Sounding The Cybersecurity Alarm

May 2013, Vol. 240, No. 5

Chuck Drobny, CEO, GlobaLogix

Cybersecurity. Executives now take it much more seriously than even a couple of years ago, as hackers continue wreaking devastating impact worldwide, with 40% of all attacks directed at oil and gas companies. With companies being victimized by exponentially more attacks aimed not just at compromising systems but also at causing severe disruptions, stealing proprietary information and achieving financial gain, the time to take action was literally “yesterday.”

Where could the pipeline industry be affected? Prime targets include interstate and intrastate pipelines, underground gas storage facilities, tank farms, gathering lines, river crossings, pumping stations, valve points and control compressor stations. Let’s explore the cybersecurity landscape and preparedness recommendations – because many companies unfortunately are still bringing up the rear.

Know five key issues
To combat the enemy, companies must understand the issues. These are: the existing scenario of cybersecurity (“Where we are”), the difficulty in maintaining back office systems with adequate personnel, alternatives to traditional back office structures, a threat’s consequences and Sarbanes-Oxley implications.

First, U.S. oil and gas operating companies are now, or almost, out of time to keep their information systems from being compromised. This has primarily occurred because it has become virtually impossible to find enough IT personnel and qualified SCADA engineers and technicians, which weakens company defenses against a cyberattack (especially from global threats and not just the domestic hacker). Recent attacks, as reported in major media outlets, are clear bellwether warnings that agents have actively penetrated systems such as SCADA systems and control systems.

Pending congressional approval, the Cyber Intelligence Sharing and Protection Act (CISPA) may be a positive step, but relying on government for a solution is rarely the best approach. Instead, businesses should be responsible for protecting themselves and should not abdicate control over how the protection is accomplished.

Second, the difficulty in maintaining SCADA, field and back office systems with adequate personnel is reflected in a current tally of several hundred thousand unfilled positions. No longer do employers have the luxury of selecting the ideal candidate; schools are not even producing enough graduates to cope with the present attrition rate, which affects the entire oil and gas industry and not just a few companies. Whichever segment of a company is involved, from field operations to corporate management or IT, the issue is finding specialized expertise and not just generalist education or experience.

Companies cannot continue to operate with a dwindling manpower pool; they must embrace more technological advances and defend against substantially more active cyber threats.

Third, focus on finding the alternative(s) to traditional back office systems within brick and mortar facilities (whether standalone facilities for large companies or inside an existing building’s back office) by developing a new perspective. Company executives and middle management should explore the tremendous resource capability existing on the Cloud.

Although its specific meaning often varies, the Cloud offers the opportunity to provide IT as a service, whereby users are provided their applications on sufficient, flexible server space. In this paradigm, technically competent professionals handle IT’s administrative and security sides, including firewalls, mirroring and providing defense in depth. Previously, most companies were only comfortable handling all these matters internally, but a sea change has occurred in this thinking.

Now, external providers can protect companies against disasters including natural catastrophes, power failure and Internet connectivity failure. IT as a service can be put on the Cloud where servers are, in fact, more secure because they provide great redundancy, more back-up, encryption among layers and geographic dispersion, and are fully staffed by highly skilled personnel. On an everyday basis, an IT Cloud service can maintain service for dozens, even a hundred or more companies, utilizing the same level of expertise across the spectrum, as contrasted with each company attempting to find that capability individually.

As a result, when the Cloud is properly structured, companies are provided with exceptional defense in depth. When a system is compromised by software/hardware failure or cyber attack, it can be turned around and essentially swapped over to another system. This scenario should become as common in oil and gas and SCADA as it is now in the banking and airline industries.

Fourth, what are the threat’s consequences, given that threats come from systems that can be compromised in any of several different ways? Examples include employees accessing systems and putting the company at risk through, e.g., thumb drives and Internet websites that allow malicious code to enter. Also at risk are companies in a remote SCADA environment with tens of thousands of data points/systems in the field, in facilities or pipelines, providing data connectivity into these control networks and systems.

Each of those may provide an additional accessible data point for intrusion and compromise. A case in point is one of the world’s largest SCADA providers, which maintains a control network that is used to update its software nationally and to provide remote monitoring of system software inside customer locations. This is one of the systems hacked by the Chinese, which made worldwide news.

The overriding issue is the compromise of safety systems and shutdown systems. Consider the very idea that safety systems could be compromised or control systems manipulated to result in the destruction of facilities: when natural gas facilities go horribly wrong, the risk of fire, explosion, injury or even death always lurks. Companies may have to turn around and restructure their networks and systems, as did one of the world’s largest companies (North America-based), which was forced to significantly upgrade its entire IT environment and all databases after the Justice Department said they had been hacked.

Fifth is Sarbanes-Oxley, making C-level executives personally responsible for what they report in the company’s financials. These financials now have to deal with the impact of possibles, probables and contingencies that could face the business. Therefore, if cybersecurity could put the company’s financial viability at risk, then signing that statement requires that cybersecurity be looked at, dealt with and reported.

In the absence of an actual set of standards along these lines, prudent advice calls for a third party to provide an assessment or review, make specific recommendations, identify how to build a plan, create documentation of how data should be handled and how security should be established, as well as what action to take in the event of being compromised or experiencing a failure. Typically most oil and gas companies have safety plans and procedures for other emergencies but most do not have cybersecurity plans; they should.

Looking ahead now
Forward-thinking executives know which fork in the road to take. They continue to run their pipeline business, SCADA systems and plants but rely on IT experts for detailed, intense expertise and capabilities to keep them up and running. That way they stay focused on the aspects of their business that make them money, while other professionals protect the business assets that could otherwise cost them money and shut them down.

Chuck Drobny is CEO of Houston-based GlobaLogix (www.globlx.com). He can be reached at cdrobny@globlx.com or 713-987-7637
