Securing The Oil & Natural Gas Industries

What can we learn from the annual American Petroleum Institute (API) Cybersecurity Conference in Houston? Many things, but nothing more important than this: we are all part of the same cyber ecosystem. We sink or swim together in cyberspace.

by / November 16, 2014

Admiral Mike McConnell's opening keynote at API Cybersecurity Conference 

The 9th Annual American Petroleum Institute (API) Cybersecurity Conference was held in Houston this past week. Sessions covering details behind the breach headlines, stories of foreign and domestic cyberwars as well as nation-state cyber threats were offered. Specific stories about cyberattacks on the oil and natural gas industries were for the most part fresh and urged action.

So what can governments learn by examining other critical sectors like the petroleum industry? How can we prepare together regarding cross-sector dependencies? Who is working diligently with the energy sectors and other industries regarding information sharing? These were just a few of the questions I wanted to answer in Houston.

The intriguing messages began with the opening keynote by former NSA Director Mike McConnell and lasted for two days through the closing CIO panel with leaders from Fortune 500 companies. Event attendees were offered both keynotes and breakout sessions which included three tracks on the agenda.

Opening Keynotes Highlight Cyberdefense Needs

Admiral Mike McConnell grabbed everyone’s attention early on Tuesday morning with quotes like, “There is not a computer in the world that cannot be penetrated.”

And, “China is causing 80 percent of economic espionage in the world.”

The retired Admiral, who is now a senior executive advisor for Booz Allen, did an excellent job explaining why sharing cyber threat information is essential as we move forward in the 21st century.

“We are dealing with nation-state actors that are hurting jobs by stealing our expensive intellectual property. Yes, most nations (including the USA) engage in cyber espionage for military purposes, but America is being systematically attacked in ways affecting our economic vitality and industry innovation. The scale of this is staggering.”

Admiral McConnell recommended that everyone talk to their elected representatives to urge passage of legislation to share cyber intelligence regarding these threats - which are sponsored by countries such as China and Russia. He closed his speech by asking questions about the future like: How will we use the coming technology that predicts human behavior using big data analytics? Can we balance needed surveillance capability with privacy protections?

Chandra McMahon from Lockheed Martin was the second morning keynote. She described the cyber threats to the oil and natural gas industries. Her presentation had four parts:

1) External threats – She said what’s in the papers regarding breaches is “a tip of the iceberg.” Threat actors include advanced persistent threats (APT) for cyber terrorism, organized cyber criminals, nuisance threats and nation states.

The vectors of attack range from cloud, mobile, email, parking lot USBs (which employees plug into PCs), fake websites, legitimate websites that are compromised, misconfigurations, supplier/partner relationships and more. The results of these attacks are causing increasing damage to company reputations via complex cyber ecosystem compromises at multiple points in the sensitive data lifecycle.

2) Supply chain threats – From counterfeit parts to tainted products to compromised supplier access to internal networks, the supply chain has never been under such a heavy strain.

3) Process control network (PCN) threats – She asked: Do you truly know all your assets? Do you have visibility into intelligence about all critical components and vulnerabilities in the core critical controls? While many of these networks are air-gapped from the Internet, not all are isolated. Also, mechanisms to update and influence these critical functions can be compromised.

4) Insider threats – Every organization must take these threats seriously, but this is not a “big brother” program. Look for risk indicators. Who has the most access and who is the greatest risk? Tell people about your program and that they are being monitored, build accountability, and trust but verify actions.

Chandra concluded by saying that most of the cyber incidents identified in the petroleum industry were originating from nation-state sponsored actors. They often use phishing and insider threats to accomplish their goals – with one incident costing over $500,000.

What was a bit different in the sessions over two days were the petroleum company names and the sector-specific focus on oil and natural gas. There were several examples of the key responsibilities that the international petroleum sector carries for global safety and security as well as the economies.

With recent headlines detailing military war games that involved cyber and critical infrastructure attacks, protecting the cyber ecosystem is becoming a matter of national security. This means that protecting America’s economic and military interests also includes cyberdefense for energy companies, transportation companies, petroleum companies and other critical infrastructures that our nation depends upon.

I was not surprised when many of the CIOs and CISOs that I spoke with described ongoing tabletop exercises and red / blue (attack and defend) cybersecurity training that they are now doing with their teams, with other companies and across multiple critical infrastructure sectors to prepare for and respond to cyber incidents.

What Was The Most Surprising Take-away?

For me, it wasn’t the cyber stories of the good, the bad and the ugly from petroleum companies that stood out. Nor was it the best practices and lessons learned shared. No, what struck me most was that the central messages on all aspects of cybersecurity were remarkably similar to speeches given at state government cyber summits, financial sector events in NYC or even international events held in the Middle East.

In fact, if I had closed my eyes, changed a few accents and swapped out a few company names, I might have been listening to speakers at Wisconsin’s Cyber Summit, the Billington Cybersecurity event in DC or Israel’s big annual cybersecurity event. Most vendor sponsors were even the same technology and security companies – also placed strategically in the exhibition halls where the refreshments were served.

Still, as an outsider to this sector and a first-time visitor to Houston, I was surprised by the common experiences and relationships shared over lunch. I was glad to see many friends from around the country from a variety of security disciplines and government events. 

Not only did I run unexpectedly into several CISO friends from yesteryear, such as George Wrenn, there were even some former state and federal government colleagues like Mark Weatherford speaking at the event.

Bottom line, this is a small cyber community with common themes, a common language and similar security challenges. States need to partner with more critical infrastructure sectors, such as oil and natural gas, regarding cyberthreat information sharing and participation in cyber exercises.

This means a wider circle of collaboration from federal, state and local governments regarding a long list of critical infrastructure industries that are interconnected and also a part of the same cyber ecosystem. Opportunities to work together on cyber disruption plans and strategies will only increase over the next decade - and move from a nice-to-have project to an economic necessity.

Wrap-up  

The last session, which featured CIOs from major players in the petroleum industry, offered an excellent view of the current thinking of top technology and security leaders, despite the bleak headlines. An enabling mentality was clear, and all of the speakers were optimistic about the future, despite current cyber challenges.

I especially liked the sentiment expressed that the CIO’s role is not to disable technology innovation or curtail business development using new tools, trends or advances. All of them were adopting bring your own device to work (BYOD) programs, with some limitations, and all were utilizing cloud computing. They were also examining new opportunities with drones, big data analytic trends and the Internet of things (IoT).

One panelist said, “I’m not here to stop technology, but manage risk.”

I agree. And it’s nice to hear that sentiment in a brand new critical industry sector (for me).

One final thought about what I learned in Houston. While there are many things we can learn about specific cyber protections for the petroleum industry, nothing is more important than this take-away.

We are all part of the same cyber ecosystem. We sink or swim together in cyberspace.

Note: All photo credits: Dan Lohrmann

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.
