Pub. 1 2019-2020 Issue 4

Understanding and Solving R = C x V x T T his is the risk equation. The posture of a company’s risk is a prod- uct of consequence, vulnerability and threat. Many energy com- panies use industrial control systems and operational technology (OT). All companies use information technology (IT) — data — in their daily operations. These technologies work across the internet, which brings a heightened vulnerability factor to their risk equation. As one of the most consequential sectors of critical infrastructure, the energy sector is a true lifeline sector. Businesses working in the energy sector need to diligently manage their risk to disruptive cyber threats because there are nation-state actors such as China, Russia, Iran and North Korea that are attacking U.S. infrastructure through cyberspace every hour of every day. Phishing attempts are the No. 1 vector for these attacks. Opening the wrong attachment, or clicking on the wrong hyperlink, can deliver malware into a computer and then the attack is successful and underway. Bad actors employ the concept of “social engineering” to deceptively manipu- late workers into falling for these ploys that then deliver innumerable exploits into a computer, into a system and possibly into numerous networks. The “carpet bombing” cyber-attack is incessant, and I recommend all companies provide training to any worker using the internet to mitigate their risk to phishing schemes. Employees aren’t trained to suspect this type of disruption, but we are working in a new digital age that relies on internet connectivity and associated technology more than ever, and we likely won’t be going back to business as we did it prior to this. So, dot on the exclamation point for the importance of cybersecurity training in the general workforce. An additional aspect of cybersecurity ties to the supply chain that supports Information and Communication Technology (ICT). We’ve all heard it said that any chain is only as strong as its weakest link. If vulnerabilities in the ICT supply chain are exploited, the consequences can affect all users of that technology or service. ICT products and services provide remote access into work environments, e-Learning capabilities, mobile computing and include hardware, software and managed services from third-party vendors, suppliers, service providers and contractors. As the nation nears the general election in November, our national cyberse- curity experts at the DHS Cybersecurity and Infrastructure Security Agency (CISA) warn that cyber-attacks will escalate. With so much work being done in cyberspace, it’s easy to see that the attack surface is larger than ever. This reality should prompt risk managers to focus on cybersecurity right now before the cyber-threat landscape worsens. So, with that emphasis, how can companies manage their cyber- based risk? There are two strong resources I’d recommend to petroleum energy compa- nies. First is the ONG Information Sharing and Analysis Center (ONG-ISAC), which provides shared intelligence on cyber incidents, threats, vulnerabili- ties, and best practices to enhance security in the ONG industries. Second would be CISA. Specifically, I’d suggest companies tap into their information streams such as The National Cyber Awareness System (NCAS) (https://us-cert.cisa.gov/ncas) . The difference between the two is that the ISAC charges a subscription fee, and the NCAS does not. https://us-cert.cisa.gov/ncas https://www.cisa.gov/cyber-resource-hub https://www.cisa.gov/publication/cyber-essentials-toolkits I’d also encourage companies to undertake a cybersecurity assessment. CISA offers several types that are free. These range from do-it-your- self to those best provided by one of their experts. I’d direct anyone to https://www.cisa.gov/cyber-resource-hub and encourage them to find the assessment that best suits them. One additional resource I’d recommend is the Cyber Essentials Toolkit at https://www.cisa.gov/ publication/cyber-essentials-toolkits. Aside from the cyber threat what other risks should businesses be thinking about? I manage critical infrastructure risk in Utah across three broad categories: nat- ural hazards, technological hazards and man-made threats. We are well-aware 10 UP DATE