Stark Realities of Managing Cybersecurity Risk
- Chuck Drobny (GlobaLogix)
- Society of Petroleum Engineers
- Journal of Petroleum Technology
- Publication Date: November 2013
- Document Type: Journal Paper
- Pages: 122 - 123
- 2013. Copyright is retained by the author. This document is distributed by SPE with the permission of the author. Contact the author for permission to use material from this document.
Worldwide, the cybersecurity threat is real and growing. The oil and gas industry’s technological critical infrastructure has been especially hard-hit, absorbing 40% of all cyber attacks globally. Yet the realities are not resonating effectively with industry executives, because many companies have yet to put comprehensive protection plans into action.
This issue is potentially so devastating that it figuratively shouts for a short course about the chances that companies are taking, what vendors and purported experts are advocating, the grave risks, the unvarnished truth about hackers and company vulnerabilities, and how waiting for disaster is a dead-end choice.
Largely because of their worldwide exploration and production scope and the vast population dependent on energy, oilfield companies cannot simply blend in with the landscape and become unrecognizable as a major cyber target. For example, Telvent, which makes a control system for smart grid networks, was recently hacked. Project files for its supervisory control and data acquisition (SCADA) system were accessed and malware was installed on its network in the attack.
Other attacks have occurred against Saudi Aramco, which required 10 days to get its network back online after a Shamoon Wiper malware cyber attack disabled more than 30,000 workstations in a supposedly politically directed action by a group of hackers called the Cutting Sword of Justice. In a costly move only possible with a sovereign nation, the company sequestered its entire network while determining the cause of attack and fully restoring service. Meanwhile, the Chinese military has been accused of attempts to hack all types of industries, with a particular focus on oil and gas, according to the Mandiant Intelligence Center Report.
This disturbing news has had polar opposite effects. One is that the threat message is not getting through to many oil and gas companies. It is akin to a tree falling in a forest when nobody is there to hear the crash. Conversely, springing into action are vendors, so-called cyber experts, and conferences offering cybersecurity solutions to the executives who are receptive to the message. With this growing demand for both information and installed protection, more companies are taking the cue that they need technical cyber expertise they do not have internally to survive the hacking they may have never expected (“Nobody would attack us. We are too small.”).
When companies do become engaged in seriously protecting their organization and its resources, the budget should not be arbitrary. Rather, it should be allocated on a basis commensurate with the spending on any other insurance or similar budget items. Benchmarking the traditional safety budget is a good approach, since it is typically proportioned over several years based on risks. Similarly, in terms of perspective, physical or plant security offers comparable guidelines in allocating resources to deal with both the threat and its consequences.