Many leaders in every industry today are rightfully concerned with the growing cybersecurity threat.
One vertical, the oil and gas industry, faces unique cybersecurity challenges. The distributed ownership and operational nature of the industry's infrastructure has led to wide differences in how security management practices are applied. This, combined with the industry's general image problems, media focus, and potential for large-scale disruption, makes the industry as a whole a tempting target for cyber threats. The industry ranks number two behind utility companies for certain types of cyber-attacks, and according to General Keith Alexander, retired Director of the National Security Agency, “41% of malicious attacks reported to the DHS were focused on the energy sector making it a prime target of such attacks.” Attacks can include targeting proprietary data, disrupting production, and stealing sensitive employee and customer data.
To date, the majority of these attacks have focused on the mid-stream and down-stream sectors of the industry and on the integrated operations of supermajors such as Shell, Exxon Mobil, BP, and Chevron. Significant and highly publicized examples include the 2008 attack on a Turkish pipeline facility, which resulted in a 30k barrel crude oil spill, and the 2012 attack on Saudi Aramco, which damaged more than 30,000 computers. Many more attacks go unnoticed and unreported.
Many small and mid-tier producers and mid-stream companies may feel that, due to their size, they are not targets for traditional cyber-attacks. Others may feel that hackers and terrorists are more inclined to target large financial institutions, credit card processors and retailers than industrial operations like oil and gas production.
The following may make them reconsider their risk. Colorado is currently working on legislation to stiffen penalties for tampering with oil and gas production and transport infrastructure, based on actual and perceived actions and threats from anti-oil activists. There are documented cases of individuals tampering with natural gas distribution facilities, and the potential for a dangerous release of hydrocarbons is a real threat with its associated cost, regulatory and legal liability. The legislation is focused on physical tampering, but there is little to prevent an activist sitting in their living room from causing mayhem by hacking into an “Internet of Things” enabled control valve on a pipeline and creating a dangerous situation. In many cases, control systems are installed and serviced by contractors who may not follow the same level of security practice as their customer, which introduces unforeseen vulnerabilities.
One solution to these problems is the implementation of a comprehensive security program that includes regular assessments, identification of vulnerabilities, and prompt remediation practices for systems and equipment. The program should encompass third-party service providers and include contractual security provisions when purchasing new or upgrading existing systems and equipment. Additionally, companies need to focus on the people side of the equation as much as the technical side, and implement regular information security practices and training regimens for industry workers, much as they have focused on Environment, Health and Safety (EH&S) practices. The industry in general has made great strides in improving worker safety and compliance with regulatory guidelines through the application of robust EH&S practices and programs. These can serve as a model for similar information security practices focused on decreasing vulnerabilities and educating employees on their role in preventing intrusions and responding to events.
Our firm, Lewis Fowler, specializes in providing cyber security assessments, gap closure roadmaps and designing and implementing appropriately scaled Governance, Risk and Compliance (GRC) programs for customers in the energy and other industrial sectors.