Could Trump Take Pointers from ExxonMobil's Tillerson on Cybersecurity?

If confirmed as U.S. Secretary of State, former Exxon Mobil Corp. CEO Rex Tillerson could play a role in deciding how cybersecurity policy impacts the oil and gas business, an industry analyst told Rigzone.

“If you look back to Tillerson’s commentary in the 2013 timeframe, he mostly focused on ensuring his people were trained to be better at cybersecurity issues,” Ken Talanian, director of software research with Evercore ISI, told Rigzone. “I think that he was spot on in focusing on the habits of the employees in addition to making technology investments. He was also one of the guests to join the cybersecurity discussion with Obama at the White House.”

In 2013, Tillerson and corporate leaders from the defense, technology, energy and banking industries told President Obama they agreed that cyberattacks posed a top security threat, but said they wanted a ‘light touch’ from the government in response.

ExxonMobil offers a web-based cybersecurity training program on how to identify and respond to potential cybersecurity risks, in addition to an ongoing awareness program to reinforce safe computing behaviors, Kimberly A. Clark, public and government affairs with ExxonMobil, told Rigzone.

Talanian guesses that most business leaders, including leaders in the oil and gas industry, will not look directly for help from the government on cybersecurity issues. But they will want government’s indirect help in dissuading nation state actors from hacking. He also thinks that job creation will occur within the U.S. government for cybersecurity, but the trend is not exclusive to oil and gas.

It’s too early to tell who Trump picks to lead U.S. cybersecurity efforts. But his choice will be critical, as will his choices for the public and private partners that are brought in as advisors, Matthew Brennan, president of cybersecurity and managed services solutions provider VirtualArmour, said to Rigzone.

“The government is going through a cultural change that requires a shift in defense strategy from the physical fight to the virtual fight,” Brennan said. “This is also true from a budgetary perspective. Underfunding cybersecurity initiatives could have a detrimental impact for the government’s ability to protect critical infrastructure.”

Because no major breaches have recently been announced, the topic of cybersecurity in the oil and gas space has been quiet recently. That doesn’t mean that the threat of cyberattacks has gone away, Talanian said. The Saudi Aramco hack in 2012 – when an unleashed virus erased data from three-quarters of Aramco’s corporate personal computers – would have served as a wakeup call for the industry if the Stuxnet attack in 2010 on an Iranian nuclear facility didn’t.

Cyberattacks on U.S. businesses such as Target – and speculation that Russian President Vladimir Putin hacked into U.S. computer systems to influence the U.S. presidential election – are examples of the growing cyberrisks that the United States faces. Critical U.S. infrastructure, which includes oil and gas pipelines, is also vulnerable to cyberattacks.

President-elect Donald Trump’s planned review of the United States current defenses/vulnerabilities, including critical infrastructure, will likely touch the oil and gas industry, Talanian said. However, Trump’s use of “negotiator tactics” makes it unlikely that he would publicly divulge his plans for U.S. cybersecurity strategy when he takes office later this week. Talanian believes that Trump’s actions will be reflective of his business strategy, such as keeping his views private in some cases where he thinks he might have leverage.

“I don’t think the United States is at risk of entering the plot of the fourth Die Hard movie, but clearly cybersecurity poses a threat that operators should take seriously,” Ethan Bellamy, senior analyst with R.W. Baird, told Rigzone.

“We just had the Russians release sensitive private correspondence that may have altered the results of the U.S. election,” Bellamy said. “You’d be a fool not to take this seriously when it comes to protecting operations and the privacy of commercial secrets and customer data.”

So what might Trump’s cybersecurity policy look like?

The growing presence of Internet of Things (IoT) technology is propagating industrial control espionage. For this reason, the Trump administration will likely move towards a more holistic approach to enhancing cyber control within energy, including oil and gas, Tauseef Ghazi, cybersecurity expert and principal of security and private services with audit, tax and consulting firm RSM, told Rigzone. In the next year or so, Ghazi thinks there might be a push for public accounting firms to review cybersecurity strategies through annual audits. He also sees companies potentially reworking cybersecurity standards as needed, or insurance companies requiring companies to meet certain standards for payouts for cybersecurity losses.

For the oil and gas industry specifically, Ghazi sees additional guidelines for things such as health, safety and environmental issues for exploration and production, but not mandated, specific, stamped regulations for public oil and gas companies.

Ghazi said that enterprise risk management should drive cybersecurity efforts, not frameworks and standards.

“The frameworks and standards that are in place are really about compliance, not security,” Ghazi said.

The greatest risks for oil and gas cyberattacks will occur at enterprises that are under severe financial pressure and have abandoned or mothballed facilities, or cannot maintain the resources to protect their assets. Because of the decline in oil prices in recent years, there will be firms in economic distress that may need assistance from the government to secure their assets, Stewart Kantor, CEO and co-founder of wireless telecommunications provider Full Spectrum, told Rigzone.

“It could be potentially beneficial for these firms to have the ability to bring in government resources until these assets can be secured properly. Also, the recent presidential directive (PPD 41), offering assistance to firms under cyberattack, provides a quality option to support operators during a time where cyberthreats are active and cybersecurity options are being vetted.”

Cybersecurity Workforce Development Critical

The United States will need to develop its cybersecurity workforce to meet future cybersecurity needs, Ghazi said.

“In the oil and gas space, you’re going to have a loss of talent as workers age,” Ghazi said. “That loss, in conjunction with a lack of cybersecurity skills in the sector, makes the oil and gas sector vulnerable to attacks. Tools and technologies can help manage and operationalize cybersecurity, but these tools and technologies are not good at conducting risk assessment.”

Colleen Kennedy, analyst with Boston-based Lux Research, told Rigzone that training and awareness on cybersecurity appear to be a main focus recently among its oil and gas clients.

“Regardless of politics or government initiatives, protecting their physical and virtual assets is already important,” Kennedy stated.