By its nature, work on thwarting cyber-attacks against oil and gas companies and their assets is an incremental process. The source, manner, and targets of potential attacks are always changing and, in order to be effective, defenses must anticipate threats before they manifest themselves.
In early 2011 the computer networks of at least five international oil companies, containing bidding plans and other confidential data, were penetrated by Chinese-backed hackers. Woodside Petroleum Ltd. Chief Executive Don Voelte told a conference in Perth that May that major resource companies were coming under increasing threat of cyber-attack from a variety of countries.
By September 2011, the Energy Sector Control Systems Working Group (ESCSWG), with funding and support from the US Department of Energy, published its "Roadmap to Achieve Energy Delivery Systems Cyber Security." BP PLC, El Paso Corp., Ergon Refining Inc., and Alyeska Pipeline represented the oil and gas industries in ESCSWG, with participants from the electricity industry and various government agencies completing the 14-member group.
ESCSWG's vision was by 2020 to have resilient energy delivery systems in place "designed, installed, operated, and maintained to survive a cyber-incident while sustaining critical functions." The roadmap broke out goals in five different categories, setting out strategies that included near, mid, and long-term milestones for each. It also identified six barriers to achieving these goals:
• Cyber threats are unpredictable and evolve faster than the sector's ability to develop and deploy countermeasures.
• Security upgrades to legacy systems are limited by inherent limitations of the equipment and architectures.
• Performance-acceptance testing of new control and communication solutions is difficult without disrupting operations.
• Threat, vulnerability, incident, and mitigation information sharing is insufficient among government and industry.
• The weak business case for cyber security investment by industry.
• Regulatory uncertainty regarding energy-sector cyber security.
Addressing information
David Frazier, Halliburton director of information technology, discussed an industry initiative to heighten security by better sharing information at this year's API Pipeline Conference in San Antonio. Building off the best practices from similar ventures in the financial industry, the membership-based Oil & Natural Gas Information Sharing & Analysis Center (ONG-ISAC) was created to provide shared intelligence on cyber incidents, threats, vulnerabilities, and associated responses.
ONG-ISAC members will have access to guided, anonymous information sharing via a secure web portal as well as automated sharing of machine-readable threat indicators. Real-time notifications for near real-time analyses, and open access to community leaders and security analyst experts, is designed to allow clear and rapid transfer of information regarding threats and vulnerabilities between ONG-ISAC members, other ISACs, vendors, and the US government all in one place. The ultimate goal is a coordinated response between members during industry incidents.
The time is now
Between Oct. 1, 2012, and May 1, 2013, the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team responded to over 200 incidents across all critical infrastructure sectors, 53% of which were in the energy sector.1 A June 2013 Council on Foreign Relations brief concluded that the number and sophistication of attacks on US oil and gas companies appeared to be increasing, as was their potential for inflicting damage.
More to the point, the brief stated that, given the continued deadlock in the US regarding legislation to address these threats, the oil and gas sector's most effective path forward would be self-help.2 Midstream respondents to Black & Veatch's 2013 Natural Gas Industry Report, however, while describing cyber security as "Important" in a ranking of Top 10 Industry Issues, still listed it below any of the other choices.
References
- ICS-CERT Monitor, April-June 2013.
- Clayton, B. and Segal, A., "Addressing Cyber Threats to Oil and Gas Suppliers," Council on Foreign Relations, June 2013.