OFFICIAL PUBLICATION OF THE UTAH PETROLEUM ASSOCIATION

Pub. 2 2020-2021 Issue 3

Terry Horn

An Interview with a Cyber Security Expert – Terry Horn



What is your background in cybersecurity? Also, how and when did you begin working at AUI?


Cybersecurity is a vital area that requires all organizations to acknowledge, understand and implement it. Since we are all now living in an increasingly connected environment for everything from work to play, the scope of vulnerabilities significantly increases. As such, all fields of expertise are required to fully understand all the potential pivot points or areas that can be exploited.

My first introduction to cybersecurity was while working as a chemical engineer at a large specialty chemical manufacturer. At that time, I focused on operational technology (OT) or industrial control systems (ICS) and how they interacted with the physical process or the manufacturing environment. During that time, my focus was to ensure that the systems and processes were operating safely and efficiently. Cybersecurity was not the most important factor. Not until we started to move away from “air-gapped” or isolated systems to more connected environments did we consider the risks and implications of cyber events. Since our systems interact with the physical realm, our cyber risks in the OT environment needed to be recognized, evaluated and mitigated.

AUI is a key driver for cybersecurity education, consulting and working partnerships. It allows us to leverage our passion for cybersecurity across all marketplaces and clients in both OT and traditional information technology (IT). We strive to help our partners recognize and solve difficult challenges while ensuring solutions are implemented based on the risks and resources of each client. As an employee at AUI for over two years, I value our mission and vision to help our clients understand, mitigate and manage cybersecurity challenges.

According to the AUI website, it was chartered in 1946. What can you tell me about AUI’s history with respect to cybersecurity?


AUI makes scientific breakthroughs possible. We enable scientists by managing and operating large scientific facilities, allowing the scientists to focus on the science. Much has changed over the years and to be a good management organization means keeping up with ever-evolving challenges and responding to changing needs. Our operational support enabled nuclear medicine, the first images of DNA, and more recently, the first image of a black hole.

In 1946, cybersecurity meant locking the door to the computer room. Today, in order to prevent theft of intellectual property and maintain business continuity, management organizations need to have robust cybersecurity capabilities and promote proper cyber hygiene at the facilities they manage. Our leadership has served in the military and worked in the highest offices of government. They understand this evolving need well. They established Woodstar Labs to improve AUI’s cybersecurity operations, increase our capacity as a management organization, and make the highest and best use of our capabilities as a nonprofit, nonmember institution.

In addition to securing ourselves and our managed facilities, AUI and Woodstar Labs are focused on securing critical infrastructure. We convened the National Commission on Grid Resilience, led by General Wesley Clark (U.S. Army, retired), to provide nonpartisan, actionable recommendations to secure our electrical grid.

Leadership at the North Carolina State Board of Elections understands the need to secure critical infrastructure, too. They were our first clients in the election space, and we continue to work together as Woodstar Labs explores securing states across the country.


Cybersecurity has been important for a while now. The following website link (https://www.arnnet.com.au/slideshow/341113/top-10-most-notorious-cyber-attacks-history/) lists an attack as early as 1988. What do you think about the list ARN staff put together? Would you change it in any way?


I believe ARN, like most organizations, recognizes the evolution of cyberattacks as technology has matured and grown to be more embedded in our lives. They did a nice job of capturing some of the earliest attacks. As the technology and the population that leverages it both grow, we will experience additional cyber threats and new attack vectors. Areas that we see the most concerning are areas within the critical infrastructure space.

As mentioned in the ARN article, cyberattacks are nothing new, but the areas and ways they are targeting our environment are. One example that comes to mind within the critical infrastructure environment was Stuxnet. It really changed the landscape of cyberattacks. The malicious computer worm, uncovered in 2010, targeted ICS networks in the critical infrastructure environment.

Another ICS-related cyberattack worth mentioning is the malware known as TRISIS that affected Triconex/Triton engineering systems. This malware targeted the safety interlock systems at a large oil/gas facility in 2017. The malware could allow the attacker to either change process setpoints, causing physical damage, or shut down the system, resulting in process downtime.

It is important to follow these reports. They show the level of sophistication in cyberattacks and the importance of organizations to acknowledge these attacks in their own risk analysis. The book Dark Territory: The Secret History of Cyber War by Fred Kaplan does an outstanding job of tracing the roots of some of the most damaging cyberattacks since the 1980s – I highly recommend it.

What can you tell me about the Colonial Pipeline ransomware attack in May 2021?


As mentioned by our own federal government and others in the field, we need to consider that attackers target our critical infrastructure environments by leveraging either known or unknown attack vectors. I think we all need to assume that we are a target and include these scenarios as part of our own internal risk assessments. By doing so, organizations may see the need to change processes, policies, or procedures to mitigate, transfer, or avoid the risk.

Unfortunately, I think we will see an increase in these types of attacks. OT and common IT networks are converging to either increase efficiency and/or reduce process expenses. Operations managers need to continue to ask “what if” scenarios on their processes with a focus on cyber threats.

According to an online news story, the Colonial Pipeline ransomware attack has prompted changes in federal pipeline security guidelines (https://www.nbcnews.com/tech/security/colonial-hack-dhs-issues-first-cybersecurity-regulation-pipelines-rcna1050). Had petroleum companies put any security measures in place before the attack?

From our experience with previous clients and companies we supported, we often find that they have a level of security in place. However, we often coach organizations to better understand that as technology and systems evolve to be more dependent on network connections and real-time data, we must consider that the attack vector changes drastically. We must assess risks regularly and ensure that we train our staff by developing critical cyber skills to address the ever-evolving attack landscape.

What changes have companies made since the attack?


We see organizations starting to talk about it more. Leaders are prioritizing and allocating more resources and attention to the issue. If organizations are still unsure of the first steps, we recommend leveraging a good partner in the industry to start the process. Doing so ensures that organizations will not be working in a silo and will allow for a depth of experience.

What security guideline changes do you expect to see in the future?


DoD will soon require organizations doing business with DoD to pass a new cybersecurity standardization, called the Cybersecurity Maturity Model Certification or CMMC (https://cmmcab.org/cmmc-standard/). This new model will require organizations to meet various cybersecurity maturity levels based on the type of business they are pursuing with DoD. Other federal organizations have also unofficially stated that they intend to have their contractors, supplies and supporting service providers meet these requirements.

AUI is a leader in CMMC and supports organizations as they prepare for these new guidelines and requirements. We focus on education, training, consulting, and assessing for these new cybersecurity requirements.

Do petroleum companies support the changes being mandated by the Department of Homeland Security?


Within our partnerships and networks, we see many organizations working together to understand the risks and how the government can influence the best practices, specifically within the critical infrastructure environment. We see many opportunities where both the government and private industry can solve these complex issues.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) regularly puts out threat alert information to relevant critical infrastructure sectors and supports the various sectors, including their Information Security and Analysis Centers. CISA is a good resource for best practices and other information; however, it is up to each individual organization to secure their networks and devices.


What are the best ways for companies to protect themselves from ransomware attacks?


Based on our experience in the field, we believe that organizations must first understand their own risks and how their environment interacts with technology (environmental vulnerabilities). For example, at Woodstar Labs, we have a dedicated process to identify, classify, and quantify risks. Once risks are identified, we can help prioritize these risks and understand ways to either mitigate, transfer, or avoid the risk. This process will build an in-depth defense perspective, ensuring that resources are allocated to the highest priorities. By establishing this process, we help organizations understand unknowns and how they may affect their business.

In the OT and the critical infrastructure environment specifically, key processes must function without digital dependence. That is, there should always be an analog fallback to ensure that critical functions can still operate if or when digital assets are compromised or unavailable. Although the analog functions will lack efficiency and might be more resource-intensive, they will allow for key initiatives and processes to continue until the primary systems are recovered.

What training is needed for someone to be a cybersecurity expert?


Becoming an expert in any field involves a dedicated journey that requires someone to commit time and personal development to master. However, cybersecurity is a great field to start at any point in one’s career. There are several entry-level certifications that someone can take to gain an initial understanding and foundation. For example, AUI has several certifications (entry-level, intermediate and advanced) and training courses that someone can take to advance their current career or start a new career in cybersecurity. It is a growing field and one that requires all organizations to attract those with the skills and the talent.

The DoD maintains a list of certifications that they commonly require in their 8570 publication. If an organization is looking for a list of recommended certifications, that’s our go-to reference.

Are there any other comments about cybersecurity you would like to make?


Leadership must prioritize cybersecurity to ensure that their organizations are successful at establishing good cyber hygiene. As organizations grow, they will be more visible, and they will need to ensure that their risks are identified and mitigated. In addition, organizations must evolve with the technology and the changing threat landscape.

If organizations do not have the skills or talent in their own teams, they must reach out and find great partners to help them in the cybersecurity journey.

We also should note that there are many resources available to help organizations improve their cybersecurity posture that won’t break the bank. For example, AUI is establishing an apprenticeship program focused on assisting manufacturers across the state of Utah. We’re partnering with Davis Technical College, the University of Utah’s Manufacturing Extension Program, and ImpactUtah to create and launch this program this fall. If any readers would like to get involved, please just reach out and let us know!

For more information, please contact Mr. Horn at (517) 378-6834 or tahorn@aui.edu.

Mr. Horn serves as the Director of Operational Technology (OT), leading the OT Cybersecurity Department for AUI & Woodstar Labs. Mr. Horn operates across AUI to set the strategic direction for the OT research portfolio in areas relating to industrial control systems (ICS), industrial internet of things (IIoT), building control systems (BCS), Smart Grids and Supervisory Control and Data Acquisition (SCADA). He is responsible for identifying new and evolving opportunities in basic and applied OT research; and leads AUI Labs business development resources on the most relevant and timely opportunities. He is also responsible for the organization’s cybersecurity maturity model certification (CMMC) efforts related to business development, education initiatives, and program growth.

At Deloitte, he served as an SME for ICS cybersecurity. Project work included testing, analysis, cybersecurity, and DoD Risk Management Framework (RMF) accreditation support for the Navy’s NAVFAC Smart Grid project. In addition, he provided cybersecurity services for critical asset discovery, governance, security control implementation, and cybersecurity audit analysis for process control networks for several major U.S. commercial refineries and NIH.


As a lead engineer at Booz Allen Hamilton, he served the federal client in ICS and as an overall SCADA/DCS SME. He provided guidance and recommendations for ICS topics related to cybersecurity and vulnerability analysis. In addition, he supported the concept of machine learning applications to OT cybersecurity architecture.


Previously, he served as a chemical engineer at Eastman Chemical Co. and led roles in process improvement, resource & energy efficiency, project management, safety analysis, manufacturing support & troubleshooting, industrial controls, research & development, environmental operations and personnel management.


As an Army Major, he served as a leader in the Army Engineer Corps and Army Aviation. Positions include Company Commander, Operations & Plans Officer, Aviation Maintenance Officer, Battalion S3, Battle Captain and Platoon Sergeant. Leadership experience includes Combat service in both Afghanistan and Iraq.


Education: University of Kentucky MBA, Gatton College of Business B.S., Chemical Engineering


Certifications & Security Clearances:

  • Professional Engineer (P.E.)
  • Project Management Professional (PMP)
  • Certified SCADA Security Architect (CSSA)
  • Security+, Network+
  • FAA Certified Commercial Pilots License (CPL)
  • Six Sigma Green Belt
  • Active TS Clearance