffing, at many major oil and energy firms. However, the recent drop in oil prices has zero effect on the significant exposures to cyber-attack that these companies face, said Jeffrey Bernstein, managing director of T&M Protection Resources’ Information Security Advisory Division in New York City, in a statement to Rigzone. T&M, a global provider of security services that focus on the protection of people, property and information, has worked with dozens of oil and energy firms on cyber-security issues.
“Oil and energy companies are among the most profitable and operationally efficient businesses on the planet. Maintaining a heightened cyber security posture is one of the most critical components to remaining efficient in this high-stakes sector,” Bernstein noted. “In my experience, these firms understand this expansive and growing threat and the potential cost associated with falling victim to a successful cyber-breach. Because of this, while we will continue to see increased optimization and cost-cutting by the oil energy firms, we will also continue to see increases in cyber-security and protection budgets.”
Richard Mahler, director of Commercial Cyber Solutions at Lockheed Martin, told Rigzone that the oil and gas industry is well prepared to address the fluctuations in oil prices and incorporate those forecasts into the financial planning cycle.
“Given the critical necessity of cybersecurity to ensure the reliability, safety and security of operations across an enterprise, coupled with the ever increasing volume and impact of the threat landscape, we have not seen oil and gas companies cut their cybersecurity programs. They instead are focusing their efforts on other areas of operations, including capital programs, spending and services.”
Lockheed Martin has seen oil service companies delay, but not cut, their security initiatives because in many cases they are impacted sooner and more severely by the drop of oil prices, Mahler said.
Historically, oil and gas companies have never liked spending that much on cybersecurity, Graham Speake, a cybersecurity and industrial control systems expert with more than 30 years of experience in the oil and gas industry, told Rigzone. Cybersecurity technology in the oil and gas industry has always been an add-on, mostly purchased through integrators. Oil and gas companies have gotten better about implementing tools for cybersecurity, but convincing them to spend money in this area still remains a hard sell, Speake noted.
If oil prices remain low over the next few years, companies will likely turn to digital oilfield technology to remotely monitor platforms and assets while employing fewer people on site. Larger companies will likely employ this strategy to extend the life of assets, rather than constructing new infrastructure. Once the field is no longer profitable for that company, they will sell it to a smaller, low-cost producer, who will seek to eke out production with the existing system.
“Quite often, the devices installed are wireless, which is cheaper compared with rewiring or adding cable to old platforms. While the devices are industrial wireless, they still create another attack vector for cyberattacks.”
Operators also are likely to want their vendors to contact platforms remotely and remotely monitor assets such as rotating equipment.
“If companies start opening communications on offshore assets without good security tools, it can open up backdoors for cyberattackers to get in.”
Many offshore and other remote oil and gas assets only have anti-virus tools, and nothing more sophisticated. Companies might update anti-virus tools each week, but they’re more likely to be updated only once a month, while updates for Windows might only be done once or twice a year.
“Oil and gas companies’ surface attack is quite high, given that there’s no updates and few tools, and [they] don’t know what’s going on with their communications around all assets on a platform,” said Speake.
Companies may not even fully understand the assets, likely making it more difficult to spot a rogue actor in a network. In many cases, the people who are on a platform don’t have the basic security knowledge seen in a data center or a business network. Some companies that do establish a remote security operations center onshore are utilizing third parties or conducting monitoring at a very low level.
The merging of a company’s control network and wireless devices such as laptops and smart phones, which personnel bring on board to communicate with home, increases the chances of malware being passed from personal devices to the corporate network. Vendors who fly out to a platform and are under deadline to complete work introduce another way for malware to enter a company’s network system. In certain circumstances, Speake could see basic cybersecurity procedures ignored if things start to go wrong and work needs to be done quickly, raising the risk of malware entering a system.
LAYOFFS ADD NEW WRINKLE TO CYBERSECURITY MONITORING
Given the current layoffs taking place in the oil and gas industry, Lockheed Martin recommends that clients ensure a thorough review of their insider threat security program before making significant changes to their workforce, Mahler noted. These programs focus on identifying at-risk employees and providing additional monitoring and training to those employees prior to them taking undesired actions.
“Unlike data loss prevention solutions, the focus is to detect the risk prior to the employee taking a bad action. This solution looks not only at online network behavior but also other data sources such as human resources records, travel, etc. and applies custom risk scores that were developed by psychology, sociology and counter intelligence experts,” said Mahler.
Employee information is anonymous so that only when the individual’s risk score reaches a preset threshold will an analyst begin an investigation and work with legal, human resources or corporate counter intelligence to “unlock” the identity of the subject of the investigation.
“While the solution has a proven track record of identifying and preventing acts of sabotage or intellectual property theft, it also has demonstrated cases where we identified good employees dealing with tough situations and were able to provide help from our employee assistance program and keep a good employee on the right path,” said Mahler.