Directive Seeks to Coordinate Response to Oil, Gas Cyberattacks

A U.S. presidential policy directive will treat companies targeted by cyberattackers as victims of a crime – and not automatically at fault – as the government looks to create an environment conducive to sharing information on cyberattacks, according to a former official with the U.S. Federal Bureau of Investigation (FBI).
The Presidential Policy Directive 41 (PPD 41) on United States Cyber Incident Coordination, signed July 26 by President Obama and now in effect, establishes guidelines for how the U.S. federal government will respond to cyberattacks launched against the public and private sectors.
This includes U.S. companies across a number of industries, including oil and gas. The cybersecurity risks that oil and gas companies face continue to grow, according to the 2016 BDO “Oil & Gas Risk Factor” report. Risks associated with data breaches have grown from just 12 percent in 2012 to 74 percent in 2016, with cybersecurity proving to be a rapidly moving target as bad actors evolve and leverage increasingly sophisticated hacking methods, BDO stated in the report. BDO is an accounting and consulting firm that provides services to over 400 publicly traded domestic and international clients.
“Cyber incidents are a fact of contemporary life, and significant cyber incidents are occurring with increasing frequency, impacting public and private infrastructure located in the United States and abroad,” the White House said in a July 26 press statement. “While the vast majority of cyber incidents can be handled through existing policies, certain cyber incidents that have more significant impacts on an entity, our national security, or the broader economy require a unique approach to response efforts,” the White House stated.
PPD 41 designates lead agencies for government action in responding to a threat, protecting an organization’s assets, gathering and analyzing intelligence, and restoring operations, according to an August 2016 analyst note by BDO Consulting. It also establishes principles to guide government response, a three-tiered architecture to coordinate the response to significant cyber incidents at the policy, operational and field levels, and a shared framework for evaluating and assigning a level of severity to an incident.

PPD 41 is really concerned with how the government treats victim corporations, and how information about the private sector is shared across the federal government, John Riggi, head of consulting firm BDO’s cybersecurity and financial crimes unit, told Rigzone in an interview. Riggi, an FBI veteran, served as an official private sector validator for PPD 41. The new directive calls for government agencies to take all needed steps to protect a company’s reputation and its proprietary data that is uncovered during an investigation, Riggi stated.
“The directive, which impacts all industries equally, is a positive step in that the federal government is required to share information with the private sector, and must respond in a unified and coordinated manner to major incidents,” Riggi said to Rigzone.
As a victim, the company would be entitled to other services beyond technical response. This includes legal guidance from the FBI’s Office of Victim Witness Protection, Riggi stated. The FBI also would coordinate media statements and help a victim company manage internal and external communications. In many cases, the personal information of people inside a targeted company is stolen. For example, the government actually provided victims of the Sony Pictures cyberattack with services to manage how to deal with the situation, Riggi said.
Detrimental Impact for Oil and Gas?

Jeremiah Talamantes, managing partner of cybersecurity testing firm RedTeam Security, told Rigzone that many of his firm’s oil and gas clients haven’t had time to determine how PPD 41 will impact them. But Talamantes believes the directive could be detrimental to the oil and gas industry.
The oil and gas industry should mainly be concerned with Section V(B)b of PPD 41, Talamantes told Rigzone. In his opinion, this section suggests significant involvement of multiple federal agencies in a time of a “significant cyber incident”.
“Additionally, the way this type of incident is broadly defined within this document, there are a lot of instances where the federal government could justify its involvement, oversight and presumably regulation,” Talamantes explained. “The bottom line for the operator here is they will be hit with increased costs, liability and public exposure, as well as future regulatory problems.”
Talamantes believes that both PPD 41 and the NIST cybersecurity framework could elevate financial risk for oil and gas companies, depending on the scale of demand resulting from an environmental incident. While NIST is voluntary, it does increase the liability risks for companies that are found not to have achieved its standards. With increased government involvement, oversight and reporting during “significant” incidents, it could increase the risk to companies of public exposure, leading to shareholder, local government or consumer lawsuits, Talamantes commented.