Last week I chaired a cybersecurity summit in Houston, Texas, one of many cybersecurity conferences focused on this sector. While the American Petroleum Institute (API) has sponsored such conferences for nearly a decade, the proliferation of these conferences, along with the resurrection of an Information Sharing and Analysis Center (ISAC) for the oil and gas industry, reflects greater activity to address real or perceived cybersecurity threats. Unlike other sectors, however, there are no direct cybersecurity laws or regulations targeting this sector. Instead, it is one of many that must comply with Sarbanes-Oxley, state breach laws, and the Payment Card Industry Digital Security Standard (PCI-DSS) where relevant. On the operations side, cybersecurity regulation is largely indirect, arriving through mechanisms like the Chemical Facility Anti-Terrorism Standards (CFATS), which are mostly about physical security for potentially dangerous chemicals but include a cybersecurity element around protecting the inventory information. In any case, even voluntary industry standards, such as API 1164 for pipeline cybersecurity, have been slow to be adopted across the industry.
Despite the somewhat lackluster initiatives until recently, the industry has been subjected to several high-profile attacks targeting highly sensitive intellectual property, such as “Operation Night Dragon,” which involved the theft of bid and operational data from several large oil companies. However, that was five years ago, and while cybersecurity has gained more attention across the board, there is still a lingering sense among many in the oil and gas sector that the threat is manageable with existing resources. Later attacks on Saudi Aramco and pipeline control system vendor Telvent have not created a groundswell to significantly step up spending. Perhaps the fact that there has yet to be an injury, death, plant stoppage, oil spill, or explosion attributed to a targeted cybersecurity attack has led the sector to believe that current threats are merely a nuisance, albeit a very painful one in the case of Saudi Aramco, where 30,000 hard drives were corrupted. However, this level of comfort may be akin to whistling past the graveyard. Like other critical infrastructure sectors, the oil and gas industry relies on the lack of incentive or skill among its adversaries as part of the justification for this go-slow approach. That is a viable risk management strategy only so long as those adversaries remain segregated. Typical cybercrime organizations looking for an easy profit are more apt to focus on retailers like Target than on oil companies holding little personally identifiable information. Intellectual property theft, while definitely growing, requires greater sophistication and patience to fully exploit. Moreover, much of the data is time-sensitive and loses its value quickly. Sabotage and destruction, long viewed as the eventual tools of terrorists, have yet to fully materialize, although we got a dramatic preview with the Saudi Aramco attack. But as capabilities and funding increase, it is only a matter of time before something goes boom.
One possible scenario is that the now disconnected hacker communities recognize the value they can provide to terrorist organizations that are willing to pay. Nation states have already turned hacking into a very large business, and it’s only a matter of time before terrorists catch on.
So, that leaves us with the question: Is this recent spate of activity among oil and gas companies in the cybersecurity space a real game changer or simply a passing fad? My money is on the former. While I believe the release of the Framework for Improving Critical Infrastructure Cybersecurity is hardly a catalyst for real change, I do believe its value as a marketing tool to raise awareness among senior executives should not be discounted, despite the fact that most large oil companies already implement security controls that largely adhere to this framework. Many of these executives lead some of the largest and most profitable companies on the planet. It’s hard not to approve some additional spending. However, that raises the question of where to spend the money. The Target incident proved that having state-of-the-art tools is useless without enough highly trained professionals to follow up on the alerts, and many oil companies operate around the globe over every communication medium imaginable. Recognizing the need to do more is only the first step. But many are taking that step, and it reflects well on an industry that is doing so without a gun to its head. Let us hope this opportunity is not squandered by regulatory regimes that seek to impose cybersecurity requirements that increase costs and worsen security postures, as has been the case in nearly every sector with mandatory cybersecurity requirements.