Discussing the Role of Cyber Security in Oil and Gas Pipelines
By NAOGP Staff
According to global investigations, intelligence and risk management firm Stroz Friedberg, the rate of cyber-attacks on energy firms is skyrocketing. Between October 2012 and May 2013 alone, oil and gas companies reported 111 cyber incidents to the Department of Homeland Security. That is nearly 30 attacks more than the sector reported for all of fiscal year 2012.
Meanwhile, the Department of Energy has announced a $30 million investment to help strengthen electric grid and oil and gas infrastructures. This move casts an even brighter spotlight on the importance of long-term protection of critical infrastructures in the United States.
Chad Pinson, managing director at Stroz Friedberg, spoke to North American Oil & Gas Pipelines about the nature of cyber-attacks, best practices for how energy firms can improve defenses, related costs and industry trends.
What is the nature of cyber-attacks that oil and gas pipeline companies face?
Pinson: Oil and gas pipeline companies, like the larger energy sector, are under constant threat of cyber attack. The question is not if an oil and gas pipeline company will be attacked, but when and how severe the damage will be.
Oil and gas pipeline companies are appealing targets to hackers of nearly any variety. Black hat operators from competing businesses or state-sponsored national companies may attempt to steal proprietary information or trade secrets such as specialized processes, intellectual property, corporate and transactional long- and short-term strategy and plans, drilling plans, mineral leasing information, pricing sheets, production and volume statistics, customer lists and pre-public information affecting stock prices. State-sponsored adversaries may also attempt to disrupt production. Terrorists may desire to wreak havoc by crippling the power grid. Hackers with an economic motive see these companies as a cache of financially valuable data. Others may see it as an opportunity to damage the reputation of companies involved in what may be considered controversial activities. And some hackers go after such high-profile energy companies in order to simply gain notoriety.
All of these parties are at work simultaneously, which presents a persistent high-level threat to the energy industry. While many are using high-tech methods of intrusion that only a crack information security team can block or detect, other attackers are attempting to intrude through decidedly low-tech means — such as social hacking through customized phishing emails to gain legitimate access credentials.
Energy companies are finding increased exposure due to the persistent use of SCADA devices throughout the industry. SCADA devices allow companies to monitor and control industrial processes, and are a backbone of the energy and oil and gas pipeline industry. However, SCADA devices have traditionally been designed for functionality, with less emphasis on security. Hackers and attackers know this and target SCADA devices in the energy industry to gain inappropriate access to processes that affect every aspect of oil and gas transportation and production.
Is the oil and gas pipeline industry prepared to defend itself?
Pinson: Some industry players are certainly thought leaders in cybersecurity and are well-situated to mitigate enterprise risk. Some industry players believe they are prepared but may be surprised to learn their best efforts at defense fall short of best practices or the skills of their attacking adversaries. And some industry players give little thought to cybersecurity and enterprise risk management, instead focusing almost exclusively on revenue, production and business functions. Thought leaders in the industry know the threat level is high; many are paying close attention to the Cyber Security Framework being developed by the National Institute of Standards and Technology, and many are investing in measures to mitigate risk. However, successful attacks occur frequently. The Department of Homeland Security reported 111 incidents between October 2012 and May 2013 on the energy sector alone.
The reason for this vulnerability: Security is not often prioritized highly enough. It is common for the technical infrastructure of oil and gas firms to be optimized for functionality at the expense of security. For example, the rapid pursuit of new opportunities and innovations can easily trump the need to slow down to integrate necessary cyber protections. Convenience and collaboration may be valued above what seems like burdensome security measures. Consistency is regularly prioritized above change, as, for example, the implementation of network updates is delayed. Short-term revenue generating activities often lead the way, while security expenditure, whether that’s through new resources or slowed productivity, takes a back seat. In short, the answer is no. In many ways, the industry as a whole is not prepared to defend itself.
What risks are involved to the company if an attack is carried out?
Pinson: In an industry where it is commonplace for powerful processes and physical structures to be controlled remotely, a breach can create destruction on a scale unmatched by nearly any other sector.
A company can face losses from proprietary information becoming compromised, compromised bargaining power in business deals where strategy and secrets are stolen or exposed, financial losses from disrupted production or damage to systems and processes, regulatory fines and legal fees, and reputational damage from either appearing untrustworthy to industry participants or from the association with a large-scale loss of life. For publicly traded companies, the failure to disclose cyber risks or a cyber incident could lead to SEC investigations and fines for failure to report significant risk factors or material events. The risks really run the gamut when power production, critical energy infrastructure, crude supply and transport, crude processing and exploration and extraction are at play.
What risks are involved for the public in the event of an attack?
Pinson: If a company is public, shareholders could lose their investments if the attack devalues the firm. Attacks that affect production could cause oil and gas prices to skyrocket. Certain attacks, such as those that affect the power grid or cause spills or explosions, could result in economic disruption, personal inconvenience or even loss of life.
Where does the threat originate?
Pinson: Geographically, threats originate from all over the world. The complete connectedness of our world has both positive and negative consequences. One negative consequence is the ability of a cyber attack to originate from almost anywhere and reach almost anywhere on Earth. While hackers can literally be anywhere, oil and gas companies operate all over the globe, and also have executives that remotely connect to their computer networks from countries with questionable information security risk profiles. This kind of global business model and worldwide business travel does increase a business’ risk exposure. But homegrown hackers and even employee-generated attacks can be as large of a threat. And really, when it comes down to it, the open door can be as nearby as an executive’s email inbox.
Why do oil and gas pipelines make a good target for cyber-attacks?
Pinson: I would not say they are a good target. They are an appealing target to hackers, not only because they are high-profile businesses dealing with very sensitive geopolitical economic issues, but also because, as part of the economy’s critical infrastructure, so much physical and financial damage can ensue.
How can pipeline companies protect themselves?
Pinson: While pipeline companies are clear targets, there are many things they can do to protect themselves, number one of which is a risk-based security assessment, and a defense-in-depth approach to enterprise risk management. A risk-based security assessment involves the comprehensive review of a company’s operations, including remote access controls, and the severity of the various threats facing the company. The results of this assessment should produce a plan in which the greatest threats and weakest links are addressed first.
One immediate action item is to identify the company’s most valuable information, where it is stored and how it is accessed. Many IT departments spend a lot of time guarding email content, and while that is certainly important in a day and age of spear-phishing, they may not be effectively guarding the company’s information crown jewels. IT may not even know what the crown jewels are, since oftentimes only members of leadership are privy to this knowledge. Identify the most valuable information at your firm and then fold it deep within a well-layered network and firewall array. Limit access to the data to only necessary users. Monitor the movement and transfer of this data closely.
Throughout the whole network, set up internal barriers to prevent an intruder from sidling from email to payroll to the document management system to the remote access control or even the crown jewels. You may notice this isn’t a conversation as much about preventing attack as it is about preventing the damage. Attackers are trying to get into your network 24/7. They are located all over the globe, working persistently in all time zones. The greatest firewall is not failsafe.
As a result, it is also important for a company to have an incident response plan in place before a breach occurs. You do not want to be building an airplane in midair. Mere seconds can be the difference between an attack that’s frustrating and one that’s devastating. Identify an incident response team and the initial steps to take, and those not to take. Be prepared to bring in outside legal counsel. In the best case scenario, much of the work performed closing off and remediating an attack can be protected by attorney-client privilege. Then, be ready for this plan to stand up to scrutiny from investors and shareholders. The risk of cyber attack on oil and gas pipelines is well known; unpreparedness can be perceived as incompetence.
What are the costs involved with protecting pipelines from cyber-attacks?
Pinson: First, proactive mitigation will almost certainly be cheaper than reactive remediation. So proactive protection is a good investment. Costs vary depending on what approaches are taken. One of the least expensive things you can do is ask your business partners what their cyber security protections are — financial institutions, insurance companies, law firms and others that hold your proprietary information may also be subject to intrusion. Ask them what they are doing to protect your data. On the other hand, a risk-based assessment may require more time and effort than the one-time cost of a check-the-box approach, but it is much more effective, and will likely save money, protect business systems and secrets, and maintain goodwill in the long run. In any case, the costs of protecting pipelines should be weighed against the costs of a breach. Focus on the greatest risk areas first, and then expand your defensive approach from there.