By The Utah Petroleum Association
This is the risk equation. The posture of a company’s risk is a product of consequence, vulnerability and threat. Many energy companies use industrial control systems and operational technology (OT). All companies use information technology (IT) — data — in their daily operations. These technologies work across the internet, which brings a heightened vulnerability factor to their risk equation.
As one of the most consequential sectors of critical infrastructure, the energy sector is a true lifeline sector. Businesses working in the energy sector need to diligently manage their risk to disruptive cyber threats because there are nation-state actors such as China, Russia, Iran and North Korea that are attacking U.S. infrastructure through cyberspace every hour of every day. Phishing attempts are the No. 1 vector for these attacks. Opening the wrong attachment, or clicking on the wrong hyperlink, can deliver malware into a computer and then the attack is successful and underway.
Bad actors employ the concept of “social engineering” to deceptively manipulate workers into falling for these ploys that then deliver innumerable exploits into a computer, into a system and possibly into numerous networks. The “carpet bombing” cyber-attack is incessant, and I recommend all companies provide training to any worker using the internet to mitigate their risk to phishing schemes. Employees aren’t trained to suspect this type of disruption, but we are working in a new digital age that relies on internet connectivity and associated technology more than ever, and we likely won’t be going back to business as we did it prior to this. So, dot on the exclamation point for the importance of cybersecurity training in the general workforce.
An additional aspect of cybersecurity ties to the supply chain that supports Information and Communication Technology (ICT). We’ve all heard it said that any chain is only as strong as its weakest link. If vulnerabilities in the ICT supply chain are exploited, the consequences can affect all users of that technology or service. ICT products and services provide remote access into work environments, e-Learning capabilities, mobile computing and include hardware, software and managed services from third-party vendors, suppliers, service providers and contractors.
As the nation nears the general election in November, our national cybersecurity experts at the DHS Cybersecurity and Infrastructure Security Agency (CISA) warn that cyber-attacks will escalate. With so much work being done in cyberspace, it’s easy to see that the attack surface is larger than ever. This reality should prompt risk managers to focus on cybersecurity right now before the cyber-threat landscape worsens.
So, with that emphasis, how can companies manage their cyber-based risk?
There are two strong resources I’d recommend to petroleum energy companies. First is the ONG Information Sharing and Analysis Center (ONG-ISAC), which provides shared intelligence on cyber incidents, threats, vulnerabilities, and best practices to enhance security in the ONG industries.
Second would be CISA. Specifically, I’d suggest companies tap into their information streams such as The National Cyber Awareness System (NCAS) (https://us-cert.cisa.gov/ncas). The difference between the two is that the ISAC charges a subscription fee, and the NCAS does not.
I’d also encourage companies to undertake a cybersecurity assessment. CISA offers several types that are free. These range from do-it-yourself to those best provided by one of their experts. I’d direct anyone to https://www.cisa.gov/cyber-resource-hub and encourage them to find the assessment that best suits them. One additional resource I’d recommend is the Cyber Essentials Toolkit at https://www.cisa.gov/publication/cyber-essentials-toolkits.
Aside from the cyber threat what other risks should businesses be thinking about?
I manage critical infrastructure risk in Utah across three broad categories: natural hazards, technological hazards and man-made threats. We are well-aware of the natural hazards of seismic activity, flooding and even severe weather. In today’s just-in-time management philosophy, an earthquake disrupting the pass-ability of I-15 or I-80 could be catastrophic. These roadways are critical to the national security and economy, and as the crossroads of the west, they are essential to the movement of commodities and essential products from the West Coast into Utah and to the rest of the country points east. Companies that are analyzing how these natural hazards could disrupt their critical operations are finding ways to mitigate those vulnerabilities. That’s sound risk management.
Managing technological risk can be as simple as preparing for a power outage. Should a company have a backup generator? Lock down a fuel contract to refuel that generator? The internet has become a business necessity. If the internet goes down, this can disrupt IT and OT, as I mentioned before. It can affect billables, payables, maybe phone systems and much more.
The cyber threat is today’s primary man-made threat to businesses. However, I’d remind companies working in the energy industries that as you see workforce reductions, you should plan for how you might need to manage the disgruntled employee. That’s essentially an insider threat that may cause a lot of problems unless you’ve anticipated those and have made plans.
The last thing is that you don’t have to reinvent the wheel when considering how to manage any of these things. Our office can help. CISA can help, and your local emergency management office can help. I would encourage every business to plan and plan well, because it’s not a question of if you will need a risk management plan, but when.
If interested in assistance or more information Matt Beaudry can be reached at mbeaudry@utah.gov
The Utah Association of Petroleum
This story appears in Pub 1 2019-20 Issue 4 of the UPDATE Magazine.