Despite the significant and growing threat of cyberattacks oil and gas producers face, there is a persistent lack of awareness and understanding of the vulnerabilities present in the industrial control systems used for energy production and distribution operations. A panel of experts discussed the potential cybersecurity risks companies face from malicious actors, as well as risk mitigation strategies and emerging security standards in a session, “Cyber Security Assurance: Data and Critical Infrastructure Protection,” held at the 2016 Offshore Technology Conference.
Andrew Howard, director of the Cyber Technology and Information Security Laboratory at the Georgia Tech Research Institute, said cybersecurity risk is a pressing concern for all sectors of the industry, and that companies should not place the burden of handling cyberthreats solely on their information technology (IT) departments.
“It’s no longer just an IT problem,” Howard said. “It’s a multidisciplinary problem that covers just about every field. When we talk cybersecurity to complex organizations, it’s no longer about the IT channel. It’s also the upstream, the downstream, and the finances. It’s in human resources. It spreads over the entire organization, and it’s everyone’s problem.”
A common misconception companies have with regard to cybersecurity is that the “air gap,” or the physical isolation of a secure computer network from unsecured networks, is an effective strategy. Howard said a dedicated security protocol focused on physical systems must include basic cyberhygiene and asset inventory capabilities, even if those systems are not connected to unsecured networks.
Dawn Cappelli, vice president of information risk management at Rockwell Automation, said the biggest security threats companies face are from insiders, typically disgruntled former employees with technical knowledge and a personal predisposition to cause harm.
“People will cross that ethical line and steal your information because they rationalize in their mind why it’s okay: ‘I created that, that’s mine.’ Most people will not cross that ethical line, but the people who do tend not to get along well with other people. You have to walk on eggshells around them. They don’t take criticism well,” Cappelli said.
Cappelli divided insider threats into two categories: cybersabotage and intellectual property theft. To combat these threats, she suggested an action plan in which a company’s human resources and legal departments work with IT to develop an auditing protocol for employees to ensure the security of confidential information. The IT department should train human resources to spot potential cybersabotage. The company should then begin a pilot program to put the protocol into action. If the program is successful, it should be launched globally.
Jonathan Pollet, founder and executive director of Red Tiger Security, said that of the approximately 300 security assessments his firm has performed for its clients since 2001, five revealed the presence of an intrusion detection system. Of those five systems, two were ultimately discontinued because they were unreliable.
Pollet’s firm also conducts physical assessments of companies, during which staffers disguised as plant workers infiltrate on-site security to gain direct access to a company’s server. He said his workers have never failed to access critical infrastructure in these physical assessments, and that the ease with which an outsider can access on-site servers portends the possibility of insider attacks.
“If you look like a plant worker, carry plant equipment in, you do your homework, and you look like all of the other plant workers there, it’s very easy to slip directly inside a control system environment, and now you’re behind all of those layers,” Pollet said. “If I can do that without even being an employee, then of course insider threats are a big issue.”
While he acknowledged that any efforts to improve cybersecurity will add to a company’s overall workload and operating expenses, Pollet also said there should not be a rigid dichotomy between security and convenience in business operations.
“I don’t think security protocol should stop business, but it’s certainly going to put in a few extra steps,” he said. “Is it going to take me longer to pop through all of these steps? Yes. Is it worth the risk? Yes. You just have to think that working today in this modern world is different from 10 years ago.”