The capabilities of the digital age can be a double-edged sword. The same technology used by the oil and gas industry to process and store financial data or remotely monitor and manage complex plant operations also presents the greatest vulnerabilities.

Among the most recent threats, hacker group “Anonymous” recently declared a “call to arms for Operations Control”—setting its sights on the global energy industry.

In 2012, Saudi Aramco suffered a cybersecurity breach and in an effort to protect the company’s assets, “about 30,000 disk drives at Aramco had to be destroyed,” according to Neil Siegel, sector vice president and chief technology officer (CTO) at Northrop Grumman Corp.

From knowing what requires protection to identifying “channels of vulnerabilities” in company technology to facilitating a culture where employees are well-trained and accountable, the scope of cybersecurity is an “adaptive and proactive process,” Siegel told attendees at a Hart Energy-sponsored breakfast.

A fellow speaker at the executive forum—Donald L. Paul, a former vice president and CTO at Chevron Corp.—said cybersecurity is not an information technology (IT) problem.

“Cybersecurity is a management problem,” said Paul, executive director of the Energy Institute at the University of Southern California.

“When I retired in '08 [from Chevron], we were averaging about 50,000 [cyber] attacks a day,” he added.

According to Paul, the nature of cyberattacks will continue to evolve, and while the oil and gas industries are better-armored than most, they also must evolve by effectively managing risk.

“The how is what most people think cybersecurity is all about, but I would argue that from a management point of view and from a company point of view, managing the risks is at least as much about who, what are they trying to do, why are they doing it; because if you don’t assess the risks and the threats that way, you may be pouring resources into the wrong place,” he said.

Although both the severity of the threat and effectiveness of cyberdefense are largely dependent on where either falls on the IT curve, risk management provides a “security framework” for productive strategizing. According to Siegel, a company’s IT department should not be left to determine what requires protection.

“The integrity of your financial information is clearly a management responsibility, but it’s also a potential for criminal activity,” Paul added.

In order for oil and gas firms to focus resources on “low-probability but high-impact events,” both speakers explained the various types of cyberthreats.

According to Paul, the five main classifications of cyberthreats are:

• Mischievous hacking, which constitutes a large majority of attacks on major companies but is generally a lesser threat;

• Intended criminal adversaries, which seek market intelligence and financial information;

• Internal espionage, which includes all employees and is among the biggest sources of threats;

• Radical political groups, which can damage the company’s reputation and potentially become an obstacle when trying to obtain a permit, for example; and

• State-sponsored threats, which are well-funded, have strategic or geopolitical objectives and can be transnational entities.

Paul said the final category poses the greatest threat for energy companies.

“State-sponsored attacks are certainly something that plays out as advanced persistent threats [APT]. The nature of the threat and the extensive resources being applied are much more substantial than any of the other ones [threats],” he added.

Siegel agreed and said his company—the largest security contractor for the U.S. government—has a contract with Saudi Aramco to provide security services. He identified several similarities between the federal government and the energy industry that draw similar threats with regard to legalities.

They include:

• High-value capital assets;

• Complex operations distributed in interesting parts of the world;

• Operations within extremely rigorous legal and social frameworks;

• A definition of success that is highly constrained and highly defined; and

• A need to protect against actual damage, as well as manage the business of getting along with a community.

“The cyberthreat, like the physical-protection threat of a large capital asset in a dangerous part of the world, is a very dynamic problem,” he added. “There are talented and determined people out there who want to attack those assets both physically and through the cyberworld. … They have access to great intellectual capacity.”

Several methods of cyberattacks are used to breach security. For example, Anonymous often uses distributed-denial-of-service attacks to overwhelm computers with web traffic.

But most APT threats, such as state-sponsored ones, are multimode; that is, they typically involve both cyberattacks and physical attacks. Beyond the difficulty of defending against multimode attacks, the speed at which such threats advance their approaches is accelerating.

A cyberattack can manifest via a variety of means, according to Siegel. These range from a basic printer, which can provide a potential gateway into a company’s network, to demonstrated advanced technology that can disable security sensors at refineries from as far as 40 feet away, he said.

“The APT is a whole modality where they get something into your computer and your network through any of a variety of means,” Siegel said.

Paul added: “Everything has increasing digital intensity. These [technologies] create more exposure … that’s the trade-off of having the efficiencies that go with it.”

No matter how much progress an energy firm makes with its cybersecurity-protection strategies, the adversary’s technology will continue to evolve, and the company’s protection strategy must evolve with it, Paul said.

“Comparative to most industries, the oil and gas industry has always been a sophisticated industry when it came to the use of information technology,” he said, adding that the starting point for the energy industry was, therefore, “very high.”

Given the noted similarities between national cybersecurity threats and cybersecurity threats in the energy industry, Paul and Siegel suggested that a national-security method of defense might be applicable.

“Maybe it’s not really an industrial application or consumer or commercial good,” Paul said. “Maybe it’s really more like a defense and intelligence strategy.”

Siegel said such threats could include terrorism, accidents or natural disasters. He described a basic methodology to “detect, assess and respond” that Northrop Grumman uses for integrated physical, cyber and response management to improve “adverse incident-management timelines,” enable “swift decision-making at vital moments” and enhance “collaboration and situational awareness.”

Regarding best practices for data-sharing between customers and data-providers, Paul and Siegel said that data-sharing creates repositories that become attractive to adversaries, but sophisticated data providers try to strike a balance between the application of a common solution to several installations and the development of customized solutions for every installation.

An integrated plan, assigned management responsibility with adequate resources and knowledge of how your supplier’s capabilities propagate into your company’s system, is a necessary part of the cybersecurity discussion, Paul said.

“Ultimately, you need to build a set of relationships that will help you ensure you’re on a technology curve, and you stay on it, because you can easily fall off of it,” he added. “This is not a solvable problem, but it is a manageable problem.”