Presented by:

Oil and Gas Investor


Last December, a hacker known as Robotnik went shopping for some malicious code, finally choosing a ransomware program called Sodinokibi, like a customer checking out at a Best Buy for bad guys.

An advertisement for Sodinokibi offered the hacker a cut of up to 70% of the illicit gains from the program. On Dec. 14, the hacker cordially wrote to the advertiser in Russian: “Hello, this is Robotnik. I want to return to work,” according to a federal indictment unsealed in January. The eventual ransomware attack, as described by the FBI, extorted thousands of businesses by encrypting their data and demanding millions of dollars to unlock it. The attack shut down businesses, crippled cash registers in Sweden, local government computers in Texas and affected the software company Kaesya.

Oil and Gas Investor January 2021 - Energy Cybersecurity - Bryan Benoit Grant Thornton headshot
Cybersecurity has become “top of mind”for companies engaged in M&A, said Bryan Benoit, Grant Thornton’s partner-in-charge of the firm’s U.S. energy advisory.

The proliferation of ransomware and other cyberattacks against such a variety of targets might suggest businesses share an equal risk. Each day about 2,000 new attacks are launched, according to 2020 FBI statistics.

But what’s clear to software experts and the American Petroleum Institute itself is that the energy industry has become a preferred hunting ground for hackers. And those attacks have started to have a direct effect on a core way in which the oil and gas sector is continuing to streamline itself and build scale—through transactions.

Most recently, Superior Plus Corp. reported it was the subject of a ransomware incident on Dec. 12 that impacted the U.S. and Canadian propane and distillates supplier’s computer systems.

The company temporarily disabled certain computer systems to investigate the incident and was in the process of bringing the systems back online.

Cybersecurity has become “top of mind” for companies engaged in M&A, said Bryan Benoit, who serves as Grant Thornton’s partner-in-charge of the firm’s U.S. energy advisory in Houston.

Any number of factors, such as ESG concerns, can affect the cost of capital and discount rate attributable to assets, potentially lowering the purchase price.

As Grant Thornton looks to measure the level of risk a company might be exposed to in a deal, cybersecurity has become a new and highly technical area of concern. The U.S. Securities and Exchange Commission (SEC) is already taking actions that suggest far more stringent requirements for disclosure, particularly regarding private information.

Weighing the relative risk of a company with loose—or less than ideal—cybersecurity controls also require ways to analyze and evaluate the relative price of assets, Benoit said.

“The discount rate basically says that a dollar today is worth more than a dollar tomorrow because a dollar tomorrow is at risk,” Benoit said. It changes the rules regarding disclosure, and dealmakers have to find new ways to evaluate the risk to what they expect an asset to generate.

Oil and Gas Investor January 2021 - Energy Cybersecurity - Cynthia J Cole Baker Botts headshot
Cynthia J. Cole, a partner at Baker Botts, said she’s “absolutely seen deals fall apart” due to not only data security issues but for potential data privacy reasons.

Recent deal activity leads him to believe that the cyber health of a potential oil and gas company acquisition has quickly risen to the top 10 or even top five areas of interest to dealmakers.

Cybersecurity in the oil and gas space has clearly lagged in some areas, at least partly because of the brutal commodity price downturns experienced by the industry.

Cynthia J. Cole, a partner at Baker Botts who specializes in cyber and privacy issues, said she’s “absolutely seen deals fall apart” due to not only data security issues but for potential data privacy reasons.

“I’ve seen financings not go through because the investor is like, ‘Whoa, whoa, whoa, wait a second. This is a lot more expensive than I thought,’” she said. “The potential upside is a lot less than I thought it was going to be because there’s a big ramp up to compliance.”

Cyber experts agree as well that not only are cyber intrusions going to increase, they’re also almost inevitably going to be successful. Instead, they stress ways to limit the damage to companies, quickly discover intrusions and already have systems in place that limit dayto-day business communications from operational controls.

“There’s no way you can prevent the security incident [or] the breaches from happening,” said Derek Han, who leads Grant Thornton’s national cybersecurity and privacy practice. “There’s no way you can’t because nobody is perfect.

“You have to assume a bad thing will happen to you one day, but make sure you really have a resilient infrastructure and processes; you can respond to that really quickly [and] contain the damages really quickly,” he said.

What makes those involved in oil and gas dealmaking nervous is that in many cases, they continue to see cases in which companies aren’t taking those crucial steps.

M&A CYBER INSPECTION

The internet has opened businesses up to an endless Barbary Coast of potential, many based in countries hostile to U.S. interests. Cybersecurity’s security due diligence has taken on multiple levels, from surveys of network infrastructure to appropriate disclosure.

In dealmaking, Mike Hoffman, a principal industrial consultant at Dragos Inc., said his approach is to look at a company’s cybersecurity holistically through the view of the network as well as a more detailed and technical inspection of a potential company’s cybersecurity.

Hoffman said owner-operators taking charge of another company should first perform an architecture assessment that includes a full understanding of how the data is monitored and controlled through a system called Supervisory Control and Data Acquisition.

“I’ve actually done this as an asset, owner-operator taking charge of another [asset],” he said.

Hoffman said he asks for drawings, security controls and anything that lets him understand how the computer system has been pieced together and implemented.

“The first thing I do to make sure their architecture is properly done and [to see] what remediations will need to occur to bring it up to the purchasers’ standards,” he said.

A buyer should also be at firewall rules and other protocols, although “that won’t tell you if the company you’re purchasing has been compromised.”

Hoffman said a buyer would also want to collect information, including monitoring network traffic.

“You’re going to either do a threat hunt across that information that you’ve gathered or a compromise assessment to understand that,” he said.

Once the network is clearly understood, “let’s actually look inside, look at the logs of the systems and look at the data that’s flowing back and forth. And to understand if there’s an adversary in the environment, if there’s malware trying to beacon out on those kinds of things.”

Hoffman said the right amount of rigor will give a buyer an overview of how well the company has operated from a security perspective. 

Soft targets

The most infamous attack on energy assets in 2021 on Colonial Pipeline caused havoc and affected millions of Americans. Colonial was forced to shut down a major pipeline system because of a ransomware attack likely caused by a single weak link.

Oil and Gas Investor January 2021 - Energy Cybersecurity - Derek Han Grant Thornton headshot
“You have to assume a bad thing will happen to you one day, but make sure you really have a resilient infrastructure and processes,” said Derek Han, leader for Grant Thornton’s national cybersecurity and privacy practice.

The company wasn’t infiltrated through an elaborate hack, according to analysis by the company, but likely through outdated security protocols. The company had continued to use an outdated network that may have been compromised using a stolen password, possibly obtained on the dark web.

“We believe the attacker exploited a legacy virtual private network profile that was not intended to be in use. We are still trying to determine how the attackers gained the needed credentials to exploit it,” Colonial Pipeline president Joseph Blount testified at a June Senate hearing.

Blount recounted that the May 7 attack forced the company to rapidly shut down 5,500 miles of pipeline, with delivery points in 13 states. The company transports about half the fuel consumed on the East Coast, providing energy for more than 50 million Americans either directly through gas station pumps or to cities and first responders.

Colonial may have been in the spotlight, but many small and midsize oil and gas operators and pipeline companies are in the same position. As they’ve limped along during industry downturns, they’ve had to choose between survival and spending on security. Along with obsolete but still active systems, they have left themselves susceptible to intrusions and takeovers.

Now, as oil and gas prices recover, the energy sector, including companies engaged in oil and natural gas production, has become the second most popular target for hackers looking for a quick payday, API said in October 2021.

Even the federal government’s efforts have lagged behind. In July 2021, the U.S. Department of Energy released its first new blueprint for defending against cyberattacks in about eight years. Since its previous assessment, commonplace technologies such as cloud computing, mobile devices and artificial intelligence have seen widespread adoption without input from the department. The latest blueprint also addresses evolving threats such as ransomware and supply chain risks.

Oil and Gas Investor January 2022 - Energy Cybersecurity - What is at Risk PwC Graphic

Colonial reportedly paid roughly $5 million in ransom, though the U.S. Department of Justice was able to recoup some of the money.

“Being extorted by criminals is not a position any company wants to be in,” Blount said. “As I have stated publicly, I made the decision that Colonial Pipeline would pay the ransom to have every tool available to us to swiftly get the pipeline back up and running. It was one of the toughest decisions I have had to make in my life.”

Oil and Gas Investor January 2021 - Energy Cybersecurity - Mike Hoffman Dragos Inc headshot
The oil and gas industry is in different stages of cyber preparedness, said Mike Hoffman, a principal industrial consultant at Dragos Inc.

Blount said his decision was based on restoring critical infrastructure as quickly as possible and noted that the company took steps in advance of making the ransom payment to follow regulatory guidance while informing law enforcement so that they could pursue those responsible.

Colonial also engaged Dragos Inc., an industrial cybersecurity firm, to help with the strengthening of its cyber defenses.

Mike Hoffman, a principal industrial consultant at Dragos, said the oil and gas industry is in different stages of cyber preparedness. Hoffman previously served as principal industrial control systems security engineer at Royal Dutch Shell Plc and said that downstream assets have been the predominant focus of oil and gas companies as they look to lock down critical assets.

“Downstream predominantly has been the area where there has been the most maturity,” he said. Midstream and upstream onshore assets have been squeezed by tight economics that have made them perhaps the least protected.

“Especially in upstream operations, there’s not a whole lot of loose money around to start spending on security projects,” Hoffman said. “That said, there’s upstream operations that have seen a lot of mergers and acquisitions going on. That’s definitely a ripe area where companies coming in absolutely need to be concerned about the [security] environment they’re taking over.”

The relative size of a company or its profit doesn’t determine whether a company will be disrupted by hackers.

Oil and Gas Investor January 2021 - Energy Cybersecurity - Joe Nocera PwC headshot
Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute, said that the oil and gas sector has long been a target of hacks, though the motivations have changed over time.

“The adversary can still come to you and use you as essentially a playground or a laboratory for a different type of an attack,” Hoffman said. “We’ve actually seen this quite often, where again, a lot of these smaller companies, they may not have a very good security posture.”

On Nov. 13, for instance, Australia’s Strike Energy Ltd. sent out an email to its shareholders disclosing that its primary electronic communications had experienced a “security event” that resulted in emails with news about the company being disseminated via email.

“Please disregard and delete these emails immediately as they were sent without the company’s knowledge or permission,” it said. “Strike is currently investigating how this communication was sent and will take steps to ensure that any issues are remedied as soon as possible.”

Companies also may not know the extent to which they are vulnerable.

In some cases, mobile devices can be exposed to attack. An application easily downloaded by security teams—or attackers—can scan for devices that are connected to the internet that may be in use in the field.

Smaller companies often don’t have good backup plans or may be more prone to attacks because of poorly designed software architectures. Even in cases in which both exist, monitoring of digital traffic needs to be in place. And without proper due diligence, companies in the process of purchasing an asset will see unintended consequences such as picking up malware that wasn’t identified during the purchase.

“We’ve seen before where a company will look to purchase something and begin to kind of dive in and get malware for instance … connecting to that network,” he said. “So around mergers and acquisitions, that’s a huge piece to highlight and something that the companies need to take into account.”

 

INTO THE GRAY

The risk of cyberthreats has radically intensified concerns among insurers in the past 18 months, Cynthia J. Cole, a partner at Baker Botts who specializes in cyber and privacy issues, said, to the point that even underwriters offering coverage for post-deal liabilities are now more wary of covering potential data liabilities.

Cautious buyers and wary financial underwriters and insurance companies are increasingly unwilling to enter deals with companies that use primitive cyber defenses or, in some cases, don’t ask the right questions.

Disclosure can be complicated. Cole said the U.S. Securities and Exchange Commission (SEC) has lately taken a more aggressive approach to how security is described by companies.

In August, the SEC fined a U.K. educational publisher $1 million for inadequate disclosure of a cyberattack, even though the attack hadn’t resulted in any material damage to the business, according to Gibson, Dunn & Crutcher LLP. At issue was the company’s statements that implied no major data privacy or confidentiality agreement had occurred.

Cole said disclosure laws typically require public notification if two or more pieces of personal information are exposed through a cyberattack. But even in cases where that threshold hasn’t been met, companies tread carefully on how they describe the incidents.

That’s also prompted a far more careful stance by reps and warranties companies, which take on “risks of unknown circumstances” for buyers or sellers, Cole said.

Knowing the right questions to ask about a cyber intrusion or an attack is particularly important.

“In the past, let’s say that [cyber disclosure] question mattered a little less,” Cole said. “Now the rep and warranty insurance companies are saying, ‘Hold on a second, hold on a second. Not only did you not ask the right question in the first place but then you sort of asked the question and you didn’t get an answer that really meets our standards.’”

The result is that insurers aren’t willing to cover problems as they arise.

“I’m seeing pressure from the insurers saying, ‘You have to ask that question specifically, and you need to get a direct answer, or we’re just going to exclude it.’” 

Breach charges

Earlier this year, after engineering studies were completed and various delays on a deal stretched on, a seller finally admitted to a potential buyer that management had been locked out of the company’s servers. A hacker was demanding a ransom in Bitcoin, a CEO familiar with the transaction told Oil and Gas Investor.

“You’re never immune, unfortunately; everyone is subject to ransomware or other attacks,” Baker Botts’ Cole said.

In recent deals in which cybersecurity has taken a larger role in transactions, Cole has seen that some oil and gas companies simply aren’t prepared for the rigors that await them at the deal making table.

When she represents buyers, she often sees sellers that haven’t conducted external testing of their vulnerabilities. Sellers are asked for information such as results of network penetration testing, their internal incident response plan and whether they’ve simulated a response through tabletop exercises.

“It’s relatively shocking,” Cole said. “You get nothing, or you get, like, three pieces of paper,” she said. “It’s absent.

“The problem is how do you properly scope a purchase price … if you don’t really get the information that you need? If you can’t really properly assess the company’s data security?”

Joe Nocera, leader of PwC’s Cyber & Privacy Innovation Institute, said that the oil and gas sector has long been a target of hacks, though the motivations have changed over time. For years, the target for intruders was a company’s intellectual property or a nation-state aiming to penetrate critical infrastructure.

Now, companies are chosen far more indiscriminately.

“With ransomware, we see more of a criminal that’s motivated by financial gain,” he said. “And so I think that has caused the frequency and severity of these attacks.”

Seenu Akunuri, leader of PwC’s U.S. energy and mining valuation practice, said attacks seem to have focused on the most disruption, which has tended to mean midstream assets that move hydrocarbons.

Oil and Gas Investor January 2021 - Energy Cybersecurity - Seenu Akunuri PwC headshot
Seenu Akunuri, leader of PwC’s U.S. energy and mining valuation practice, said attacks seem to have focused on the most disruption, which has tended to mean midstream assets that move hydrocarbons.

But E&Ps are now seeing increased scrutiny during the due diligence process.

Nocera said that companies need to also consider whether a company being acquired has already been breached, whether an actor is already inside its system but also the maturity or the capability of the targeted cybersecurity systems.

“What’s the likelihood that they could be breached going forward? It’s one thing to disclose a breach that you know about. It’s another to be able to assess the likelihood that you could be vulnerable going forward,” he said.

Finally, the thornier questions are what should be disclosed.

“Every company gets attacked every day,” Nocera said. “In many cases, they’ll be these little micro-breaches where an individual user clicks on a link and their workstation gets compromised.”

Then there are breaches in which far more information is exposed, perhaps on a financial level. Depending on the way in which the company’s information systems are designed, that could lead to compromising production operations.

But even those disclosures require some thought.

“The debate that we see in the industry is, is there enough clarity on what’s material and therefore it needs to be disclosed? And how do we disclose information in a responsible way that doesn’t give the attackers a road back to our vulnerabilities?” Nocera said.

Source: Baker Botts

 SAMPLE SECURITY Q&A

  • Discuss your current data security infrastructure, and comment on any interruptions, outages or suspension of systems.
  • Have you ever identified a vulnerability, breach or attempt thereof, including criminal or fraudulent activity?
  • What is your schedule for carrying out regular vulnerability assessments and penetration tests?
  • What are your alerting mechanisms in the event of a breach?
  • How are access credentials selected, allocated and monitored (including via audit) within the company, including with respect to backup, deletion and destruction as well as avoidance of unnecessary collection (e.g. are employees/contractors granted access to sensitive data only if necessary?)
  • How do you terminate system access of departing employees and monitor their compliance with ongoing confidentiality obligations?
  • What is your policy on remote access by employees and using personal and mobile devices for work?
  • Do you have a comprehensive written security management program with expected components for your industry in light of the sensitive/critical data in your business? Is the program periodically reviewed for sufficiency?
  • Describe your security protocols for physical materials, including physical storage and transportation of documents, shredding, policies for locking the office, etc.
  • Does the company vet third-party vendors’ security infrastructures, policies and records? Do you ensure audit rights in all vendor contracts?

Robotnik nabbed

In November, the Justice Department said it had arrested Yaroslav Vasinskyi after he had crossed into Poland and seized $6.1 million from a Russian national who was also alleged to have been involved in the ransomware attacks.

Vasinskyi had worked on creating ransomware since March 2019, according to a federal indictment.