Noah Fox (NF): As a leader in a cybersecurity firm serving the oil and gas industry, what specifically are you seeing as the most common threats to companies? Have they changed over the past five years?
Chad Neale (CN): There are many cyber threats to oil and gas, including increasing threats from nation states and “hacktivist” threat actors planting backdoors and time bombs to be used as unconventional warfare, as well as new ransomware and production network attacks. But the most critical vulnerability we see is the introduction of Internet of Things (IoT) technology, which exposes previously isolated production data networks and corporate data networks to broader networks; this leaves the production network vulnerable to multiple different attacks. And because many oil and gas companies do not have robust security programs with a dedicated IT staff, they are at even more risk and may not be able to react to and remediate cyber-attacks as quickly as needed.
There are also physical and environmental risks for oil and gas. Supervisory control and data acquisition (SCADA) services can cause physical damage if proper cyber safety procedures are not followed. While IoT systems allow for more flexibility in monitoring remotely, their use makes the systems they are connected to more accessible to outside threats. Oil and gas companies also must protect sensitive information including business proprietary information (geological deposit data, land royalties) and employee and customer information (bank accounts, addresses). A threat actor that captures this information could use it against those individuals (fraud, identity theft), or companies (ransomware, front running, negotiations, etc.). These threats also expose businesses to legal action.
NF: As oilfield digitalization has become more prevalent, do you find that companies are aware of security threats to digital oilfields, or is this something they learn about later after your company comes in?
CN: Many companies understand the threats inherent in digitalization, but they do not see the specific threat to their operations, such as the damage to or loss of operations as well as physical and environmental risks.
NF: Has this lack of awareness been an ongoing issue in keeping this industry secure? Have you seen an uptick in awareness in the industry?
CN: Absolutely. Energy executives and technologists are becoming more aware of the risks, but with the rapid growth in upstream and midstream players over the past five years or so, many are often too narrowly focused on building the business and don’t believe they will be targeted for an attack. Additionally, smaller operations often do not have dedicated IT personnel and are not familiar with the threats or how best to mitigate their exposure to the risks.
NF: With the current downturn, do you think the industry will see fewer attacks, or will hackers “kick them while they are down”?
CN: Unfortunately, hackers won’t let a good crisis go to waste. Oil and gas companies seem to be targeted for cyber-attacks at the same or a higher frequency than they were before the current market instability and the COVID-19 pandemic. Hackers are taking advantage of turbulence in the oil and gas industry. The energy industry has seen a major uptick in cybercrime since 2019. In February 2020 alone, 5,000 unique cyber-attacks were registered against energy companies. The U.S. and the U.K. are noted as suffering the most cyber-attacks worldwide.
NF: You cover a lot of regulatory issues. Could you delve into some specifics that you handle within the oil and gas industry?
CN: The primary cybersecurity regulatory frameworks seen in the energy sector are NERC/CIP and C2M2. NERC/CIP reliability standards define the cybersecurity requirements for planning and operating the North American bulk power system. NERC developed these standards focusing on performance, risk management, and capabilities. The overriding goal of the CIP standards is to ensure that the appropriate security measures are in place to protect the Bulk Power System (BPS) across North America.
The C2M2 is a voluntary evaluation process utilizing industry-accepted cybersecurity practices that can be used to measure the maturity of an organization’s cybersecurity capabilities. The model provides a well-defined framework an organization can benchmark itself against in order to measure its current maturity and target its future state of cybersecurity.
NF: What are some of the emerging security challenges that you see occurring in the oil and gas industry over the next few years? You mentioned ransomware earlier as a concern. What are some of the dangers of a ransomware attack specific to oil and gas?
CN: Ransomware can bring operations to a complete halt. For example, in February of this year, attackers gained access to a natural gas compression facility’s IT network via a targeted spear-phishing effort, in which specific staff were tricked by email into providing access credentials. Once in the network, the attackers deployed ransomware to encrypt data and demanded payment to decrypt that data.
According to the Cybersecurity and Infrastructure Security Agency (CISA), the division within the U.S. Department of Homeland Security that’s responsible for securing critical infrastructure, the ransomware incident affected the control and communication assets within the facility’s Operational Technology (OT) network. The ransomware attack led to a two-day controlled shutdown of operations, causing significant loss of productivity and revenue.
Cybersecurity situations were not considered in the facility’s emergency response plan. There was no segmentation between information and operational networks, and there was no staff training regarding phishing that could have prevented network access by criminal elements.
The facility was ultimately able to restore the affected data files from secure backups and resumed operations shortly thereafter. The damage was limited in scope, but significant losses were recorded at this and connected facilities.
NF: Relatedly, why is spear-phishing a concern for oil and gas?
CN: Spear-phishing, a highly targeted form of phishing sent to specific individuals in order to gain confidential information, often leads to wire fraud and ransomware, as in the previous example. Most recently, in April 2020, hackers used fraudulent emails targeted at energy professionals, attempting to entice them to click on links that would download malware to their devices. The malware enabled criminals to gain access to confidential information on user machines.
These spear-phishing campaigns used industry-specific terminology and company names to provide themselves with the appearance of legitimacy. For example, energy company officials in the U.S., South Africa, Turkey, Oman, Malaysia, and Iran have received emails impersonating ENPPI, a well-known Egyptian engineering contractor.
Similarly, a campaign posing as a well-known shipment company used industry terminology and specific oil tanker information targeted at Philippine energy officials. These campaigns used a spyware Trojan, which surreptitiously downloaded information to user systems when they clicked on seemingly relevant attachments. The spyware enabled remote users to access confidential information from user systems.
Additional related campaigns have employed malware that installs keylogging software that enables remote viewers to capture keystrokes (e.g., login information, typed memos, etc.) from infected systems.
NF: Do you see different cybersecurity concerns for upstream, midstream or downstream?
CN: What we have found from working with oil and gas companies is that downstream, due to NERC/CIP, will typically be further along the maturity spectrum than upstream and midstream. Upstream and midstream are more likely to use outsourced service providers or non-IT personnel responsible for IT and cyber, which can lead to security and cyber concerns.
NF: Most importantly, what are some actions oil and gas companies should take to protect themselves?
CN: One of the most important things you can do is implement a training program focusing on the prevention of phishing, spear-phishing, and other forms of social engineering as this is a very common entry point for hackers. Employee awareness is the most critical protection for your business. You should also ensure all operating systems, anti-malware, and device patches are regularly installed via a mandatory patching policy and ensure device patching programs reach and are enforced for users in the work-from-home environment.
If you haven’t done this already, you should perform a cybersecurity risk assessment, in which potential areas of risk are located and controls are subsequently detailed. Also, have a plan for incident response in case cyber-attacks do occur, and regularly test that plan. You should develop a risk management program to inform resource allocation decisions and perform a thorough review of SCADA segmentation/isolation so you can ensure that all remote access is secure and protected. And one thing that people sometimes forget is to ensure your outsourced IT providers are up to the challenge and are as secure as you are.
NF: Finally, what kind of risk assessment/mitigation are you providing for COVID-19? Are you involved with many safe practices for re-opening businesses?
CN: As mentioned above, cyber criminals are not waiting for COVID-19 to disappear before targeting their victims. In response, we have retooled all our cybersecurity and risk assessments and testing in order to effectively perform them remotely. Onsite visits, if needed, will be performed post-COVID-19. We’ve also developed an extensive program for protecting your business from cybersecurity risks during COVID-19, as documented in our COVID-19 resources page, and will be releasing a step-by-step process for returning to work safely. We also offer a free working-from-home assessment checklist and online training and awareness on cybersecurity as part of our cybersecurity services.
ACA Aponix is the cybersecurity and technology risk/maturity assessment and advisory division of the ACA Compliance Group. It consists of a team with deep technology, cybersecurity, and data privacy experience. Our team is comprised of senior technologists, former CIOs, CTOs, technology operating partners, chief information security officers, directors of information security, M&A due diligence and integration experts, and data privacy professionals. These team members started in the technology trenches and were previously technology leaders in a variety of verticals, including financial services, technology, healthcare, energy, retail, consumer, and manufacturing/distribution. ACA works with hundreds of firms, ranging in size from less than 10 to over 10,000 employees. Our award-winning solutions are designed to help companies uncover risks and identify deficiencies in their technology infrastructure and cybersecurity policies, procedures, and controls.