Oil and Gas Industry Becoming Aware of the Message Concerning Cybersecurity
The oil and gas industry is fast becoming a 'business of choice' for cyber attackers.
Disrupting this lifeblood of any nation is a sure way of securing financial gain and / or economic and social chaos, sometimes both. This was shown to the full after the ransomware attack on the Colonial pipeline on May 7 this year, which shut down the largest fuel pipeline network in the United States; one that supplies 45% of fuel to the East Coast.
Rather than face the prospect of bringing much of the eastern seaboard to its knees, the company paid the US$4.4 million (75 bitcoin) within a matter of hours. The FBI recovered around half of this, but the hackers still walked away with a tidy sum.
Despite the ransom being paid in good time it still took several days for the pipeline to get back to capacity and borderline chaos ensued. Fuel shortages at airports halted air traffic, filling stations ran out of gas, and fuel prices shot up to more than $3 a gallon, their highest in seven years.
It's not like the Colonial attack should have come as any surprise.
In August 2020 the Ponemon Institute surveyed 370+ US oil and gas security professionals and only 35% rated their organisation’s operational technology (OT) cyber readiness as high. Two-thirds also admitted that their company experienced at least one security compromise in the previous year, resulting in OT disruption or the loss of confidential information.
INSURANCE, INSURANCE, INSURANCE
Prior to the Colonial attack the energy sector was among the worst when it came to buying cyber insurance, with only about half of US pipeline companies taking out policies.
Thankfully that has changed since May 7, and cyber insurers have noted an increase in business.
"Since the Colonial outage, submissions from energy companies are up across the board," said Nick Economidis, vice president of cyber liability at insurer Crum & Forster. "We started getting calls the day after the Colonial attack."
However, if anyone in the industry needed any more confirmation of their susceptibility to attack, Obrela’s Digital Universe Study from the April – June 2021 shows that "oil and gas is one of the only industries to consistently see an increase in attacks on its systems." These increases, as compared to the same quarter in 2020, included:
- An 18% increase in attacks on its users and endpoints
- A 22% increase in attacks on its cloud environments
- A 12% increase in attacks on its IT infrastructure
- A 29% increase in attacks on its system / perimeters
- A 14% increase in web attacks
- A 22% increase in APT / malware attacks
TRAINING AND AUTOMATION
The Colonial hack wasn't out of the ordinary. The company's defences were breached via a compromised password, a tried and true method of breaching cyber defences of organisations around the world.
With at least 90% of successful cyber attacks caused by human error, awareness through training is one of the best methods of prevention. However, automated security measures such as vulnerability alerts, network security, two-step verification, backing up data, and email security are an integral part of any business' cyber defences.
As chance would have it, days after the Colonial pipeline event the World Economic Forum released a White Paper evaluating cyber risk across the oil and gas industry. In it they outlined six principles "to help boards at oil and gas companies govern this risk and strengthen their organization’s cyber resilience":
- Cyber-resilience governance
- Resilience by design
- Corporate responsibility for resilience
- Holistic risk management approach
- Ecosystem-wide collaboration
- Ecosystem-wide cyber-resilience plans
AUTHORITIES ISSUE DIRECTIVES
Things stepped up on July 20 this year, when the US Department of Homeland Security's Transportation Security Administration (TSA) issued a second Security Directive aimed at owners and operators of TSA-designated critical pipelines that transport hazardous liquids and natural gas, "in response to the ongoing cybersecurity threat to pipeline systems".
The directive followed on from an initial directive in May and required the owners and operators to:
- implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology (IT) and operational technology systems (OT)
- develop and implement a cybersecurity contingency and response plan
- undergo an annual cybersecurity architecture design review
To further emphasise the econimic and social importance of pipelines to the nation, upon release of the directive the Secretary of Homeland Security, Alejandro N. Mayorkas, stated: "The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats. Through this Security Directive, DHS can better ensure the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats, and better protect our national and economic security."