The American Petroleum Institute will hold its 13th Annual Cybersecurity Conference for the Oil & Gas Industry on Nov. 6-7 in The Woodlands, Tex. Even sooner is the joint API-International Association of Oil & Gas Producers Cybersecurity Europe Conference, June 27-28.
These are just two of many such events in the coming months, and the need for continued discussion—and accompanying action—is clear. As oil and gas operators—upstream, downstream, and midstream—automate and interconnect increasingly large swathes of their businesses, exposure to potential cyberattack grows.
As their employees’ work-personal time divide continues to erode, they lapse into blending work and personal electronic practices. Sitting by the pool, phone in hand, and need to check something back at the office? Don’t feel like getting up, drying off, and walking into the study to take care of it? No need! Just take care of it through your smart phone.
This is (hopefully) an exaggerated example, with most companies by now presumably having put up some sort of barrier between Employee X’s handset and mission-critical controls. But it this example serves a purpose. It forces people to realize that they’ve come closer to doing that funny thing the presenter just mentioned than they’d care to admit.
No time for mirth
Energy firms experienced a lower share of critical information technology and infrastructure exploits and vulnerabilities than most other industries in security scans performed by Protiviti labs at over 500 organizations since 2009. The company’s “2018 Security Threat Report,” however, concludes that the US threat landscape has become more perilous.
The firm’s analysis of its testing data gathered over nearly 10 years found that:
• Vulnerabilities that can be easily patched are not being fixed in a timely manner, particularly within applications.
• Organizations are still running a high number of unsupported systems, increasing the risk for breaches.
Less than half of the vulnerabilities identified had publicly available exploit codes at testing time.
Protiviti listed energy as among the most vulnerable industries.
Tick tock
In March, the Trump Administration publicly blamed the Russian government for attacking the US energy infrastructure. The Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert warning that since at least March 2016 individuals employed by the Russian government had sought to penetrate critical US infrastructure sectors, including energy.
API 1164 outlines supervisory control and data acquisition (SCADA) cybersecurity processes for pipeline operators and is updated as frequently as is practical for a formal standard. Russel Treat, president and chief executive of EnerSys Corp., cautions that the processes outlined “could take years to implement correctly depending on the complexity of a SCADA system.”1
There are, however, steps operators can take to shore up cybersecurity independent of the standards. Protiviti suggests that companies:
• Maintain strong permission and user access controls. By periodically checking networks and default permissions-credentials, organizations can reduce the likelihood of a hacker gaining easy access to a network.
• Provide employee security awareness. Inform employees of the latest security threats and social engineering techniques, how they can protect themselves, and what the organization is doing to mitigate these risks.
• Implement a patch management program. Organizations should use automated tools to identify and apply patches within network devices, operating systems, and applications. For systems that cannot be upgraded or patched, compensating controls should be implemented to protect the network.
• Ensure strong system configuration management. Be sure to examine areas like password and audit policies, services, and file permissions, as these should be controlled through the configuration management process.
• Conduct periodic penetration testing. Penetration testing and ongoing vulnerability management across various pieces of IT infrastructure can help organizations identify security vulnerabilities and stay up-to-date with the latest tricks and techniques attackers are using.
Reference
1. Pipeliners Podcast, Episode 23, May 15, 2018.
Christopher E. Smith | Editor in Chief
Christopher brings 27 years of experience in a variety of oil and gas industry analysis and reporting roles to his work as Editor-in-Chief, specializing for the last 15 of them in midstream and transportation sectors.
