Stark Realities of Managing Cybersecurity Risk

The oil and gas industry absorbs 40% of all cyber attacks, which could result in business interruption, shareholder backlash, civil litigation, and risk to human lives and the environment.


Worldwide, the cybersecurity threat is real and growing. The oil and gas industry’s technological critical infrastructure has been especially hard-hit, absorbing 40% of all cyber attacks globally. Yet the realities are not resonating effectively with industry executives, because many companies have yet to put comprehensive protection plans into action.

This issue is potentially so devastating that it figuratively shouts for a short course about the chances that companies are taking, what vendors and purported experts are advocating, the grave risks, the unvarnished truth about hackers and company vulnerabilities, and how waiting for disaster is a dead-end choice.

Largely because of the industry’s worldwide exploration and production scope and the vast population dependent on energy, oilfield companies cannot simply blend in with the landscape and become unrecognizable as a major cyber target. For example, Telvent, which makes a control system for smart grid networks, was recently hacked. Project files for its supervisory control and data acquisition (SCADA) system were accessed and malware was installed on its network in the attack.

Other attacks have occurred against Saudi Aramco, which required 10 days to get its network back online after a Shamoon Wiper malware cyber attack disabled more than 30,000 workstations in a supposedly politically directed action by a group of hackers called the Cutting Sword of Justice. In a costly move only possible with a sovereign nation, the company sequestered its entire network while determining the cause of attack and fully restoring service. Meanwhile, the Chinese military has been accused of attempts to hack all types of industries, with a particular focus on oil and gas, according to the Mandiant Intelligence Center Report.

Response Offerings

This disturbing news has had polar opposite effects. One is that the threat message is not getting through to many oil and gas companies. It is akin to a tree falling in a forest when nobody is there to hear the crash. Conversely, springing into action are vendors, so-called cyber experts, and conferences offering cybersecurity solutions to the executives who are receptive to the message. With this growing demand for both information and installed protection, more companies are taking the cue that they need technical cyber expertise they do not have internally to survive the hacking they may have never expected (“Nobody would attack us. We are too small.”).

When companies do become engaged in seriously protecting their organization and its resources, the budget should not be arbitrary. Rather, it should be allocated on a basis commensurate with the spending on any other insurance or similar budget items. Benchmarking the traditional safety budget is a good approach, since it is typically proportioned over several years based on risks. Similarly, physical or plant security offers comparable guidelines for allocating resources to deal with both the threat and its consequences.

Grave Risks Every Company Faces

With such dire cyber threats lurking every day, companies that do not recognize the real risks they face from hackers should take a closer look. A graphic enumeration may include a catastrophic event causing widespread injury and even loss of human life, facility damage, and environmental impact. A hacker may shut off a safety system, and cause alarms to fail and equipment to become inoperable. The result could be the destruction of wide-ranging installations from downhole drilling sites to gas processing plants. There could be devastating spills or blowouts, and compressors on a pipeline could overheat.

Another major problem is business interruption. Security breaches may cause a company to halt operations in all facilities, not just the affected one, to fix a breach. When Telvent’s system had to be shut down and rebuilt, it could not be used in the interim. In a nonenergy hack, Sony experienced an estimated USD-2-billion loss in cost and business interruption to repair cyber damage, thus dispelling the common thinking that interruptions only occur with explosions or other physical destruction.

A third major risk is shareholder backlash from a cybersecurity loss. When shareholders begin thinking that a company has been cyber attacked, news media and financial markets tend to quickly and negatively respond to that mind-set. In turn, shareholders may “vote with their feet” and cause a huge reduction in stock and equity value. This scenario could even prompt someone to conduct a cyber attack specifically so they could short sell or engage in other nefarious activities.

And never overlook potential civil litigation arising from cyber attack incidents. Whenever an accident causes injury or loss of life, consider it pro forma that the affected families will be filing lawsuits. Civil litigation is based on the concept that the prudent person (company) should provide normal, reasonable steps to mitigate a threat. Reflexively, the response often is that a company was not aware of the threat. However, cybersecurity threats have become so pervasive in the news that “didn’t know” has virtually become a meaningless claim.

Additionally, ignoring risk is itself risky not only to the enterprise, but also to those managing the enterprise. Failure to mitigate risk or deal with threats can, in many countries, result in heavy fines and/or jail for individuals who are not protecting the public.

The Realities

In the global oil and gas industry, companies that viewed themselves as nonvictims or occasional victims of hackers are shocked when informed that cyber intrusions at a typical company may total in the thousands on a daily basis. Compounding the denial, executives usually express confidence in firewalls, which are only a single-level, or perimeter, defense. One-dimensional defenses have proven inadequate. Further, liability from a cyber attack extends to personal injury and environmental damage. Over and above severe business interruption and loss of capital and income, people can get hurt and killed while the environment experiences pollution and other adverse effects.

One of the most unrecognized realities is that data security from cyber attacks is no more an extension or subset of information technology than a corporate safety initiative is a function of operations. From a management perspective, the key takeaway along these lines is that cybersecurity must be recognized, managed, and directed from the top down on the company’s business side. If not, the program will have a greatly diminished impact. Cyber attacks are not a peripheral threat; rather they are a mainline dagger to the heart and central nervous system of an oil and gas company and should be handled accordingly.

In short, a waiting game is potentially deadly. Continuing with business as usual until the company gets struck by a cyber attack is incomprehensible in 2013. Inevitably someone will be hurt or killed, the company will be sued, and it will indefinitely be stopped from making money unless this real threat, looming like a toxic fungus, is defended against.

The issue of cybersecurity is incredibly sobering. Companies can possibly get lucky and skipped over by hackers. Anything is possible. But what responsible company does not buy insurance for other potential damages? Why would a company not insure itself and take action against a threat that could destroy its capability to function and make a profit? Becoming cybersecure is not a catchy theme; it is what good management should be all about.

Chuck Drobny is the chief executive officer of Houston-based GlobaLogix (www.globlx.com).