What can we learn from the annual American Petroleum Institute (API) Cybersecurity Conference in Houston? Many things, but nothing more important than we are all part of the same cyber ecosystem. We sink or swim together in cyberspace.
Admiral Mike McConnell's opening keynote at API Cybersecurity Conference
The 9th Annual American Petroleum Institute (API) Cybersecurity Conference was held in Houston this past week. Sessions covering details behind the breach headlines, stories of foreign and domestic cyberwars as well as nation-state cyber threats were offered. Specific stories about cyberattacks on the oil and natural gas industries were for the most part fresh and urged action.
So what can governments learn by examining other critical sectors like petroleum industry? How can we prepare together regarding cross-sector dependencies? Who is working diligently with the energy sectors and other industries regarding information sharing? These were just a few of the questions I wanted to answer in Houston.
The intriguing messages began with the opening keynote by former NSA Director Mike McConnell and lasted for two days through the closing CIO panel with leaders from Fortune 500 companies. Event attendees were offered both keynotes and breakout sessions which included three tracks on the agenda.
Opening Keynotes Highlight Cyberdefense Needs
Admiral Mike McConnell grabbed everyone’s attention early on Tuesday morning with quotes like, “There is not a computer in the world that cannot be penetrated.”
And, “China is causing 80 percent of economic espionage in the world.”
The retired Admiral, who is now a senior executive advisor for Booz Allen, did an excellent job explaining why sharing cyber threat information is essential as we move forward in the 21st century.
“We are dealing with nation-states actors that are hurting jobs by stealing our expensive intellectual property. Yes, most nations (including the USA) engage in cyber espionage for military purposes, but America is being systematically attacked in ways affecting our economic vitality and industry innovation. The scale of this is staggering.”
Admiral McConnell recommended that everyone talk to their elected representatives to urge passage of legislation to share cyber intelligence regarding these threats - which are sponsored by countries such as China and Russia. He closed his speech by asking questions about the future like: How will we use the coming technology that predicts human behavior using big data analytics? Can we balance needed surveillance capability with privacy protections?
Chandra McMahon from Lockheed Martin was the second morning keynote. She described the cyber threats to the oil and natural gas industries. Her presentation had four parts:
1) External threats – She said what’s in the papers regarding breaches is “a tip of the iceberg.” Threat actors include advanced persistent threats (APT) for cyber terrorism, organized cyber criminals, nuisance threats and nation states.
The vectors of attack range from cloud, mobile, email, parking lot USBs (which employees plug into PCs), fake websites, legitimate websites that are compromised, misconfigurations, supplier/partner relationships and more. The results of these attacks are causing increasing damage to company reputations via a complex cyber ecosystem compromises at multiple points in the sensitive data lifecycle.
2) Supply chain threats – From counterfeit parts to tainted products to compromised supplier access to internal networks, the supply chain has never been under such a heavy strain.
3) Process control network (PCN) threats – Asked the question: Do you truly know all your assets? Do you have visibility into intelligence about all critical components and vulnerabilities into the core critical controls? While many of these networks our air-gapped from the Internet, not all are isolated. Also, mechanisms to update and influence these critical functions can be compromised.
4) Insider threats – Every organization must take these threats seriously, but this is not a “big brother” program. Look for risk indicators. Who has the most access and who is the greatest risk? Tell people about your program, they are being monitored, build accountability and trust but verify actions.
Chandra concluded by saying that most of the cyber incidents identified in the petroleum industry were originating from nation-state sponsored actors. They often use phishing and insider threats to accomplish their goals – with one incident costing over $500,000.
What was a bit different in the sessions over two days were the petroleum company names and sector-specific focus on oil and natural gas. There were several examples of the key responsibilities that their international petroleum sector carried for global safety and security as well as the economies.
With recent headlines detailing military war games that involved cyber and critical infrastructure attacks, the protecting the cyber ecosystem is becoming a matter of national security. This means that protecting America’s economic and military interests also includes cyberdefense for energy companies, transportation companies, petroleum companies and other critical infrastructures that our nation depends upon.
I was not surprised when many of the CIOs and CISOs that I spoke with described ongoing table top exercises and red / blue (attack and defend) cybersecurity training that they are now doing across with their teams, other companies and across multiple critical infrastructure sectors to prepare for and respond to cyber incidents.
What Was The Most Surprising Take-away?
For me, it wasn’t the cyber stories of the good, the bad and the ugly from petroleum companies that stood out. Nor was it the best practices and lessons learned shared. No, what struck me most was that the central messages on all aspects of cybersecurity were remarkably similar to speeches given at state government cyber summits, financial sector events in NYC or even international events held in the Middle East.
In fact, if I would have closed my eyes, changed a few accents and swapped out a few company names, I might have been listening to speakers at the Wisconsin’s Cyber Summit, the Billington Cybersecurity event in DC or Israel’s big annual cybersecurity event. Most vendor sponsors were even the same technology and security companies – also placed strategically in the exhibition halls where the refreshments were served.
Still, as an outsider to this sector and a first-time visitor to Houston, I was surprised by the common experiences and relationships shared over lunch. I was glad to see many friends from around the country from a variety of security disciplines and government events.
Not only did I run unexpectedly into several CISO friends from yesteryear, such as George Wrenn, there were even some former state and federal government colleagues like Mark Weatherford speaking at the event.
Bottom line, this is a small cyber community with common themes, a common language and similar security challenges. States need to partner with more critical infrastructure sectors, such as oil and natural gas, regarding cyberthreat information sharing and participation in cyber exercises.
This means a wider circle of collaboration from federal, state and local governments regarding a long list of critical infrastructure industries that are interconnected and also a part of the same cyber ecosystem. Opportunities to work together on cyber disruption plans and strategies will only increase over the next decade - and move from a nice-to-have project to an economic necessity.
The last session, which featured CIOs from major players in the petroleum industry, offered an excellent view of the current thinking of top technology and security leaders, despite the bleak headlines. An enabling mentality was clear, and all of the speakers were optimistic about the future, despite current cyber challenges.
I especially liked the sentiment expressed that the CIO’s role is not to disable technology innovation or curtail business development using new tools, trends or advances. All of them were adopting bring your own device to work (BYOD) programs, with some limitations, and all were utilizing cloud computing. They were also examining new opportunities with drones, big data analytic trends and the Internet of things (IoT).
One panelist said, “I’m not here to stop technology, but manage risk.”
I agree. And it’s nice to hear that sentiment in a brand new critical industry sector (for me).
One final thought about what I learned in Houston. While there are many things we can learn about specific cyber protections for the petroleum industry, nothing is more important than this take-away.
We are all part of the same cyber ecosystem. We sink or swim together in cyberspace.
Note: All photo credits: Dan Lohrmann