Cyber Security Poses Threat to O&G Bottom Line

Financial loss and intellectual property theft are two of the impacts businesses are feeling from breaches in cyber security, a threat that the U.S. government and industries are beginning to address.

A number of industries, including the military and health care, have been targeted through cyberattacks, and the Stuxnet virus, which was used to take control of nuclear power plants in Iran, highlights the potential threat to energy assets.

Concerns over breaches in cyber security, which have grown in number and sophistication in recent years, have prompted the U.S. government to begin addressing the issue, including through the National Security Council's Perfect Citizen program, announced in July 2010, which would set up surveillance of domestic computer networks, including private utilities, to monitor for viruses.

Oil and gas companies also are beginning to examine how security breaches can impact their businesses. Energy companies can be vulnerable to security breaches that target data on exploration and production drilling. In one case, data was being stolen from the unsecured email server on a computer workstation aboard a rig.

While some of PwC's clients are taking a wait-and-see approach to cyber security risks, this approach may not be enough to ward off an advanced persistent threat, in which attacks are more sophisticated and targeted and cannot be detected through traditional security monitoring.

"We believe our clients should not be ignoring these threats," said Brad Bauch, principal with PwC, who would like to see the level of monitoring for oil and gas information breaches reach a level seen with credit card companies, who closely monitor transactions and will call customers quickly after seeing suspicious activity.

Security breaches into corporate data have grown over the past decade due to the growing number of corporate systems connected to the internet and the need for workers throughout companies to have access to proprietary information to make decisions.

At the same time, the introduction of so-called "silver bullet" security systems, such as firewalls, gave companies a false sense of security, to the point where many companies reduced their IT staffs and the number of workers monitoring for viruses and other cyber attacks.

Monitoring technologies also become misconfigured, and alerts from monitoring technology become too voluminous for companies to track. If alerts are seen, they are often not interpreted correctly by staff. Many times, companies do not know they've been hacked until someone such as the FBI alerts them.

The abundance of personal data available through social media outlets such as Facebook also is enabling cyber criminals to gather in-depth information on potential victims and make specific, targeted attacks such as spear phishing. One example is an email sent to an intended target, saying they had met someone at a luncheon where an article was discussed. What looks like a link to the article is included, but when the email recipient clicks on the link, a virus is downloaded.

Once a vulnerability in a company's system is exploited, custom-developed malicious software can be installed, including sniffers, backdoors, password crackers, counter-forensic file deletion, and stealth data egress techniques. Target data and domain controllers can be identified and data collected. Customized malware can be difficult to clear out of a company's operating systems.

Cyber threats come in several forms, including espionage by foreign intelligence services to gain military, political or economic advantage. This can include disruption of critical infrastructure.

Transnational criminals, who are usually seeking identity and credit card information which they can sell, pose threats to cyber security, as do corporate competitors who are seeking an economic advantage over a rival. In the case of corporate competitors, the risk of information security breaches may grow as more oil and gas companies form joint ventures.

Insiders also can pose threats to a company. In 2010, 43 percent of security incidents were perpetrated by insiders. While unintentional breaches can occur, a user, employee or contractor also can deliberately infiltrate a system and steal data to sell or disrupt IT services.

The average loss from a single incident of security breach was $875,146, according to the 2011 Global Information Security Survey by CIO Magazine and PwC. Forty-two percent of respondents surveyed reported financial loss as the biggest impact of security breaches, and 32 percent reported intellectual property theft as the second biggest impact.

Thirty percent of respondents said their business' reputation had been compromised by a security breach, while 17 percent of respondents had experienced fraud due to security breaches and 14 percent reported loss of shareholder value due to cyber security issues.

The ultimate cost of a breach goes beyond the initial loss or disruption of service, including cost of legal support, security remediation, forensic investigative support and the cost of making customers whole on financial losses.

In addition to traditional security skills, companies also must acquire cyber security response capabilities such as log aggregation, network and system baselining, network traffic monitoring and live memory monitoring.

"There should be less reliance on signature-based technologies," said Bauch. "These are still valuable, but don't protect against the threat" of a cyber attack.

If a breach occurs, oil and gas companies should define and understand where valuable information is stored on the network and within systems. They should also identify breach indicators, analyze results to determine breach impact, identify remediation activities and evaluate susceptibility to future attacks.

