Cyberattacks are an increasing threat to businesses and organizations globally, and the oil and gas industry is and will remain a prominent target.
At the American Petroleum Institute (API) annual Cybersecurity Conference held recently in Houston, James Morrison, a technical expert on information technology (IT) with the United States Federal Bureau of Investigation, told an industry audience, “Every single one of you will be attacked, if you have not already been attacked.”
During 2016, 75% of oil and gas companies had at least one cyberattack, he said, stressing that companies must do more to protect their data and “the industrial control systems behind that data.”
All facets of industry business, very much including operating activity of any kind, are exposed and will only be more so as the Internet of Things proliferates.
More Than a Digital Issue
Thus, cyberdefense is much more than a digital or IT issue. It carries implications for every dimension of business, including health, safety, environmental, and financial activity. Cybersecurity experts are adamant that operations technology (OT) systems cannot be viewed as safe simply because they are not IT systems. While they have differing characteristics, IT and OT systems must be viewed as a continuum.
More than 200 groups globally, including some linked to national governments, are believed to be involved in cyberattacks on US installations, and the number appears to be growing with the rise of criminal activity on the dark web, Morrison said. However, the number of attack groups is surely larger than those known to have targeted US installations.
If there was a consensus coming out of the API conference, it was that the industry is not doing enough to protect itself. While companies may have protective programs and processes in place, the companies generally approach the problem reactively. “We’re actually getting a little numb about too many attacks,” Morrison said.
Disrupt the Attackers
What companies mainly are failing to do is embrace measures that can disrupt the by now established business models of many cyberattackers.
Ransomware attacks, for example, are affecting businesses of all sizes and types and have been growing phenomenally, according to Michael Leigh, the global head of incident response at NCC Group, a cybersecurity and risk mitigation consultant. These attacks use a type of malware that prevents or limits users of a computer system from accessing it until a ransom is paid.
Surveying the different types of ransomware and how long their attack models have been used convinced Leigh that attackers “are continuing to use the same tactics, the same methods,” he said at the conference. “The only thing that differs is the vulnerability. …. And why is it all the same? It’s because we as security people are not forcing adaptation.”
Raise the Bar
Notwithstanding industry vigilance, current cybersecurity efforts are a case of running as fast as one can while only staying in place, Leigh said. What is needed is constant cybersecurity adaptation to disrupt attackers’ business models and raise the “bar of entry” into ransomware activity. Doing so, he argued, would redirect attackers toward more lucrative targets, which typically are better protected. The number of attacks and their rate of success would likely decline.
Yet to raise the bar is very costly and “requires your executive buy-in,” Leigh said. “We have to start getting these security issues at a board and an executive level.”
System backups are essential to fighting attacks. However, backups can become infected and nullify an organization’s cyberdefense if an IT or OT system is inadequately protected. And backups should be regularly tested, which doesn’t always happen. Lack of certainty about backups increases the pressure to meet ransom demands.
‘I Think So’ Not the Answer
If an attack occurs and a CEO asks the head of IT whether there are backups, Morrison said, “‘I think so’ is not the right answer. You’d better know.”
Perhaps oddly, many companies seem to know that their cybersecurity efforts are falling short. Justin Harvey, managing director and lead for Accenture Security’s FusionX global incident response practice, told the API conference that 43% of companies recently surveyed said their greatest security threat comes from malicious insiders but added that 70% of the survey participants lacked confidence in their internal monitoring processes.
Energy companies, Harvey said, generally budget too little money for cybersecurity and give too little thought to testing their systems, technology, and people to ensure that they can protect their organizations from attacks.
His company has set up a “purple team” to provide clients with a testing regimen that combines offensive (red) and defensive (blue) cybersecurity operations to improve the client’s preparedness. The testing adopts a hyper-realistic format that simulates a zero-notice engagement with a cyberadversary, and the client has no specific base of prepared knowledge for meeting the attack. The testing program has proven “very successful,” Harvey said.
Levels of Warfare
John Kindervag, field chief technology officer (CTO) at Palo Alto Networks, sees the fight for cybersecurity as consisting of four key elements analogous to the levels of warfare in military theory: grand strategy, strategy, tactics, and operations.
Speaking at the conference, Kindervag identified the grand strategy as stopping data breaches. The strategy to accomplish that is to adopt a “zero trust” practice toward all seeking to use any part of an organization’s system. The tactics supporting that are the tools and technologies used to defend the system, and operations are the platforms and policies surrounding the use of the tools and technologies, he said.
To view stopping data breaches as the grand strategy could push new thinking, Kindervag acknowledged, such as elevating data security above maximizing operations uptime. But with a successfully implemented multilevel system, he said, “If they can’t get the data, they can’t steal it.”
Breaches, Attacks Will Occur
Still, a grand strategic defense probably will not be executed to perfection. Breaches and attacks will occur.
Gene Stevens, cofounder and CTO at ProtectWise, a cybersecurity company with many oil industry clients, said that the conventional understanding of how operating devices communicate with each other and with what and whom they may be communicating is dramatically at odds with their real communication behavior. Furthermore, current cybersecurity technology can sometimes hamper efforts to hunt and disrupt attackers.
“The state of technology is kind of clumsy,” he said. “It’s good at top 10 lists. Pie charts and pivot tables are really good at removing and hiding information. But what the technology is not good at is showing you all the information—some of which may be relevant and some not, depending on your skill level and expertise—that you need to be freed to make those determinations yourself, instead of relying on the machine to do it.”
Humans are visual and sensory oriented and excel at reasoning spatially. “We are good at taking a tremendous amount of visually oriented signal and have a real-time ability to filter through it and have a perfect expectation of accuracy,” Stevens said. “I feel entirely entitled to this notion that I can drive to work in the morning and not end up in an accident. That’s something that’s an unusual event.
“And so I look at that and think if I can do that in other areas of life,” he continued, “I should probably be doing that here [in cybersecurity], where there is a tremendous amount of signal, where hiding information is actually counterproductive.”
Immersive Visualization
However, to show all the information with a conventional “big data” approach would be overwhelming. Stevens’ company is using immersive visualization to solve the problem. An interface system it is researching and developing uses virtual reality (VR) gaming action to present data in scalable 3D visual imagery depicting the network as a cityscape.
The visual presentation enables users to readily focus at any scale on aspects that look unusual. Attacks can be shown visually as they move across the network, with a context displayed, for example, of the interaction between OT assets on an immediate basis or across time.
Adopting a visualization approach will not only facilitate rapid and proactive network protection, but it appears likely to address what many observers think is the biggest problem affecting network security: a shortage of cybersecurity professionals.
More Professionals Needed
According to ISACA, an international professional body previously known as the Information Systems Audit and Control Association, there will be a global shortage of 2 million cybersecurity professionals by 2019. A 16 March 2017 Forbes article noted that 40,000 information security analyst positions go unfilled annually in the US, and the industry struggles to fill 200,000 cybersecurity-related jobs each year.
Asked if they would rather have more technology or more people, virtually all cybersecurity managers would answer more people, Stevens said.
A prominent role for VR-based visualization technology would likely attract more people, particularly younger people, to the field.
In recent research, a large number of 18- to 24-year-olds interviewed about cybersecurity work indicated little awareness of the field. But when asked about the possible opportunity to use VR-type technology in such work, there was “very strong sentiment,” Stevens said, that “it would make it a more attractive and interesting field … and lower the barrier to entry.”
Thus, it might well give cybersecurity more technology and more people.