By Shanti Terry
The digital world is one filled with dangers for all industries, and oil and gas is no exception. Industries that make up our nation’s critical infrastructure, like the energy sector, remain constant targets of entities outside the United States who mean to do as much harm as possible for their own gain. After conversations with experts involved with the tech industry about the issue of cyber security, one quickly reaches the conclusion that, despite many companies’ efforts at taking major steps to protect themselves, there are still others who are doing the bare minimum and may not even realize it. A lack of knowledge and awareness surrounding cyber security is to blame, as is a need for better methods of strategizing. On this, our third journalistic foray into the digital domains of the oil and gas industry, we found that there is still much groundwork to be laid on the path to establishing true cyber security.
Awareness: A Lack Thereof
Operation Cleaver. Energetic Bear. Night Dragon. Do you recognize those names? According to Andrea Little Limbago, those in the oil and gas industry should, as all three are large advanced persistent threat campaigns designed to specifically target the U.S. energy sector over the past few years. The attacks came from Iran, Russia, and China—competitors in the United States’ oil and gas industry. Limbago is the Principal Social Scientist at Endgame, a cyber security software company involved in protecting both national security and commercial interests from advanced cyber threats.
For those of you who recognized the names of the attacks on the oil and gas industry, kudos to you. For those of you who didn’t, according to Limbago, it may not be your fault. Limbago shared with us that she is surprised at how little coverage the media gives to stories concerning security breaches if they don’t consider them to be high profile cases, such as Target, Home Depot, and the recent Office of Personnel Management breach. “At the end of the day, the more worrisome attacks and potential attacks that are being caught are not the ones that are gaining much attention,” said Limbago. “This is especially true of the oil and gas industry specifically. The media reports more on stories that are more sensational, like the breach at Sony.”
A lack of information circulating concerning security breaches is a problem, as many people are left in the dark about what their companies are up against. Limbago attributes some of the lack of news coverage to the fact that many of the cyber threats have been stopped before their actual goals could be achieved, although there have been cases of theft of intellectual property that have impacted many companies. She said another reason could also be that cyber attacks in the oil and gas industry are unlikely to affect everyday citizens across the United States.
Despite the fact that only high profile breaches are given a large amount of attention, Limbago said that every little bit helps when it comes to spreading awareness about cyber security threats across the broader population. “Cyber security is definitely gaining awareness and attention with some of the high profile breaches.”
Thomas Mandry, CEO of Mandry Technology Solutions, an MSP (Managed Service Provider) company operating across West Texas, had another reason to offer concerning why there is a lack of awareness about cyber security in the oil and gas industry. He attributed a lot of the cause to the industry’s rapid growth. “It’s because, often, that industry is in a hyper-growth mode. They’re focused on what they do in their core business,” said Mandry. “They do some basics like a standard firewall and antivirus software, but they are still leaving themselves exposed via things like passwords left out on desks on sticky notes and passwords that are easy to guess, like family members’ names.”
Cyber Attacks: Who? What? Why?
In addition to awareness about threats that exist, there are many other questions that need to be answered on the trek to reaching full cyber security. These questions are:
(1) Who’s attacking?
(2) What information are they after and why?
Who’s attacking?
According to Limbago, those attacking the United States on a cyber-level are nation-states and non-state actors. “The majority of these [attacks] are coming from nation states, and so they’re much more sophisticated than something that would come from non-state actors. Most attacks on oil and gas are advanced persistent threats, and so they’re coming from very competent groups.”
Stephen Slick, Director of UT-Austin’s Intelligence Studies Project and Clinical Professor at the LBJ School of Public Affairs, shared with us that he believes threats against the United States are both foreign and domestic, as well. As a former CIA officer and National Security Council official, Slick is no stranger to matters of national security, including the digital sector. Slick shared, “The efficient flow of information within and between firms, and to the rest of the world through the Internet, is a modern business imperative but it creates opportunities for access by malign actors ranging from disgruntled employees and business competitors to foreign governments.”
What Information Are They After and Why?
In short, they are after everything. Those who seek to harm the United States are after any and all information they can get their hands on. “Anything along the lines of IP theft—looking for new exploration oil and gas drilling areas, or photographs of new drilling techniques—is what they’re looking for,” said Limbago.
Slick mentioned intellectual property, trade, and financial data, but he said it doesn’t stop there. Personal information about employees is also data that needs to be protected. As an example, Slick talked about the recent Office of Personnel Management breach, where many current, former, and prospective employees’ information was compromised. “The recent attacks against records held by the Office of Personnel Management, attributed to the Chinese government, illustrate the need to protect not just sensitive strategic and tactical information but also the personal data we gather and store on employees. Cyberspace remains a poorly understood, chaotic, and dangerous environment.”
Commenting on destruction and intellectual theft as a means of gaining a competitive edge, Limbago stated, “Stealing information from the R&D that U.S. companies invest in allows them [competitors] to leapfrog and not have to do that similar investment. On the other end, they are after achieving political, economic, and even military objectives through physical destruction.”
Limbago went on to explain that physical destruction causes problems not only from a global perspective, but also on a smaller scale, for individual companies. “The Saudi Aramco case is an example. That was an Iranian attack that targeted Saudi Aramco. It destroyed thousands of computers. All of the memory was wiped from the computers so that they could not be used. It caused the company to have to reinvest in their entire network system. Looking at companies that have had that happen, they were barely able to survive the instance.”
While companies struggle to piece themselves back together after destruction attacks, the perpetrators, those who should be located and punished, are often hard to find. Slick pointed out that there are few consequences served to those foreign governments who come intruding. “It is incumbent on the United States to lead in articulating and enforcing standards for conduct, at least concerning foreign governments. Until we impose a higher cost for aggressive actions in cyberspace by foreign states, the United States will continue to suffer economic harm, and private businesses will remain principally responsible for protecting their own networks.”
Where are we now?
Current issues, like the sharing of information between the government, the state, and private and public sectors, seem to be a matter of perspective. Each of our experts had plenty to say on the matter, as there are positives and negatives to view from all sides of the issue.
Limbago said that oil and gas is leading the way for government cooperation, pointing out that the industry is part of the ICS-CERT. “It stands for Industrial Control System-Cyber Emergency Response Team. The Department of Homeland Security has set it up to cooperate very specifically with the 16 different sectors of our critical infrastructure.” Limbago further explained that she believes valuable information is being shared through the ICS-CERT system because information about attacks between competing companies, which would not usually be shared, now has a way to be spread. “ICS will let the competing companies know about the attacks so that they can know what they need to watch out for. The information sharing is great despite the fact that information sharing legislation is stalled in Congress right now.”
Congress being stalled on information sharing was a matter of concern for Slick, as he mentioned that he feels businesses should demand action by their elected representatives on cyber security legislation. He stated, “The Congress has missed multiple opportunities to debate and pass cyber legislation that, at a minimum, would promote sharing of information on network intrusions between businesses and between the private sector and the government. Liability protection should be available for individuals and organizations that participate in our national cyber security efforts.”
Eddie Block, the current Chief Information Security Officer and Cyber Security Coordinator at the Texas Department of Information Resources, spoke on behalf of the state and its current status for information sharing. Block said, “One of our goals here, within the state, is to not only collect information, but share it with our public partners. We are trying to develop ways of sharing that information with the private sector partners.” Block went on to say that the maturity bar of the state is being moved up concerning cyber security. That feat is being accomplished because the DIR is developing new programs that ingrain the Texas framework into everything the state does. Other DIR workings as of late include setting up new risk and assessment centers and new internet reporting systems that allow for better visibility of incidents statewide and other programs. “We’re working with a number of our higher risk agencies to make sure that we’re sharing information better and in a more uniform way.”
On a federal level, Block stated that the DIR has federal partners that information is shared with, and they reached out to them so that information can be shared nationwide. “We also reach down into the agencies, providing information to them to get feedback on who else is seeing the same kind of activity,” said Block.
The Cyber Future
The prevailing thought on the future of cyber security is best summed up by saying that we’ve come a long way, and we still have miles to go. Mandry and Limbago shared a common opinion that technology and threats are dynamic rather than static now, and that makes it more difficult to keep up as things move forward. “Companies’ ability to stay up to date with technologies that can protect them is hard to maintain,” said Limbago. “As new technologies come along, hackers are able to adapt and find different vulnerabilities. The technology is there, but it’s a matter of companies prioritizing the modernization of their technologies to help them defend themselves better.”
Describing the future of technology as uncertain, Slick declared that cyberspace will remain “an open, relatively unconstrained competition” as time passes. He continued, “To protect and advance U.S. interests, it will be important to find common ground between our government, commercial, and technology sectors that we lack today.”
Goals for the future concerning technology in the cyber security world were focused on modernization in Mandry’s mind. He said, “Better ways of getting alerts into the hands of the customer is something that’s being sought out. I think things are moving closer to that goal, but not quite there yet. I’d like to see more things like apps, where the alerts pop up and make the customer aware that an event is happening, and they can choose whether they’d like to take action or not.”
Limbago’s thoughts went towards technology, but further still, onto plans for better self-awareness, better management of important information, and a better understanding of the risks involved in security breaches. Her final thought was of great insight, as she gave a warning about vigilance during downturns. “The oil and gas industry is very tied to the prices of the market, but so are some of our competitors and they are willing to take greater risks like trying to go after destruction and information theft during downturns.”
The targets are set, the threats are persistent, and the technology is dynamic. Cyber security is an issue that’s here to stay, so instead of fighting or ignoring it, the oil and gas industry must work to adapt itself to survive as it moves along.
Watch for Part 2 in our October issue. See the sidebars in our digital edition.
Shanti Terry has been a freelance writer/blogger since 2011. She can be reached via email at: terryamoni@gmail.com.