Oil Gas Cyber Security & SCADA

Digital Danger: How Do You Build An Effective Cyber Strategy For Oil & Gas?

Posted: 10/14/2013

From the technical to the cultural, there a many risks associated with digitizing upstream oil processes.


As David Joy, Senior Project Integration at Weatherford explains in the following interview, Cyber threats exists that can be managed if you stay ahead of them – read below to find out the elements that go into building and maintaining a robust and proactive cyber security strategy:

Highlight the range of technological and cultural risks associated with going digital.

Technological risks:

  • Company intellectual property, trade secrets, etc. typically are more accessible to a larger audience when stored and accessed via digital methods.
  • Digital surveillance and gathering/storage of personal data is pushing the limits of individual privacy concerns, and increasing the corporate liability for privacy breaches.

Cultural risks:

  • Global staff possesses varying degrees of knowledge about cyber-security, the importance of safeguarding company intellectual property, etc. – some regions may be quite deficient in their treatment of cyber-security.
  • People are more apt to make poor ethical, personal and business decisions behind the relative anonymity of the Internet vs. in person.
  • Identity theft is a growing risk that crosses cultural, age and educational borders, and can have negative implications in the corporate world as well as the personal domain.

RELATED: Life In The Age Of Stuxnet - Scada Systems In The Developing World's Technological Order

How are cyber threats seen to be evolving, and how can organizations stay ahead of this?

Data breach – laptops or other devices containing personal data of customers/clients are compromised, potentially leading to identity theft via "phishing" attempts.

Malware – drive-by downloading (delivery of malware from a malicious URL), mobile device application repackaging (and delivery via alternative channels), and "smishing" (unsolicited text messaging prompting users to divulge personal credentials) are all sources of malware.

DoS and DDoS – distributed denial of service attacks of various forms and at various levels within the network; lately, DoS used to create a diversion away from an intrusion or other more ominous type of cyber attack.

Mobile devices – mobile phones, tablets and phablets are no longer immune to viruses, worms, etc.; also, BYOD (bring your own device) are introducing an additional layer into the cyber security domain, especially personal mobile devices that connect to the corporate network.

Industrialized and commercialized fraud – fraud rings; software building blocks for developing fraudulent programs are readily available; fraud websites, fraud conventions, etc. are all contributing to the growing number of cyber threats.

Insider threats – the disgruntled employee, or the employee who looks to profit by trading his/her employer’s trade secrets.

What can be done to stay ahead of these threats?

Careful control over what data resides outside of corporate servers; better firewalls; multi-factor authentication required to access sensitive data; written cyber-security policies that are audited and enforced.

Better education of employees about security threats, common tactics, avoidance, etc.; internal emergency response teams; keeping up to date on anti-virus programs, etc.

Better firewall equipment, and properly configured perimeter guardian equipment.

Use care in utilizing mobile devices within the corporate data environment; avoid BYOD (bring your own device) unless strict controls are placed over the personal devices, including which applications are allowed to reside on the devices.

International cooperation required to police and penalize organized fraud; increased budgeted spend within corporate and industrial environments to combat fraud.

More careful control over employee’s access to data; intolerance over security breaches.

RELATED:
TED Talk: Mikko Hypponen "Three types of online attack"

Explain the elements that go into building and maintaining a robust and proactive cyber security strategy.

A cyber-security policy should be carefully developed and written. In addition, a written quality plan should accompany the policy so that compliance can be assured.

People are the first line of defense and also the weakest link – proper training, awareness, and audit are paramount in an effective cyber-security strategy; as an example, prepare "ePolicy" classes utilizing the corporate online learning system. These classes need only be a few minutes in duration, but can be very effective in educating personnel on the corporate cyber-security policies. IT involvement of HR in the process can serve to create and emphasize a corporate culture of integrity and loyalty.

Start at the top. Proper prioritization of the cyber-security strategy is necessary, and an endorsement by the company president or CEO can serve to convey the importance of developing and executing a cyber-security strategy.

Proper risk assessment is necessary in order to decide which cyber-security threats are most damaging to the specific corporate digital environment. A proper risk assessment compares the probability of the specific risk to the cost of the risk if the risk is realized.

Appropriate classification and marking of sensitive and/or proprietary data/information is absolutely necessary in order to properly protect the information.

External company interfaces and cross-country borders are important considerations that cannot be ignored. Vendors and contractors who have access to sensitive information must be educated and audited to insure compliance with corporate cyber-security policies. The involvement of home-country personnel in foreign offices can serve to help enforce compliance with the corporate cyber-security policies.

RELATED: Setting The World aFLAME: Oil & Gas vs. The World's Deadliest Computer Virus

Speak to the importance of understanding ‘cyber threats’ and how you can overcome them – where has this gone wrong?

A serious mistake being committed by many organizations is the failure to appropriately analyze the risk of a particular mechanism or behavior causing a cyber-security breach vs. the amount of time, expense and labor it takes to prevent the cyber-security breach. For example, prohibiting the use of all thumb drives and other USB-based devices from being used on corporate computers may be an excessive move when the risk is analyzed.

If the corporate IT policy pushes anti-virus out to the devices, configured with periodic updates, and if USB devices are required to be automatically scanned when connected to the device before being mounted to the file system, then the real risk is that a new virus or worm might leak through before it is identified. How probable is this risk when compared to the risk of the same thing happening while an employee is connected to some rogue website?

Rather than over-reacting to cyber threats, take the time to carefully analyze the risk, using well-known risk assessment methodologies, and take intelligent actions based on the severity of the risk.

____________________________________________________________


David Joy is a senior project integration manager for Weatherford where he is responsible for managing engineering and deployment teams for digital oilfield production optimization projects. Previously he was an engineering manager at HP where he was responsible for managing the development of secure remote server management technology. Joy has spent over 30 years working in high-technology fields in business and industry.

He spent several years at HP working with cyber-security methods of transmitting information securely over worldwide corporate networks. Over the past three years, Joy has worked closely with a national oil company in developing innovative security methods to allow data to pass bi-directionally between the production network in the oilfield and the business network in the collaboration center. Joy holds an MBA from the Jones Graduate School of Business at Rice University


Have Your Say
Rate this feature and give us your feedback in the comments section below
Posted: 10/14/2013

O&G Members Banner

Join for Free

EVENTS OF INTEREST

Dusit Thani Hotel, Abu Dhabi, United Arab Emirates
September 26 - 27, 2017
Dusit Thani Hotel, Abu Dhabi, United Arab Emirates
September 24 - 27, 2017
Marina Bay Sands, Singapore, Singapore
September 25 - 28, 2017