A cyber attack bull's-eye is trained with ever-increasing intensity on the entire energy sector. Conventional wisdom dictates that if a company is in the crosshairs, it is not a matter of if an attack will occur, but when. Cynical wisdom goes further and suggests that if an attack does occur, it is not a matter of if the attacker will eventually breach security, but when.

Energy companies can, however, take steps to control their fate. Proactive enterprise risk mitigation efforts can be the difference between being ravaged by a hacker and simply being irritated by one. By extension, these defensive efforts also build a firm's competitive advantage—being a survivor in an era of unrest and uncertainty does that.

The first step in energy sector enterprise risk mitigation is accepting and understanding the threat. The frequency of cyber attacks on energy firms is skyrocketing. Between October 2012 and May 2013, energy companies reported 111 cyber incidents to the Department of Homeland Security. That is nearly 30 attacks more than the sector reported for all of fiscal-year 2012. In both time periods, the energy sector reported significantly more threats than any other industry in the survey.

In August 2012, Saudi Aramco, the world's largest oil company, had 30,000 computers corrupted by the Shamoon virus that replaced company data with the image of a burning American flag. A month after the attack on Saudi Aramco, intruders broke into the network of Telvent Canada, installing malicious software and stealing project files relating to one of its key products.

In the first half of 2013, gas compression stations in the US reported that outsiders were trying to access their process-control networks through brute force attacks, a technique in which attackers try to guess passwords or recover encryption keys by testing every possible candidate until one works. In May, a report by the Wall Street Journal warned of state-sponsored hackers that likely gained the ability to control pipelines.

There is even at least one company that makes its money by identifying and selling vulnerabilities in powerful SCADA systems. Its customers are not the companies with the vulnerable products, but governments and others interested in exploiting vulnerabilities—there is widespread commercial demand for this kind of disruptive intelligence. And at the world's largest hacker conference this summer, security professionals demonstrated that wireless networks often used by power plants, oil and gas facilities, nuclear plants and water facilities could be exploited and controlled from up to 40 miles away with a simple radio transceiver, leading to, among other things, plant shutdown, alteration of processing techniques, or service interruption.

Valuable targets

Energy companies represent a strategically valuable target to a wide variety of individuals and interest groups. Economic hackers see these companies as a trove of financially valuable data. Competitors have an incentive to steal trade secrets, long-range strategic plans, and proprietary insider information to gain advantage. Foreign state-sponsored rings are known to be interested in industry secrets, national security intelligence, and even production disruption.

As unconventional domestic oil production continues to turn the tables on what we have assumed about US dependence on foreign oil, oil-producing nations now have incentive to disrupt US production as a way to boost falling prices. Geopolitical adversaries and terrorist organizations view the energy industry as an avenue for wreaking havoc on the US economy and population: opening dam gates, interrupting pipelines and shutting down the power grid, for example.

Likewise, hacktivists may attempt to cause economic and reputational damage to companies, like many oil and gas firms, that are participating in what may be considered contentious activities, such as fracing or participation in controversial pipeline plans. Some attackers can even be motivated by the desire to test their abilities and gain notoriety for infiltrating such highly visible and infrastructure-critical businesses. After all, there are few industries where a breach of security can do as much physical damage as in the energy sector, where so many powerful physical structures and environments are controlled remotely, automated or dependent on technology processes.

These disparate interests are at work simultaneously, presenting a persistent, high-level threat. Attackers are extremely dedicated, strategic and flexible, using both technology and social engineering to compromise enterprise security. They hunt incessantly and with laser focus for narrow cracks in network walls, modifying their approaches to circumvent the most cutting-edge and expensive preventative measures.

They also strategically target C-suite executives—CEOs, CFOs, CTOs—with individually customized “phishing” emails, such as those purportedly from popular social networks, which can be hard to spot by busy business leaders and their executive assistants. Often, the goal of these emails is for the recipient to respond by providing passwords or other types of personal information.

These spear-phishing expeditions are notably low-tech, but surprisingly effective. In April 2012, for example, attackers intruded on the natural gas pipeline industry through e-mails tailored to specific individuals within the targeted companies. Another similar attack was reported a year later. However, it was not successful.

It is not just inattention to e-mail activity that exposes energy companies to risk. Energy companies, especially the newer companies entering segments of a booming market, tend to manage complex networks with technology designed primarily for functionality, not security. They often prioritize convenience and efficiency over digital safeguards, and they regularly value consistency in technology over change, even change for the better. Also, oftentimes these companies operate, or have executives that connect to the network, from locales all over the world, meaning they have exposure points across a number of different environments, such as the United Arab Emirates, Angola, Russia and China, which have varying information security risk profiles. It can be a challenging, if not a truly impossible task, to defend against all threats at all times and in all places.

These unnerving circumstances, however, do not mean the energy sector must sit passively in a game of hide-and-seek where the seekers always win. While much is out of leadership's control, every company within the sector is in a position to mitigate its own unique enterprise risks, protect itself and comply with strict, critical infrastructure requirements.

A strong defense

The driving force of a strong defense is a proactive, risk-based security assessment. A risk-based security assessment holistically reviews a company's operation and aligns its recommendations with the greatest risk facing the particular company. It is not a “check-the-box” cursory security effort, and it is much more robust than penetration testing, which is generally focused on identifying weaknesses on an enterprise's networks and servers. A good risk-based security assessment focuses on strategically managing risks posed to a company's most critical and most vulnerable assets. Specifically, companies should:

Identify the company's crown jewels and make sure they are protected. The IT department, often responsible for cyber security, may be heavily guarding e-mail content, but the company's gold may be found elsewhere. In fast-moving and rapidly innovating oil and gas firms, even the best information and operational technology groups may not know which company assets are most critical to company survival. Generally, members of the leadership team, such as the CEO, CFO, COO, general counsel or others with knowledge of essential or new business ventures, know what information and operations must be protected most heavily. Therefore, a risk-based assessment requires collaboration with key IT and operational technology (OT) security personnel, as well as these key knowledge leaders and brokers, to focus risk-mitigation efforts on the correct assets and data.

Once the crown jewels are identified, appropriate access control protections must be put in place to secure those assets. Critical assets should be protected via a defense-in-depth approach. Access to the data and operational assets should be limited to necessary users. And the ability to move and transfer critical data should be controlled and monitored.

Minimize access for intruders who have broken into the network. In the modern-day “when-not-if” environment, an intruder will eventually make his or her way into an enterprise's network. However, that does not mean they should be granted the keys to the castle after having merely crossed the moat. Internal digital barriers should be set up throughout the company's network so that an attacker cannot pivot from e-mail to payroll to the document management system to the remote access controls for physical processes. In other words, energy companies should focus heavily on limiting the ability of an intruder who successfully penetrates a company's network defenses to move about within that network—pivot—and gain access to the company's most critical data and operational assets.
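As an added illustration of the segmentation point above (example code written for this edit, not from the article or from the firm it describes), the script below models a zone-to-zone allow-list and searches it for a transitive pivot path from the e-mail zone to the OT remote-access zone. The zone names and both policies are constructed assumptions; a defender would load the real rule base in place of them.

```python
from collections import deque

# Constructed allow-list: each zone maps to the zones it may initiate
# connections to. Zone names follow the pivot chain the article describes.
WEAK_POLICY = {
    "email": {"payroll"},
    "payroll": {"docmgmt"},
    "docmgmt": {"ot_remote_access"},
    "ot_remote_access": set(),
}

# Hardened allow-list (also constructed): corporate zones do not reach one
# another, and only a dedicated jump host may reach the OT tier.
HARDENED_POLICY = {
    "email": set(),
    "payroll": set(),
    "docmgmt": set(),
    "jump_host": {"ot_remote_access"},
    "ot_remote_access": set(),
}


def pivot_path(policy, source, target):
    """Shortest chain of zones from source to target, or None if unreachable."""
    parents = {source: None}
    queue = deque([source])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:  # walk back to the entry zone
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in sorted(policy.get(zone, ())):
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None


def exposed_zones(policy, critical, entry_points):
    """Map (entry, critical) pairs to the pivot path that joins them, if any."""
    findings = {}
    for entry in entry_points:
        for crit in critical:
            path = pivot_path(policy, entry, crit)
            if path:
                findings[(entry, crit)] = path
    return findings
```

Run `exposed_zones(WEAK_POLICY, ["ot_remote_access"], ["email"])` to see the four-hop chain the article warns about; the hardened policy returns no findings.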

Assess the security of remote access controls. Outsiders should not be able to remotely shut down a cooling system, control a dam, or shut off well production. But because many of these activities are controlled by remote or automated technology, they are susceptible to intrusion and misuse. When many of these systems were set up, the risk of being hacked was not top of mind. As a result, many systems are optimized for functionality, but lack security controls. Critical processes must be assessed to see if they can be compromised, and if so, how to plug the security gap.

Review, as much as possible, the information security practices of business partners. The security of your information is only as strong as the weakest person who has it. Law firms and financial institutions are just two examples of professional service firms that have been under attack. One of the largest US natural gas producers was likely a victim of this type of hack. Attackers targeted its investment-banking firm in an apparent attempt to gain information related to leases. Many oil and gas, wind energy, distribution, power, utility and other energy companies rely on third-party vendors for data storage or outsourced services such as payroll, benefits or even data transfer.

While many companies do obtain indemnity agreements with these service providers, third-party vendors that hold your sensitive intelligence may not have the financial wherewithal to pay for the damage caused by a breach. In other words, they may not be in a position to “make good” on the legal liability these indemnity agreements create. Additionally, monetary recompense often does not fully assuage the damage of a security breach. A security breach often affects reputation and goodwill, both of which are difficult to restore. And once intellectual property or trade secrets are compromised, it can be difficult for energy companies to recover.

Energy companies, therefore, must focus on business-partner security almost as much as their own. Unfortunately, vendors rarely allow clients to perform meaningful assessments of their security measures. But a thorough risk-based security assessment should include analysis of, and risk mitigation against, third-party practices, wherever possible. Best practices include access controls, secure communication methods and network layering that takes into account vendor access points.

Ensure the organization is prepared to respond to an attack efficiently and with the utmost legal protection. Energy companies must have an incident response plan in place. An appropriate incident response plan should define the incident response team, including backup team members, initial steps to take—and not take—and a plan to utilize outside help. Internally, the response team should involve leadership from multiple disciplines within the enterprise, starting with the C-suite and including leaders from the in-house legal function, IT and OT security, and public relations. Additionally, outside legal counsel should be retained at the outset. In the best-case scenario, much of the work performed to shut down and remediate an attack can be protected by the attorney-client privilege.

Other advantages of bringing on outside counsel and security consultants include: subject matter expertise; management of the issues caused by the IT and OT teams' conflicting roles of both assuring network security and identifying the cause of, and all of the vulnerabilities exposed by, a breach; experience responding to other network intrusions in other client engagements; and the credibility and defensibility that will stand up to scrutiny by investors, stockholders, and in potential lawsuits and regulatory actions. Response readiness also means being able to react with immediacy. An improvised and slow response may result in critical lost evidence, additional compromise, and increased damage and expense.

Monitor security events, the threat landscape, and the changing business environment so enterprise risk profile and enterprise security can be reassessed at regular intervals. Energy companies should put in place procedures and technology for monitoring security events, and watch the threat landscape and changes to the business environment. Many companies are guilty of putting great effort into a single security push, but become complacent and static in their enterprise risk management even as the threats against them and environments in which they operate constantly change. Energy companies that are most successful at mitigating risk and threats will continue to monitor security events and evaluate the environment in which they do business.

The risk of, and potential damage from, a cyber attack within the energy sector is tremendous. It is not hyperbole to envision immense human loss and damage to critical national infrastructure as well as costly production disruptions and other more subtle business risks. For example, if a public company is attacked and the business did not identify the digital security risk through a measure like a risk-based security assessment, that company may have failed to appropriately disclose all significant risk factors in its public SEC filings. Such lapses may lead to a higher likelihood of a successful shareholder lawsuit, because the SEC has issued guidance making it clear that cyber risk must be considered when disclosing significant risk factors.

But taking charge of cyber risk management is not just a preventative measure. When a potentially destructive attack causes minimal damage, the cyber-secure company stands triumphant, or at least relieved at its mitigation efforts. Disclosure of an attack shifts from a nightmare to an opportunity to discuss the company's resilience and preparedness.

Chad Pinson is managing director in the Dallas office of Stroz Friedberg, a global firm focused on investigations, intelligence and risk services. Previously he was a partner at Baker Botts LLP in Dallas. He currently is chairman of the State Bar of Texas Privacy, Data Security and eCommerce Committee.