The SMi Oil & Gas Cyber Security conference held late last year in London offered an excellent overview of the problems facing oil and gas operators, who are confronted with multiple IT and process security risks. Oil and gas, according to chairman Ed Hamilton (Price Waterhouse Coopers), is one of the most heavily targeted sectors. Attacks come from groups focusing on espionage or sabotage. PwC has identified several state-backed groups targeting oils and has responded to ‘a number of severe network intrusions in oil and gas companies.’ Moreover, while such attacks are on the increase, regular firewalls, antivirus and spam gateways are ‘not likely to detect an attack specifically tailored to get into your network.’
Claudio Lo Cicero (Maersk Oil) confirmed that cyber-attacks and espionage are on the rise. This brings the risk of disruption to critical processes and of the loss of intellectual property and confidential information. Regulators, aware of the risks, are placing a growing burden on operators of critical infrastructure. Along with the headline-grabbing Duqu/Shamoon style attacks, oils are at risk from environmental ‘hacktivism,’ as witnessed by the attack on Shell and Gazprom’s systems by groups opposed to arctic drilling. Exxon, BP, Shell, Marathon, ConocoPhillips and BakerHughes’ systems were compromised by the NightDragon spyware for over 5 years before discovery. For Cicero, the first line of defense is your people. Awareness and education are key in that they can turn employees into ‘an extension of the information security team.’
A 2013 Veris study found that 80% of known malware requires some user action to execute. It is also important to go beyond reactive monitoring that focuses on exploit discovery after delivery. Proactive monitoring can identify threats in the reconnaissance and delivery phases before they become exploits. This may involve monitoring internet forums and social media for leaked information and checking what information may be freely available from requests for proposals and job postings. Companies must prepare for what is probably inevitable with appropriate processes and capabilities to manage complex incident response, recovery and forensics.
Cicero also discussed the pros and cons of managed security services. These may suit companies with insufficient internal cyber security resources and capabilities. Outsourcing may give better protection against rapidly morphing malware that may evade detection by internal systems. On the downside, outsourcing will involve complicated implementation and service level management and will in no sense transfer the risk. Organisations remain responsible for managing both the risk and the service provider. Outsourcing may also deprive companies of perspective and competency in security fundamentals. In his exhaustive treatment, Cicero outlined the security risks inherent to the extended supply chain. According to one study, 42% of breaches in 2012 were the result of third-party mistakes.
© Oil IT Journal - all rights reserved.