Report: Oil & Gas Cybersecurity Risks to Continue in 2015

Rigzone: In terms of assessing the security of third-party vendors and protecting assets, will this trend increase in 2015? I’m assuming this has to do with oil and gas companies expanding operations into emerging areas and working with new companies. Is this primarily an issue for overseas operations, or is this an issue companies also face working in the United States?

Senterfit: Joint ventures in new territories with new partners bring an unprecedented amount of risk from a cyber, physical and operational perspective. We’ve seen how subcontractors can introduce cyber threats into a large corporation through unconventional means. We also know that the supply chain and the extended enterprise of some of the large operators are the subject of cyberattacks, with disruptions due to one or more of their third-party impacted. Proactive and predictive analysis of the supply chain and third-parties is a key element of an integrated risk approach. 

[In some cases], the operator may not be the target of a cyberattack or labor issues. It might be one of their key suppliers and even if the contract has terms protecting the operator it does not solve the operational issues that may occur. As company’s team or join with regional partners, the question around physical and cyber security, classification of data and protection of IP becomes even more important as we become electronically attached to companies from different nation states. This is also not isolated to international/overseas operations. International companies are entering the U.S. market and the entire supply chain and third-party vendors have access and monitor for risk.   

Rigzone: In terms of crisis management plans, do you see more oil and gas companies including cybersecurity in these plans? Is this something that’s still lacking in terms of the number of companies or the types of plans? Should oil and gas companies seek outside help in designing these plans, or are existing practices they’ve used in the past enough?

Senterfit: Actually the reverse, to a certain extent, many organizations are working to put in place contingency plans for an inevitable cyber security attack or compromise, and so we’re seeing the traditional incident response evolve into a complex set of response activities and preparedness plans involving legal, marketing and PR teams, regulatory and compliance, and cyber indecent response teams, but more importantly led, coordinated and managed by an overall incident commander. We’re helping our clients to design comprehensive incident response plans that go way beyond the typical cyber aspects. These plans are integrated into the companies’ business continuity and crisis management plans. We’re also helping some of the more advanced companies to implement real-time sentiment monitoring tools to measure the effectiveness of those plans during an incident or crisis.

Rigzone: Do you see more cooperation coming in 2015 in the oil and gas industry on lessons learned or strategies for dealing with cybersecurity?

Senterfit: In 2014 we saw the creation of the ONG-ISAC, (the Oil and Natural Gas Information Sharing and Analysis Center). It’s in the process of becoming operational with a view to cross company collaboration sharing of cyber security threat intelligence, including specific industry threats, directed campaigns and attribution information. The ONG-ISAC is a not for profit organization and is specifically being set up with the tools and staff to assess, share and action that cyber intelligence, and provide solid information about dealing with those threats back into the community. Many of the Critical Infrastructure sectors have established ISACs with Financial Services probably the most mature.


1234

View Full Article

WHAT DO YOU THINK?


Generated by readers, the comments included herein do not reflect the views and opinions of Rigzone. All comments are subject to editorial review. Off-topic, inappropriate or insulting comments will be removed.


Most Popular Articles