ONS: Cybersecurity experts say O&G industry not doing enough
STAVANGER -- While the global oil and gas industry seems to have plenty of innovation and new thinking to show off at ONS this year, there is a group of folks that thinks it is coming up short in one specific area: fighting cybersecurity threats adequately.
In a morning conference session at ONS on Wednesday, a star-studded panel of experts assessed the threat posed to the industry by cyber attacks and what executives still need to do, beyond measures already in place, to address the problem thoroughly. Former Secretary of Homeland Security Michael Chertoff, who served under former President George W. Bush from 2005 to 2009, led off the session. He set the table for the other speakers when he said that “the costly and dynamic nature of cybersecurity threats makes them a top risk for many businesses,” particularly board directors and management. However, he said they often struggle with understanding and responding to the scope of these rapidly changing risks.
Chertoff pointed out that for most boards, cybersecurity is far from a core competency. They are not well-schooled in security measures and this lack of “fluency” can cause indecision or avoidance related to cybersecurity. Too often, executives may resign themselves to a mentality that attacks are unavoidable.
Joe Slowik, whose position at Dragos is described as “adversary hunter,” was up next, and he said that he is concerned that cyber attacks are increasing in their intensity, at the same time that many oil and gas executives seem to have a greater risk tolerance. “Operators need to develop a defense in depth. To say that you are 100% cybersecure is a misnomer. There is no such thing.” Slowik said that industry companies need to build on their “defender advantages.” In other words, defenders have the initial advantage over attackers. They can use a layered defense approach, including making their own people more aware of threats. “The environment is quite concerning,” pleaded Slowik. “Some attacks may be for purposes of theft of intellectual property.”
Leo Simonovich, V.P. and Global Head of Industrial Cyber and Digital Security at Siemens, said that the current wave of digital transformation in the industry is a problem in itself. “At the core of digitalization, is trust,” said Simonovich. “Digitalization creates opportunities and risks. Oil and gas companies have so much to gain from digitalization, but so much to lose from attacks on their infrastructure.” He said the core challenge is how to secure complex infrastructure, and it is more difficult for smaller companies to do so. He recommended that they consider banding together to find solutions. He also recommended that companies invest in “cybertalent.”
Julian Meyrick, V.P. at IBM Security Europe, said three key areas “where we can make a difference” are integration, collaboration and A.I. On the subject of collaboration, Meyrick said that industry companies must do much more together on cybersecurity than they are now. “The bad guys are a hell of a lot better at collaborating than we are.”
Elizabeth Haugsbø, senior cyber engineer at DNV, said that she honors Maersk, which experienced an attack, for the amount of information they gave out to the industry and public after the breach. “Many companies have the inclination to not talk about an attack, but others are quite willing to share, and that’s the mentality that we need more of.” Haugsbø said that “we’ve been far behind the attackers. We’re catching up, but I fear that we will still be behind for a while.”
In previous years, all assets were pretty much protected equally in the industry, and the boards of companies treated cybersecurity as an I.T. problem, noted J. P. Cavanna, Group Head of Cyber Services at Lloyd’s Register. “But cybersecurity is not an I.T. issue, it’s a business issue,” said Cavanna. “Companies don’t need to spend millions of pounds in one ‘go.’ They need to identify what you need to protect and why you need to protect it. And then you can plan a better course forward.”
“There’s one thing that companies can do efficiently, quickly and cheaply,” continued Cavanna, “and that is to utilize an existing resource—us! Employees are a first line of defense.” He said that while the spend on cybersecurity is going up every year, the industry is still having as many problems as ever. “So, we need a change in people’s thinking. They need a better awareness.”
Finishing out the session, and dovetailing back with Chertoff’s introduction of the topic, was the other “star” presenter of the morning, retired General Michael Hayden, who served as director of the U.S. Central Intelligence Agency (CIA) under Presidents George W. Bush and Barack Obama (May 2006 to February 2009). His presentation title was “What is (or should be) the Role of Government, Power and Intelligence.” Hayden described the World Wide Web as “the most ungoverned space in history.” Hayden reminded attendees of the infamous North Korean cyberattack on Sony several years back, remarking that “this was a particularly vile example of vandalism.”
Hayden said that it is no accident that in most of the advanced countries, “the thought leaders on the cyber domain are the folks that handle espionage.” He said it makes sense, when you consider the nature of their daily mission. Hayden pointed out that in 91% of attack cases, whatever vulnerability in a company is exploited is later publicized, so that it can be patched and solved for everyone’s good.
In some final thoughts, Hayden said that in the U.S. government, the handling of cyber matters is no longer just a National Security Agency (NSA) responsibility. Now, it is discussed and handled throughout all government departments. He said that he remains concerned that the U.S. government should be more concerned with cyber deterrence rather than defense.
As an example, he cited a statement made by former Admiral Mike Rogers, who was director of the NSA under Presidents G. W. Bush and Obama (April 2014 to May 2018), as well as the head of the U.S. Cyber Command. Rogers said, “If we don’t change the dynamic here, this is going to continue…This is something that will be sustained over time.” We haven’t “changed the calculus or behavior,” he added, and our adversaries “haven’t paid a price…that’s sufficient to get them to change their behavior.” Hayden said that he is concerned that this mentality still exists in the U.S. administration, whereby officials believe that they can beat cyber attackers into submission by imposing strong penalties. The general said that he thinks officials would be served better by building stronger deterrence in the actual systems of the government, to repel attacks. “As long as there is plenty of money in it, you’re not going to stop people from trying (to attack).”