Cyber Threat Risk and Response for the CIO in the Oil and Gas Sector
The role of the Chief Information Officer (CIO) in the Oil and Gas (O&G) sector is expanding rapidly in both scope and complexity. This is driven in part by the increasingly sophisticated Internet of Things (IoT) technologies being deployed in infrastructure, and in part by the business functions that must be managed alongside them: aggressive merger and acquisition cycles, constrained funding and resource allocation, and cyber threats that have already targeted this industry successfully and continue to do so.
Whether Upstream (exploration and extraction of the raw material), Midstream (transporting, storing and processing the raw material) or Downstream (refining the raw material into consumable products for distribution to consumers), O&G organizations create, process and store tremendous amounts of sensitive information. Data such as new exploration zones and seismic readings, research and development, financial records and merger and acquisition details are lucrative targets for cyber threat actors working to identify, exploit and establish persistent access in O&G infrastructure. Nor is theft the only objective: the same long-term access to information technology (IT) and operational technology (OT) systems can be turned to destructive ends, as the destructive attacks on Saudi Aramco in 2012 and 2016 demonstrated.
Cyber threats and the related risks to the O&G sector have never been as pervasive as in the past several years. The Federal Bureau of Investigation (FBI) reported that in 2016, “75 percent of oil and gas companies reported a cyber attack incident”. In April 2018, The New York Times reported that “A cyber attack on a shared data network forced four of the nation’s natural-gas pipeline operators to temporarily shut down computer communications with their customers”. Cyber threats will continue to grow in volume, adapt to defences with increasing sophistication and target this critical national infrastructure. They will continue to come from a diverse set of actors, including nation-states, terrorist organizations, organized crime syndicates and hacktivists. Earlier this year, the Department of Homeland Security (DHS) and the FBI issued a technical alert (US-CERT Alert TA18-074A, March 2018) describing a Russian government threat actor targeting operational technology infrastructure in the United States. This should be a wake-up call for Boards of Directors (BoD), senior executives and CIOs: they must understand the risks targeting their sector and their obligation to mitigate them.
A common challenge for CIOs is how to identify, manage and reduce this risk while keeping the impact on business operations to a minimum. Managing cyber risk is as much art as science: the threat changes continually, and mergers, acquisitions and new technology implementations each introduce new risks, so the CIO and their staff must treat risk reduction as a continual activity rather than a one-time project.
The authors recommend that, at a minimum, the following six activities be implemented to reduce the organization's cyber risk:
1. Develop and implement a mature Cyber Risk Governance Framework that senior executives and the BoD understand, guided and supported by an appropriate cybersecurity control framework. A BoD and senior executives who do not understand the implications of cyber threats and the risks to their company cannot effectively provide governance and oversight. The NIST Cybersecurity Framework (NIST CSF) is one such model; it was written for critical infrastructure and can be adopted by O&G organizations.
2. O&G companies must have a Chief Information Security Officer (CISO) with the budgetary, operational and functional authority to identify risk and implement change in the organization. The complexity of cyber risk requires a dedicated CISO whose focus and responsibility is cyber risk and its mitigation.
3. O&G corporations, regardless of size, should conduct a yearly Cyber Readiness Evaluation (CRE). The purpose of the CRE is to give the CIO, corporate executives and the BoD a clear picture of the company's current state of cyber readiness. Without understanding the current state, it is difficult to define the organization's target state or to decide where resources should be dedicated to mitigating risk.
4. O&G corporations should empower the CISO with direct cybersecurity oversight of both the IT and the Industrial Control System (ICS) environments. ICS environments can be extremely complex to understand and manage, and many organizations do not have a good grasp of this infrastructure, which leaves it susceptible to cyber threats. In numerous O&G organizations the ICS environment is managed by the business with little or no oversight from the cybersecurity team.
5. Third-party supplier and vendor risk must be identified and managed to minimize impact. Many cyber attacks in the O&G sector specifically target third-party suppliers and vendors, on the premise that they have weaker cybersecurity measures that are more easily defeated. This was observed in April 2018, when several natural gas pipeline operators announced that a cyber attack on a vendor's shared data network had disrupted their electronic communications with customers.
6. Cyber insurance is a force multiplier for managing risk. Risk that cannot be addressed because of logistical issues or resource constraints may be transferred, in part, through cyber insurance coverage. Insurance transfers financial loss rather than operational impact, however, and a policy's exclusions and required controls should be reviewed carefully before relying on it.
No panacea exists to eliminate cyber threats and risks to the O&G sector; it offers a rich target and reward landscape for cyber threat actors. But there are steps that can be taken to mitigate risk, and BoD members and senior executives should ensure that the company's cybersecurity efforts are properly funded and resourced.