Directive Seeks to Coordinate Response to Oil, Gas Cyberattacks
A U.S. presidential policy directive will treat companies targeted by cyberattackers as victims of a crime – and not automatically at fault – as the government looks to create an environment conducive to sharing information on cyberattacks, according to a former official with the U.S. Federal Bureau of Investigation (FBI).
The Presidential Policy Directive 41 (PPD 41) on United States Cyber Incident Coordination, signed July 26 by President Obama and now in effect, establishes guidelines for how the U.S. federal government will respond to cyberattacks launched against the public and private sectors.
This includes U.S. companies across a number of industries, including oil and gas. The cybersecurity risks that oil and gas companies face continue to grow, according to the 2016 BDO “Oil & Gas Risk Factor” report. Risks associated with data breaches have grown from just 12 percent in 2012 to 74 percent in 2016, with cybersecurity proving to be a rapidly moving target as bad actors evolve and leverage increasingly sophisticated hacking methods, BDO stated in the report. BDO is an accounting and consulting firm that provides services to over 400 publicly traded domestic and international clients.
“Cyber incidents are a fact of contemporary life, and significant cyber incidents are occurring with increasing frequency, impacting public and private infrastructure located in the United States and abroad,” the White House said in a July 26 press statement. “While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have more significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts,” the White House stated.
PPD 41 designates lead agencies for government action in responding to a threat, protecting an organization’s assets, gathering and analyzing intelligence, and restoring operations, according to an August 2016 analyst note by BDO Consulting. It also establishes principles to guide the government response, a three-tiered architecture to coordinate the response to significant cyber incidents at the policy, operational and field levels, and a shared framework for evaluating and assigning a severity level to an incident.
PPD 41 is really concerned with how the government treats victim corporations, and how information about the private sector is shared across the federal government, John Riggi, head of consulting firm BDO’s cybersecurity and financial crimes unit, told Rigzone in an interview. Riggi, an FBI veteran, served as an official private sector validator for PPD 41. The new directive calls for government agencies to take all needed steps to protect a company’s reputation and its proprietary data that is uncovered during an investigation, Riggi stated.
“The directive, which impacts all industries equally, is a positive step in that the federal government is required to share information with the private sector, and must respond in a unified and coordinated manner to major incidents,” Riggi said to Rigzone.
As a victim, the company would be entitled to other services beyond technical response. This includes legal guidance from the FBI’s Office of Victim Witness Protection, Riggi stated. The FBI also would coordinate media statements and help a victim company manage internal and external communications. In many cases, the personal information of people inside a targeted company is stolen. For example, the government actually provided victims of the Sony Pictures cyberattack with services to manage how to deal with the situation, Riggi said.
Detrimental Impact for Oil and Gas?
Jeremiah Talamantes, managing partner of cybersecurity testing firm RedTeam Security, told Rigzone that many of his firm’s oil and gas clients haven’t had time to determine how PPD 41 will impact them. But Talamantes believes the directive could be detrimental to the oil and gas industry.
The oil and gas industry should mainly be concerned with Section V(B)b of PPD 41, Talamantes told Rigzone. In his opinion, this section suggests significant involvement of multiple federal agencies in a time of a “significant cyber incident”.
“Additionally, the way this type of incident is broadly defined within this document, there are a lot of instances where the federal government could justify its involvement, oversight and presumably regulation,” Talamantes explained. “The bottom line for the operator here is they will be hit with increased costs, liability and public exposure, as well as future regulatory problems.”
Talamantes believes that both PPD 41 and the NIST cybersecurity framework could elevate financial risk for oil and gas companies, depending on the scale of demand resulting from an environmental incident. While NIST is voluntary, it does increase the liability risks for companies that are found not to have achieved its standards. With increased government involvement, oversight and reporting during “significant” incidents, it could increase the risk to companies of public exposure, leading to shareholder, local government or consumer lawsuits, Talamantes commented.
The implementation of PPD 41 will prompt private oil and gas firms to shift their focus to cybersecurity concerns and place increased emphasis on the development of processes which solicit government aid in the event of a cyberattack, Stewart Kantor, CEO of Full Spectrum Inc., told Rigzone in an email statement. Full Spectrum is a wireless communications firm that provides technology to the upstream and midstream oil and gas industries.
“This push may drive the industry to reconsider where cyber vulnerabilities exist in their current practices and introduce new procedures and technologies designed to minimize risk of a cyberattack,” Kantor commented. “One such example is the vulnerable public data communication networks currently used for monitoring and protecting critical assets of the oil and gas companies.”
To minimize the risk of a hacker entering and potentially damaging a company’s assets, Kantor anticipates that private cellular data networks will be adopted as best practice, since they provide the necessary security, IP automation and capacity to isolate damage caused by cyberattacks or natural disasters, including inclement weather.
U.S. Government Seeks to Create Environment for Sharing
Through the directive and the Computer Information Sharing Act (CISA) passed late last year, the U.S. federal government is trying to create a conducive environment for sharing information regarding cyberattacks. The CISA provides an incentive for sharing through a statute that grants liability protection for the information shared, Riggi stated.
“If they share particular threat information on vulnerabilities, the government can’t use that information to go back and basically conduct a regulatory audit or place regulatory liability on a company,” Riggi explained.
To truly understand the nature of cyberthreats, the federal government and the private sector need to share information, Riggi stated. The vast majority of cyberattacks are occurring on private sector networks, which the government cannot access, but government networks also are being targeted. Some clues may exist in private sector attacks that could help the government defend its networks against mutual cyber adversaries.
“The presumption has been for over the past 10 years that, when a company has suffered an attack, it’s because they didn’t spend enough money on cybersecurity or it wasn’t a high enough priority for the company,” said Brian E. Finch, a Washington, D.C.-based partner with law firm Pillsbury Winthrop Shaw Pittman LLP, in an interview with Rigzone.
But the recent cyberattack on the Democratic National Committee has changed the narrative of the debate. The attack, allegedly carried out by Russia, has made the U.S. government realize that organizations are not automatically at fault for cyberattacks by foreign countries.
While companies would still face liabilities, Finch sees more tolerance for a conversation between the U.S. government and companies about an attack.
“It’s a national security issue, not about whether a company invested enough” in the right technology to prevent a cyberattack.
Senior Editor | Rigzone