68% of American oil and gas companies got hacked in 2016, but most have little confidence in their security systems. Here’s what you can do, right now.
A recent survey from the Ponemon Institute revealed that 68% of American oil and gas companies experienced a security breach in 2016. Equally shocking: Just 35% of them say they’re prepared to counter a cyber attack involving their industrial control or operational technology systems. The reality in 2019 is that most oil and gas companies have neither the staff nor the expertise to effectively fight cyber crime.
This is alarming, and it should worry us all. Deloitte warns that hackers “are becoming increasingly sophisticated” and “launching coordinated attacks on the industry.” In 2014, for example, they launched “an all-out assault” on 50 European oil and gas companies, using phishing campaigns and Trojan horse attacks.
Why should you care? What’s at stake when a cyber attack succeeds against your industrial control system?
Dramatic slowing or full stoppage of all technology-driven production
Severe damage to your company’s reputation
Theft and sale of your intellectual property to competitors, rogue nations or other actors via the dark web
Shutting down of critical American infrastructure, like hospitals and power grids
In our connected world, hackers can quietly infiltrate vulnerable industrial control and operational technology systems and then halt production with the click of a button. A company’s IT firewalls only protect against roughly 10% of attacks; the most significant risk facing petrochemical Owners and EPC companies is the unwitting employee who opens an innocuous-looking attachment or uses an insecure USB drive. In short: Our systems are vulnerable, and we need to fix them.
Here are five steps you can take today to mitigate existing risks, and immediately begin setting up protections that will help you withstand a cyberattack.
1| Start awareness training, now
Uninformed people make your organization vulnerable to cyber attack, and you need a comprehensive, mandatory awareness training program in place to help mitigate that risk. A one-hour video is not enough. Consider hiring a company to conduct simulated phishing attacks, and provide extra training for employees who fall for the ruse.
The goal is to build a culture in which people are educated about cyber security and not afraid to ask when they have questions about downloading an attachment or clicking a link. Hackers are more sophisticated than you think.
2 | Hack yourself first
Hire a third-party company to conduct a security assessment according to the National Institute of Standards and Technology cybersecurity framework. Don’t rely on your IT department to do this; they’re focused on critical IT operations, not security. Cyber security experts have unique skill sets, and the field is expanding and growing more complex every day. We recommend a quarterly cyber security assessment during which the third-party organization evaluates the status of the network and provides a report to all stakeholders, highlighting areas of concern and providing recommendations for improvement.
Pro Tip: You should also conduct a cyber security assessment whenever you make any significant changes to your technology infrastructure.
3 | Use less email
Email is not just inefficient, it is a major security risk. According to Symantec’s 2018 Internet Security Threat Report, nearly nine out of 10 malicious emails use attachments like Word and PDF with malware to infect target computers. The solution is to stop using email and start using smart, secure, collaborative platforms. These platforms allow for safe file sharing, and break the email attachment habit that plagues most modern capital project organizations. Collaborative, cloud-based platforms also offer significant project efficiencies.
4 | Don’t assume your vendors are secure
You cannot assume that your vendors are secure, regardless of the certifications they have. During the concept phase, get permission from prospective vendors and conduct penetration testing through a respected third-party cyber security firm.
In 2017, an Austrian hotel was forced to pay a bitcoin ransom to hackers who infiltrated their third-party electronic key card system. For the hotel, the consequences were minor (guests were locked out of their rooms for a short while) and the solution was easy (they simply returned to an old fashioned lock-and-key system). A similar breach in the petrochemical industry could have devastating consequences and be much more difficult to resolve. Make sure your vendors are secure.
5 | Pay special attention to older ICS systems
During your internal security assessments, focus especially on older industrial and operational control and SCADA systems. Older systems have more vulnerabilities than news ones, and you need to routinely update firmware and ensure that you’re not using default passwords.
The importance of monitoring every aspect of your control systems cannot be overstated. In 2017, hackers used an internet-connected thermometer in a fish tank to gain access to a casino’s list of high-rollers. The innovative hack was possible in part because the casino had failed to change the default passwords.
These five critical steps are relatively easy to take, and taken together they will significantly increase your organization’s ability to withstand a cyber attack. Start now.