The capabilities of the digital age can be a double-edged sword. The same technology used by the oil and gas industry to process and store financial data or remotely monitor and manage complex plant operations also presents the greatest vulnerabilities.
Among the most recent threats, hacker group “Anonymous” declared recently as a “call to arms for Operations Control”—setting its sights on the global energy industry.
In 2012, Saudi Aramco suffered a cybersecurity breach and in an effort to protect the company’s assets, “about 30,000 disk drives at Aramco had to be destroyed,” according to Neil Siegel, sector vice president and chief technology officer (CTO) at Northrop Grumman Corp.
From knowing what requires protection to identifying “channels of vulnerabilities” in company technology to facilitating a culture where employees are well-trained and accountable, the scope of cybersecurity is an “adaptive and proactive process,” Siegel told attendees at a Hart Energy- sponsored breakfast.
A fellow speaker at the executive forum—Donald L. Paul, a former vice president and CTO at Chevron Corp.—said cybersecurity is not an information technology (IT) problem.
“Cybersecurity is a management problem,” said Paul, executive director of the Energy Institute at the University of Southern California.
“When I retired in '08 [from Chevron], we were averaging about 50,000 [cyber] attacks a day,” he added.
According to Paul, the nature of cyberattacks will continue to evolve, and while the oil and gas industries are better-armored than most, they also must evolve by effectively managing risk.
“The how is what most people think cybersecurity is all about, but I would argue that from a management point of view and from a company point of view, managing the risks is at least as much about who, what are they trying to do, why are they doing it; because if you don’t assess the risks and the threats that way, you may be pouring resources into the wrong place,” he said.
Although both the severity of the threat and effectiveness of cyberdefense are largely dependent on where either falls on the IT curve, risk management provides a “security framework” for productive strategizing. According to Siegel, a company’s IT department should not be left to determine what requires protection.
“The integrity of your financial information is clearly a management responsibility, but it’s also a potential for criminal activity,” Paul added.
In order for oil and gas firms to focus resources on “low-probability but high-impact events,” both speakers explained the various types of cyberthreats.
According to Paul, the five main classifications of cyberthreats are:
• Mischievous hacking, which constitutes a large majority of attacks on major companies but is generally a lesser threat;
• Intended criminal adversaries, which seek market intelligence and financial information;
• Internal espionage, which includes all employees and is among the biggest sources of threats;
• Radical political groups, which can damage the company’s reputation and potentially become an obstacle when trying to obtain a permit, for example; and
• State-sponsored threats, which are wellfunded, have strategic or geopolitical objectives and can be transnational entities.
Paul said the final category poses the greatest threat for energy companies.
“State-sponsored attacks are certainly something that plays out as advanced persistent threats [APT]. The nature of the threat and the extensive resources being applied are much more substantial than any of the other ones [threats],” he added.
Siegel agreed and said his company—the largest security contractor for the U.S. government—has a contract with Saudi Aramco to provide security services. He identified several similarities between the federal government and the energy industry that draw similar threats with regard to legalities.
They include:
• High-value capital assets;
• Complex operations distributed in interesting parts of the world;
• Operations within extremely rigorous legal and social frameworks;
• A definition of success that is highly constrained and highly defined; and
• A need to protect against actual damage, as well as manage the business of getting along with a community.
“The cyberthreat, like the physical-protection threat of a large capital asset in a dangerous part of the world, is a very dynamic problem,” he added. “There are talented and determined people out there who want to attack those assets both physically and through the cyberworld. … They have access to great intellectual capacity.”
Several methods of cyberattacks are used to breach security. For example, Anonymous often uses distributed-denial-of-service attacks to overwhelm computers with web traffic.
But most APT threats, such as state-sponsored ones, are multimode, or typically involve both cyberattacks and physical attacks. In addition to defending against multimode attacks, the sheer speed in which such threats advance their approaches is accelerating.
The cyberattack can manifest via a variety of means, according to Siegel. Even a basic printer can provide a potential gateway into a company’s network to demonstrated advanced technology, which can disable security sensors at refineries from as far as 40 feet away, he said.
“The APT is a whole modality where they get something into your computer and your network through any of a variety of means,” Siegel said.
Paul added: “Everything has increasing digital intensity. These [technologies] create more exposure … that’s the trade-off of having the efficiencies that go with it.
No matter how much progress an energy firm makes with its cybersecurity-protection strategies, the adversary’s technology will continue to evolve, and the company’s protection strategy must evolve with it, Paul said.
“Comparative to most industries, the oil and gas industry has always been a sophisticated industry when it came to the use of information technology,” he said, adding that the starting point for the energy industry was, therefore, “very high.”
Given the noted similarities between national cybersecurity threats and cybersecurity threats in the energy industry, Paul and Siegel suggested that a national-security method of defense might be applicable.
“Maybe it’s not really an industrial application or consumer or commercial good,” Paul said. “Maybe it’s really more like a defense and intelligence strategy.”
Siegel said such threats could include terrorism, accidents or natural disasters. He described a basic methodology to “detect, assess and respond” that Northrop Grumman uses for integrated physical, cyber and response management to improve “adverse incidentmanagement timelines,” enable “swift decision- making at vital moments” and enhance “collaboration and situational awareness.”
Regarding best practices for data-sharing between customers and data-providers, Paul and Siegel said that data-sharing creates repositories that become attractive to adversaries, but sophisticated data providers try to strike a balance between the application of a common solution to several installations and the development of customized solutions for every installation.
An integrated plan, assigned management responsibility with adequate resources and knowledge of how your supplier’s capabilities propagate into your company’s system, is a necessary part of the cybersecurity discussion, Paul said.
“Ultimately, you need to build a set of relationships that will help you ensure you’re on a technology curve, and you stay on it, because you can easily fall off of it,” he added. “This is not a solvable problem, but it is a manageable problem.”
Recommended Reading
ConocoPhillips Hits Permian, Eagle Ford Records as Marathon Closing Nears
2024-11-01 - ConocoPhillips anticipates closing its $17.1 billion acquisition of Marathon Oil before year-end, adding assets in the Eagle Ford, the Bakken and the Permian Basin.
Dividends Declared the Week of Oct. 28
2024-11-01 - Here is a compilation of dividends declared this week for select upstream, midstream and downstream companies.
Exxon, Chevron Beat 3Q Estimates, Output Boosts Results
2024-11-01 - Oil giants Chevron and Exxon Mobil reported mixed results for the third quarter, with both companies surpassing Wall Street expectations despite facing different challenges.
Oxy’s Hollub Drills Down on CrownRock Deal, More M&A, Net-zero Oil
2024-11-01 - Vicki Hollub is leading Occidental Petroleum through the M&A wave while pioneering oil and gas in EOR and DAC towards the goal of net-zero oil.
Marathon Oil Expects ‘Mass Layoff’ After ConocoPhillips Deal Closes
2024-10-31 - Marathon Oil’s merger with ConocoPhillips, which is to close by year-end, will trigger a layoff of more than 500 Houston employees, according to a state regulatory filing.
Comments
Add new comment
This conversation is moderated according to Hart Energy community rules. Please read the rules before joining the discussion. If you’re experiencing any technical problems, please contact our customer care team.