Recent cyber attacks on the Iran Oil Ministry and its affiliates that forced the country to disconnect some of its main Persian Gulf oil terminals from the Internet is evidence that the oil and gas industry isn’t exempt from such threats.

“It’s not a matter of if, but when,” Sarah Zanders, manager of security investigations and incident response for Halliburton, told a crowd gathered Sept. 18 for the Emerging Cybersecurity Threats: Public Policy and Technology Response conference hosted by the James A. Baker III Institute for Public Policy at Rice University.

The conference featured speakers sharing their thoughts on emerging cyber threats along with ways to protect against, detect, and respond to such acts. One of the challenges facing the oil and gas industry in combating cyber threats is that the victims don’t want to share their stories, which can oftentimes become not only learning tools but possibly prevent future attacks on their peers, panelists said.

Communication among the industry is starting to happen, Zanders said, adding competitors are beginning to call each other to share their experiences or pass on information. It is these impromptu phone calls that form the majority of the intelligence information that proves most useful to companies.

But a one-size-fits-all approach to finding solutions doesn’t work for the industry, considering its complex infrastructure. David Zacher, manager of information technology security and risk management for Marathon Oil Corp., pointed out that differences between companies’ upstream, midstream, and downstream divisions call for different approaches to various cyber threats.

“We are collaborating with other people to understand what those threats are to the oil and gas industry,” Zacher said. “We do have to take a risk management approach to this. Not all assets are taken equally. Not all of them can be protected the same way.”

And protecting the company from such threats involves real business discussion with those who make financial decisions. Individuals who realize the importance of these growing threats may be faced, for example, with having to justify why the company should spend $1 million to protect something that’s only worth $500,000. But adequate incident responses are needed to recover from or, preferably, avoid cyber attacks.

Risks can involve physical assets such as damage to a plant or offshore platform, Zacher said. “The threats out there seem to be growing exponentially,” and the situations companies faced 10 years ago, such as traditional viruses and spyware, are still out there.

“Most oil and gas businesses aren’t in business by themselves,” he added. “We could be in a partnership with somebody, and we have to rely on their security controls. So it important that we are collaborating and understand what the value of the assets are and how we are going to protect them.”

Overcoming the tendency to be quiet about such threats and finding ways to share information with each other without divulging or releasing sensitive data pertinent to a company’s operations is crucial. “We all have the same issues,” Zacher said, adding the industry should be able to collaborate on a set of standards that will be in its best interest to meet. “It is to our benefit to find ways to share information in a way that is beneficial but is not harmful to industry.”

There are plenty of tools that already exist, such as intrusion detection and prevention systems, to guard companies against certain threats. And many of these tools can be purchased off of store shelves, said Dan Wallach, director of Computer Security Lab and computer science professor for Rice University. He mentioned, as an example, one piece of software that opens every email before it gets to its recipient and makes sure nothing is wrong.

“The problem with all of these cool tools is you buy them, you turn them on,” he said, but “Are you safe? We don’t really know.”

Companies can’t declare their jobs done after simply purchasing software products to protect themselves against threats. “Security is about process and people. It’s about hiring the right kinds of people who can operate the tools and who can extend the tools and fix them when they don’t do what they need,” Wallach said, noting it requires developers.

It also may require opening offices where the talented security professionals are – in the San Francisco Bay or Washington, DC, area, for example, instead of making the new hires move to a company’s headquarters, which may be in a less desirable area.

But the tasks don’t stop there. Companies must know their adversary, Wallach said. Hackers are not using textbook attacks. “Antivirus companies are completely worthless because they defend against known attacks, and you’re getting attacked by novel things that nobody has ever seen before. So what are you going to do?”

That’s when the “I scratch your back, you scratch mine” theory comes into play. Individual relationships between companies within the industry are extremely valuable, Wallach said. If one company is hit with a virus and spreads the word to others about what happened, it can become a huge benefit.

“Knowing your adversary means going outside of your walls,” Wallach said. However, nondisclosure agreements are needed with these arrangements so that those with knowledge can freely talk to each other. Knowing that a company’s vice president of finance was the victim of a cyber attack as opposed to only knowing that an employee (no specific title) was the target of an attack makes a difference.

The same holds true for government when it comes to sharing information, he said.

However, the government sometimes has valuable information but can only share so much – or none at all – for fear of further compromising a situation if too much detail leaves their hands.

“Somehow we have to cut through all of this red tape,” Wallach said. By creating consortia with a suitable nondisclosure, getting everybody cleared to a certain level, knowing that anything that is said stays in the room, and perhaps a shared staff -- somewhere therein lies the answer.

Contact the author, Velda Addison, at vaddison@hartenergy.com.