Oil, Gas Looks to Hire More Cybersecurity Professionals to Address Risks

Oil and gas companies are looking to hire more cybersecurity professionals to address the growing risks that cyberattacks pose to the industry.

Oil and gas companies are looking to hire more cybersecurity professionals as recent advances in oil and gas technology, which have created greater efficiency and reliability, also raise the industry’s risk from cyberattacks.

As it becomes more lucrative and high-profile, the oil and gas industry has become more of a target for cyberattacks.

“Oil and gas is holding the economy together in a lot of ways, and one of the few sectors not struggling,” said Chad Pinson, managing director at global investigations, intelligence and risk management firm Stroz Friedberg.

Pinson said more of Stroz Friedberg’s clients are talking with the company about ways they can bolster their cybersecurity preparedness.

The hiring trend is not surprising, given the growing stakes and damage that can be caused by both sophisticated and unsophisticated attackers, Pinson noted.

“While the level of sophistication for cyberattackers has grown, even an unsophisticated hacker can download a tool and do pretty good damage.”

Steve Senterfit, vice president of Booz Allen Hamilton’s commercial energy business, said the firm is seeing increased hiring activity of cyber intelligence and cyber professionals in the oil and gas industry across all levels, from junior level workers to more senior level individuals.

Of the 200 cyberattacks against all critical infrastructure to which the Industrial Control Systems Cyber Emergency Response Team responded, 53 percent were related to the energy sector, the highest percentage for any industrial sector, according to a report released last year.

While cybersecurity has become an increasing focus of the oil and gas industry, the industry faces a shortage of true cybersecurity resources, and challenges in hiring workers with forensic skills versus traditional IT workers who are experts on incidents, not malware, said Julian Waits, CEO of ThreatTrack. Waits, who works with a number of oil and gas clients, has seen an increase in spear phishing and advanced persistent threats such as fraud at credit card systems at gas stations or defrauding of employees of the actual entities themselves.

The oil and gas industry is competing for these professionals not only with a number of industries, such as retail and technology, but also with the U.S. government. Consulting firms like Stroz Friedberg, which work across a number of fields and disciplines, are also working to attract talent as well, said Pinson.

Over the past few years, large, integrated companies have hired chief information security officers (CISO) to develop and implement a corporate cybersecurity strategy.

“That tells you how serious it is,” Senterfit commented.

Smaller to mid-sized oil and gas companies are also starting to put CISOs in place.

“You take a well-versed chief information security officer who understands cybersecurity, and they can go from company to company in two to three-year hitches and can increase their compensation by a high degree of percentages,” said Jim Guinn, who heads up IT Security, Privacy and Risk for PwC’s energy sector practice.

“We get phone calls from recruiters looking for folks, and in the oil and gas space, especially in Houston, the skill level in the talent pool is shallow in the sense of available resources.”

Megamajor oil and gas companies understand the cybersecurity threat, and have evolved to be potentially as good as the financial services industry in their cybersecurity preparedness. However, some large independents, midstream companies and market refiners are still discussing whether cyberattacks present a valid threat, said Guinn.

Brian Henchey, partner in Baker Botts LLP’s corporate practice, also sees increased demand for security experts, but said the trend is neither recent nor tied to the rash of publicized breaches.

“Drilling equipment technologies, especially offshore rigs, achieve higher levels of efficiency and reliability using proven methods from other modern industrial tools and appliances – computerization, automation, and network integration.”

The improvements in tools used to extract and transport oil and gas resemble the evolution in automobiles from the 1970s – in today’s cars, computers are central to steering, braking, fuel economy and emergency measures, and their presence makes cars safer and more fuel efficient, said Henchey.

“However, the failure of a computer system at high speed creates the potential for real-world, physical harm,” Henchey commented. “Oil and gas operations necessarily involve the risk for catastrophic personal, environmental and economic damage arising out of equipment failures, and companies have long integrated safety and security measures into their DNA.”

Introducing advanced systems and networks into the mix does not alter the focus on safety and security, but it does significantly increase the scope of the efforts to ensure rig safety, Henchey noted.

“New avenues through which bad actors, or even unintentional actors, could cause harm, and require new and more specialized skills to combat the risk of damage.”

The industry needs cyber intelligence professionals who understand not only the technical aspects of upstream, midstream and downstream companies and the anomalies within the systems of these companies, but also the industry’s cyclical nature and business drivers, including joint ventures, mergers and acquisitions and seismic data activity worldwide as the industry looks for the next big find, said Frank Weber, director of cyber security, energy sector with NSS Labs.

All companies, from oil and gas majors to service companies, face risks from cyberattacks, due to the fact that these companies work together.

“You’re only as strong as your weakest link,” said Weber.

This need for synchronized cybersecurity preparedness extends from operations to the legal aspect of business. At the same time, a competitiveness exists in the industry which means that not much information sharing on cyberattacks takes place.

The focus of cybersecurity professionals has also changed as the industry’s approach to cyberattacks shifts from a responsive approach to one of continuous detection and response.

“Cybersecurity professionals have to walk into a network and assume that a company has already been attacked and infiltrated, every day, every second, rather than a wait and see approach.”

As more sensors are added to pipelines for increased efficiency gains in maintenance and environmental aspects, they are also potentially in harm’s way for cyberattacks, said Senterfit.

What Companies Are Looking for in Cybersecurity Professionals

While a cyber intelligence professional’s role includes some aspects of traditional IT work, such as network monitoring or watching a firewall, cyber intelligence professionals must understand not only the IT and enterprise aspects of a company but also operational technology such as SCADA systems. Cyber intelligence workers also must have an analytical background to synthesize information from many different sources beyond network monitoring or watching a firewall, said Weber.

“The cybersecurity professionals that I worked with have demonstrated a very particular set of skills beyond just the traditional disciplines of IT professionals,” said Henchey. “Almost universally, they have acquired these skills in connection with a background in security – military, law enforcement, intelligence.”

In Henchey’s experience, the distinguishing factor between a security and an IT professional is a “threat-oriented” mindset and awareness combined with the latest information on bad actors (such as criminal networks or non-state actors) – anything and everything can be a vulnerability or a vector for harm. Contrast this approach with a traditional IT professional where threats are an important consideration, but the primary goal is to ensure system availability. Both roles are complementary and are critical to an organization.

“Since the primary focus will be on the safety of the industrial controls used in production and transportation, the industry will require professionals that are skilled in IT and cybersecurity, but also well-versed in the control technologies themselves,” said Henchey. “Contrast this with an industry where the primary cybersecurity issue is protecting data centers and networks, and where the needed skillsets are more widely available.”

An IT professional has to think about whether a SCADA device works well; a security professional needs to think about how, as a device works, it can be protected from an attack that disrupts service or allows a third party to take control of the device, said Pinson.

Cyber intelligence professionals also need to have a good understanding of the business, what might happen in the field from a safety standpoint, and what kind of threats might be posed from the drilling and production state.

“A lot of times, the job is to keep the trains running on time so a train can get from point A to point B with correct riders and without disruption or injuries. Good architecture, good policy and good procedure are needed to ensure reliability and quality of service,” said Pinson.

While a balance between service and security is needed, security professionals have to examine how secure the devices and networks on which services are delivered are, so an attacker can’t disrupt service. To achieve this goal, cybersecurity professionals need the skills to address network and device architecture not only from a service standpoint, but also from a security standpoint, Pinson commented.

Peter Martini, CEO of IBoss, said cybersecurity professionals tend to be better trained in using technology silos: not just in traditional technology such as firewalls or traditional intrusion detection systems, but in how different silos can be leveraged together for a more collaborative mix of information. Cybersecurity is moving towards focusing on different methods. It’s not about behavioral sandboxing, but looking at different tools and constantly monitoring and looking for microchanges that indicate a potential breach or attack.

Cybersecurity professionals must monitor all information across a company’s network, and understand where data flows in and out and what it touches. 

“A chief information security officer would need to make sure the person in charge of firewalls had their area of control connected, and make sure workers in charge of monitoring intrusions and personnel directory control team did their job, but how all these sections played together was necessarily part of the role. Instead, separate progress reports would come from each area.”

Booz Allen Hamilton is also seeing an increase in oil and gas companies submitting solicitations into the commercial market looking for cyber capabilities where they’ll partner with a firm versus hiring individuals. Security firms are providing training services not only for cyber intelligence roles in oil and gas companies, but to raise awareness across entire companies about warding off or mitigating attacks.

Oil and gas companies are partnering with outside firms not only to procure technology but to implement training programs. These programs can train workers for cyber intelligence roles from both an IT and a business perspective. Whether a company hires a partner to address cybersecurity concerns depends on the company’s focus. Most companies will have some internal level of capability, so this function won’t be completely outsourced, said Senterfit.

“Oil and gas companies should ensure that their current IT staff is kept abreast of the latest developments, vulnerabilities, threat detection and mitigation techniques and is provided the tools and services needed to maintain security in the ordinary course of business,” said Henchey. “At the same time, because the pool of cybersecurity professionals specific to the oil and gas industry will be tight for some time, the training and education is probably best handled by specialized cybersecurity firms who are able to dedicate resources across the industry.”

These firms, such as Wurldtech, are able to perform audits and assessments to identify and correct vulnerabilities in industrial control systems. Wurldtech focuses on oil and gas industry control security from both the manufacturer and operator perspective, Henchey noted.

What to Look for in a Cybersecurity Professional

Workers with computer science or information technology backgrounds or any engineering degree make good candidates for cybersecurity positions; however, workers with other educational backgrounds can also be effective in cyber intelligence positions. One of the best reverse engineers of malware that Brian Foster, CTO of Damballa, has come across had a degree in biology. Foster himself has worked in cybersecurity for some time and has an engineering degree.

“Certainly people with scientific backgrounds or who have demonstrated an aptitude for science and analytics” would fit in a cybersecurity professional role, but many people in social sciences also are in the space, Foster noted.

Cybersecurity is a new career field, with opportunities for individuals to shape where a company might go with it, Senterfit commented. However, companies will need to create a career path for these professionals in order to retain these workers.

“If they don’t see any place to go, they’ll go elsewhere.”

This aspect is something the oil and gas industry will face as it becomes more mature around cybersecurity and acquiring these capabilities.

While cybersecurity programs are being established at the university level, hands-on experience and certifications are critical. Cybersecurity professionals should have multiple certifications and understand the different types of software vendors and manufacturers utilized by the oil and gas industry, said Martini. Many certifications don’t require formal degrees, but rely more on industry experience. Formal degrees typically haven’t been focused on cybersecurity and network security in general.

Protecting against cyberattacks is not just about technologies, but skill sets. The breach of customer data at Target, a U.S.-based retailer, raises questions, such as how information on anomalous behavior was targeted and what kind of risk level was put on it. Having workers with the right skill sets in place to monitor data can help companies better determine what anomalous behavior presents issues.

The threat that many oil and gas companies face is that hackers have figured out legacy technology. Companies that are hiring workers with a 20-year history with Cisco firewalls need to make sure that workers are familiar with more recent technology, and not just stuck on static technology.

Waits, who sees huge demand for workers who have come up through the ranks and understand the blocking and tackling of security, anticipates more spear phishing and polymorphic attacks, a new type of malware that executes in a different way each time. This type of malware can’t be detected without advanced tools.

Officials See Need for Industry to Collaborate with Universities

Waits sees the issue as one of what the industry is looking to hire and what the industry is looking to invest. He sees the need for industry not only to invest in and collaborate with universities, but also to do so at the high school level to encourage more people to enter the cybersecurity industry. While a number of schools have STEM [science, technology, engineering and mathematics] programs, these programs are generic and don’t have a cybersecurity focus.

Guinn believes that more university programs focused on cybersecurity will become available if they see a need. Emphasis is being put on a handful of accredited university cybersecurity programs, which should ensure that people graduating from these programs have the right skill sets.

Waits has started to get involved unofficially in the Tampa, Florida area to promote cyber intelligence education programs at the high school level.

“The students who want to root phones and Xboxes are the inkling of people who become hackers,” said Waits. “I want to make sure more of these kids become good guys.”





