More than 45% of energy companies fell victim to at least one cyberattack in 2014, a higher percentage than in any other corporate sector. With the industry facing constant hacking threats, companies must place a greater emphasis on developing strong cybersecurity strategies, an expert said.
In a presentation, “The Rising Threat—Guarding Against the New Generation of Cyberattacks,” hosted by the SPE Gulf Coast Section, Mario Chiock discussed the key elements of cybersecurity and outlined steps companies can take to reduce potential exposure to cyberattacks. Chiock is a security and technology executive adviser at Schlumberger.
Chiock said a major problem energy companies face is a lack of fragmentation in their enterprise resource planning (ERP) systems. Most ERP systems are connected either to a cloud computing network or mobile devices, leaving significant holes in their firewalls.
With no fragmentation, hackers can access an entire network through one outlet, and oftentimes that outlet is a phishing email. Most major cyberattacks begin with a hacker phishing employees for information such as logins and passwords. Chiock said Schlumberger regularly sends phishing emails to its employees to help raise awareness of the issue. However, even the most diligent companies can have their networks compromised by a single successful phishing attempt.
“All it really takes is one person clicking on something to start an attack,” Chiock said. “[At Schlumberger], we phish our employees once per quarter, and sometimes we think we’re going in the right direction. But all we have to do is change the phishing email and then [the number of breaches] go up again.”
Cloud infrastructures offer both benefits and disadvantages. Chiock said storing data in the cloud is safer for companies than storing data on their own servers, but the risk of a security breach is higher because the servers are hosted on the Internet. An additional concern is that companies looking to migrate to a cloud infrastructure will likely assume that the cloud provider will bear the financial responsibility for any data lost on its servers in a breach. Most cloud providers, he said, are only responsible for protecting their own servers and not those of their clients.
“When you do things in the cloud, the people who sell you cloud services will promise you everything. They’ll tell you that they’re going to be responsible for handling security. In reality, they’re responsible for the security of their infrastructure and their data, not for the infrastructure of your application,” Chiock said.
Combating cyberthreats is not just a matter of finding a technological solution. Chiock said it is important to promote a culture of responsibility and accountability. Employee training is one step in promoting such a culture, as is the development of policies and standards that can be audited, enforced, and measured. Additionally, companies must constantly update their cybersecurity policies to account for new threats.
“We cannot just have policies and standards that are 10 years old and expect them to protect us today. There is a lot of new technology that opens up holes into our networks, and we need to make sure our policies get updated to protect us,” Chiock said.
While the establishment of proper policies and procedures is important, technology should still play a significant role in cybersecurity. Chiock suggested that companies acquire next-generation security software and automate its protocols for handling cyberattacks. He said hackers will often target companies after hours, and a quick response is critical.
“When you start getting information intel, if it needs to go to a human and that human needs to make a decision, by that point it’s too late. We cannot do that anymore. If there is [intelligence] in the middle of the night, I want it fixed by the time I wake up. All it takes is a little window of opportunity for the bad guys to get in,” Chiock said.
Machine learning, or the development of computer programs that can teach themselves to adapt to new data, is a strategy that has already taken hold in the technology industry. Chiock said Schlumberger develops such programs to help detect false positives in its security systems. But, he said, the technology is still not mature enough to use as the basis of a security strategy.
“I think [machine learning] is the future, but I’m also a big believer that there is no silver bullet that fixes everything. You have to create a strategy, and based on your strategy and your needs you have to use multiple tools and technologies to resolve specific issues,” Chiock said.