Prior to June 20, 2013, the group “Anonymous” threatened to conduct a cyber attack against the oil and gas industry that day. June 20 came and went without incident. But the industry is not always so fortunate.

During a Hart Energy Executive Energy Club breakfast on cyber security, Don Paul from the University of Southern California and Neil Siegel from Northrop Grumman discussed the seriousness of the cyber security issue and how energy companies should address it. The breakfast was not a how-to on protecting a company’s physical and digital assets but more of a discussion of the paradigm shift that needs to take place before companies can really consider themselves “secure.”

Paul was responsible for managing Chevron’s cyber security initiative during his tenure there. “I began thinking about cyber security when we were getting ready for Y2K back in the late ‘90s,” he said. “We set out on a project where Chevron was going to literally map all of the microprocessors in the company. There were quite a few of them.

“It became very clear that many of the threats were going to be from exposure points that were not in the CPUs or in the corporate IT. The very nature of oil and gas, which is distributed physical infrastructure, many times in areas that are less than secure physically, means that the physical security was going to play a part.”

After the Sept. 11, 2001, terrorist attack and the formation of the Department of Homeland Security, Paul initiated a project with that department to understand the threats to structures and the direction that technology development could take to help defend infrastructure. That project, called Project Logic, is now in its fifth generation. “It’s very encouraging to see something we started so long ago growing with many companies participating,” he said.

In his comments, Paul noted a couple of key issues. One is that the threat will continue to change and evolve. “All you have to do is think back five years and how you thought about cyber security then and then think about how you view it now,” he said. “That gives you the idea that this is not a static situation.”

His other key point is that cyber security is not just an IT issue. “It has technical roots, but fundamentally it’s a management problem,” he said. He used safety culture as an analog. “The elements that go into safety are clearly a management problem. It’s the nature of the risk of change.”

Key threats

For management to play a key role in cyber security, it’s important to know not only the threats but the motives. One of the most common threats is what Paul refers to as “mischievous hacking,” much like the Anonymous group threatened on June 20. “This is where cyber security began,” he said. “It still goes on, but it’s not the main issue. When I retired from Chevron we were averaging 50,000 attacks a day. But they were mostly in this category.”

Another threat is a criminal attack. While most people might associate this with financial institutions, Paul said that an oil company’s financial data could be a significant advantage to attackers seeking to gain market positions. Again, he said, this is clearly a management responsibility.

“Increasingly we have seen criminal activities that are transnational, highly organized, and well-funded,” he said. “This is not a trivial activity.”

Industrial espionage is another threat. While it existed well before the advent of computers, new technology is enabling more sophisticated activity. “How valuable would it be for someone to know your plans if you’re planning to bid on an international concession? A fair amount, I would think,” he said. This type of activity points up another critical threat in the cyber world – that one of the biggest threats to a company’s cyber security is its own employees. “Somebody might even do this for ideological reasons – ‘I’m just going to put this information out there.’ It’s almost impossible to prevent.”

Another threat is radical politics, and Paul noted that the oil and gas industry has long been a large and popular target for political groups both locally and internationally. “Political motivations increasingly are an exposure, whether this comes from damaging a reputation, something that might prevent a company from getting a key permit for a facility, etc. All of these kinds of things are threats that are worth thinking about.”

Finally there are state-sponsored attacks, and Paul said that these are considered advanced, persistent threats. “This is something for us to think about because the nature of the threat and the extensive resources being applied to it are much more substantial than many of the more traditional attacks.”

Considerations for management

For a management-driven strategy to be successful, many considerations must be taken into account. First of all, the same technological advances that enable companies to be more efficient through automation and digitization create, as Paul put it, “multidimensional exposures.” “The more automation you have, the more digital intensity you have in your business, the more exposure you have,” he said. “That’s the tradeoff for having the efficiencies.”

Second, the threat environment is dynamic. Even things like social media can create significant exposures, he said.

“The capabilities of the IT system are going to be materially higher,” he said. “I delivered this message early on, and I thought the chairman was going to fire me when I said this is not a solvable problem. But it is a manageable problem, and one of the keys is managing the threats because they will get more sophisticated. This is an ongoing situation.”

Again Paul stressed the need for management to become actively engaged in a company’s cyber security position. This includes not only technology but also the right company culture. “It’s just like what we learned in the industry 15 years ago when we decided we could do better on safety, that we didn’t have to accept the injuries and deaths,” he said. “That required leadership, it required a change in culture, and it required effective processes. I think this is exactly the same story.”

More than a Band-Aid

Siegel noted that Northrop Grumman’s customers typically have critically important and very complex missions that must never stop. “The threats evolve continuously, and there are active, talented adversaries who try to interfere with those missions,” he said. “The techniques that we use to defend that mission must change and evolve every day.”

He said that the oil and gas industry has similarities to the defense industry, including its often high-risk locations, its high-value capital assets, its distributed operations, and its increasing digital intensity. Additionally, it has highly confidential information that needs to be protected, there is a low public tolerance for incidents, and the cyber threats are becoming increasingly sophisticated.

He added that Northrop Grumman’s experience in the defense industry can easily be imported to oil and gas. “I’ve done Silicon Valley and the steel industry and even, God help me, the entertainment industry. Fundamentally none of those really worked as an attractive business proposition because our mindsets about how to do the job were different.”

Defense contractors are best-suited to providing the level and sophistication of protection that the energy industry needs, he added. “In my view only the government has the resources to deal with this threat and keep up with it. I cannot afford a staff that looks at computer monitors to analyze 100,000 events a day. So you use computers to look at those events, and either throw away or automatically deal with them so that only a small set goes to human operators for analysis and eventual action.

“And what you can’t afford to be is wrong. A tremendous amount of the research and investment that the government makes in us goes into this. This is something that the commercial industry does almost not at all.”

At the end of the day, Siegel said, this is a complex problem. “But it’s a risk management problem that is addressable by risk management strategies and good technology.”