Q&A: Managing cyber security and technology risks in the energy & natural resources sector
November 2015 | SPECIAL REPORT: ENERGY & NATURAL RESOURCES
Financier Worldwide Magazine
FW moderates a discussion on managing cyber security and technology risks between Mike Gillespie at Advent IM Ltd, Michel de Goede at Alliander, Paul Lowrie at Clyde & Co LLP, and Roberto Minicucci at GE Oil & Gas.
FW: How would you characterise the extent of the cyber security and technological risks currently facing energy & natural resources companies? Is this sector particularly vulnerable to attack?
Gillespie: The risk is significant and we are not certain whether this risk is fully understood, organisationally. Energy companies are a key target for all sorts of attacks including those from nation states, terror groups and hacktivists. They face direct threats but also threats from within the supply chain. One of the risks inherent in energy and other critical national infrastructure (CNI) is legacy systems called into an internet protocol (IP) role, for which they were not designed. Potentially built on obsolete platforms like Windows XP, these systems can be dangerous open doors for attackers. Globalisation of supply chain and functionality also means that greater levels of digital assets need protecting and access points policed. Given the nature of the business, getting this wrong is potentially disastrous and dangerous. It is also worth noting that not all serious risk is technological – 43 percent of businesses surveyed by Intel Security reported data exfiltration by an insider, mostly on CDs and USBs. Half of these were non-accidental. Never forget the risk from your people or your other insiders, like contractors, temps, visitors and the supply chain.
Lowrie: There have been a disproportionate number of cyber attacks concentrated upon energy and power installations. Given that the effects of a successful attack are potentially so extensive, they are an increasingly attractive target for hackers seeking to make a political statement or simply disrupt day to day life and business. Successful examples include the forced shutdown of power stations in the UK and Saudi Arabia and a floating storage and offloading vessel (FSO) operating offshore West Africa. Since companies are generally not required to disclose details of cyber attacks causing physical damage, this is likely to be the tip of the iceberg. Lloyd’s of London has recently estimated that the effects of a multi-site cyber attack on power stations in the Eastern US could result in losses of up to $1 trillion.
Minicucci: The risk is as high as the value of the assets at stake, and the exposure to attacks is wide. Energy companies have enjoyed relative immunity – until automation technology began evolving toward a more collaborative and connected paradigm. This began about 10 years ago and has increased on a larger scale in the last five years. Today, every stakeholder in each organisation wants the ability to receive near-real time information from the plant, whether it be a technician ready to solve an issue from the control room or a plant manager interested in ensuring production KPIs are good. With this ability to receive data comes vulnerability. The energy sector is particularly vulnerable for at least two reasons. Firstly, the assets being targeted have long lifecycles around 20-25 years, which means little to no security was built in. Secondly, there is a cultural gap in that most operating people are not cyber aware, nor perceive the risk until an actual incident occurs.
de Goede: From a technological point of view, energy and natural resources companies face an increased level of risk due to the rising market penetration of solar panels, wind and energy storage systems. This makes customers less dependent on centrally managed infrastructures. As a result of this, the significance of some players in the industry may decline over time while the individual use of solar, wind and storage makes the energy grid less and less vulnerable to threats. Once the Internet of Things is connected to back-end production and transport systems – for example as a result of smart metering – then risk would largely increase. It is the task of the industry to make sure this type of risk does not occur.
FW: Are certain types of attacks seen more frequently within the energy & natural resources sector? Do different types of attack require a different type of response and defence strategy?
Minicucci: It’s not easy to gather accurate data in this sector unless for some reason – such as regulatory constraints or hacktivist attacks – information about attacks is made public. What we know is attacks may occur in many stages, including across the supply chain, during development or integration, commissioning and operations. Common attack vectors are removable media including USB and laptops, phishing, and poor practices during development and commissioning. The consequences may be an increase of maintenance costs, delayed release or invoicing, reduced reliability and IP theft. Different attacks would require different responses, but the common factor for successful incident response is planning. Our key suggestions are, firstly, to define the chain of command. Who is in charge on the scene of the incident? Secondly, staff must also know their tasks. Who do they need to contact? What are the next tasks? Thirdly, make decisions – either do it now or never. There is no luxury of a long decision-making process. Finally, keep people focused. Define the current task and make sure the team is working toward mitigation. If you have no plan, under the pressure of an incident any effort to mitigate is likely going to fail and you will not be in a condition to make proper decisions.
de Goede: Energy and natural resource companies face no other mix of attacks than any ‘regular’ larger sized company – the 14-year-old hacker, the critical hacktivist, organised crime or nation states – that hasn’t already been identified. As the relevance of industry players declines and grids become less vulnerable, training staff on the tips and tricks used by all these groups could raise the bar to a point where the potential gain is no longer worth the effort. Nation states require a whole other level of nationally organised cyber security.
Gillespie: We are told that attacks on the UK’s CNI are relentless and heavy. According to Symantec, computer-system invaders attacked 43 percent of global mining and oil & gas companies at least once last year. Some will be bot-based and random, others keenly targeted and purposeful. These are the ones that are often hard to detect as a great deal of trouble has gone into making the attack successful. That could be engineering a complex spear phish, for instance. Spear phishing is the most comprehensively successful attack method. Once opened and activated, it can then serve a toxic payload and enter a network. This is a lot more damaging than the casual vandalism we see some hacktivists indulge in, like defacing websites or carrying out DDoS attacks, for instance. Many employees don’t recognise a spear phish as they are increasingly well crafted. Our defence strategy must, therefore, take people into account and we have to start funding education and awareness that is targeted and job-specific to all areas of these organisations. Fifteen minutes of online training a year will simply not suffice, if it ever did. Collaboration is very helpful when it comes to defence, and sharing information about attacks can help strengthen each other. This is useful in any form of defence strategy, but is particularly useful in a sector like this.
Lowrie: Whilst the target of cyber attacks on most companies is data theft, energy and natural resources companies face the additional threat of attacks designed to control or damage their physical facilities. These are wholly different threats requiring wholly different responses. Whereas a number of countries, including the US, have put in place legislation requiring companies to disclose details of successful data breaches, there are no such obligations in respect of attacks causing outages or physical damage.
FW: In your opinion, how important is it to achieve board level understanding of the seriousness of the issue? Does the question of cyber security receive the necessary resource allocation among energy & natural resources companies?
Lowrie: Board level understanding is essential, but indications are that it is moving up the agenda. This is no surprise considering that we are starting to see the first wave of claims directly against directors for failing to adequately protect their data and systems. In the US, shareholder derivative actions and books-and-records suits have been launched against a number of companies, and their directors, who have been the subject of high-profile data breaches, including Target, Home Depot and the Wyndham Worldwide Corporation. Such claims would be likely to be many times more serious, and expensive, in the case of energy and natural resources companies where life and property are at stake, rather than just loss of sensitive data.
de Goede: Within the utilities sector in the Netherlands, the full rollout of smart meters that is supposed to begin next year, and the potential cyber security and privacy risk, has helped raise board awareness, which has in turn helped to free up the necessary budgets.
Gillespie: Security needs boardroom oversight and governance in the same way all business functions do. You wouldn’t dream of setting finance or HR policy without board control, would you? In businesses like oil, gas and energy, the target is already on your back and the threat can come from inside as well as outside. Vigilance is vital and you can’t have a genuine robust security culture and posture without boardroom buy-in and support. Understanding your own sector and how others in that sector are affected is also key and intelligence sharing is a potential way to help support security systems and processes. A lack of understanding drives a lack of funding and in turn a lack of education and this is the situation we need to redress as a matter of urgency. This can only come from the board. The lack of board oversight is helping to perpetuate and extend the myth that this is an IT issue, when it is clearly a business issue.
Minicucci: Unless cyber security makes its way routinely into the boardroom there is little chance of successful programme implementation. To this purpose, it is prudent to include cyber in the enterprise risk management deck and bring it to the attention of senior executives. In recent years there has been a substantial increase in the attention devoted to cyber from the board in the energy vertical. Undoubtedly, some sectors are more advanced than others, but the situation has vastly improved. It is important now to keep this pace and focus, given the challenge and the technological and cultural delays that this vertical has accumulated over the years.
FW: To what extent could improvements to the quality of a company’s Industrial Control Systems (ICS) equipment help to reduce the risk of a cyber attack? Do such systems generally require significant reconfiguration to withstand the cyber security threats that exist today?
Gillespie: These systems need to be protected with the same level of care and attention that corporate systems enjoy. So they need to be brought into the loop of software updating, patching and anti-malware updating. They should be looked at very closely if they are running on obsolete platforms such as Windows XP. Some of these systems were never meant to be IP leveraged and that needs to be borne in mind when considering how best to protect them. We can’t really reduce the risk of a cyber attack; we can, however, reduce its impact or successfully protect our assets from it. If you live in an area where burglary is common, you can’t stop burglars trying but you can protect your home and contents with quality systems and sensible behaviour to reduce the risk you will be impacted by your environment. SCADA and ICS are notorious for vulnerability and offer attackers a less protected route in. That system may or may not be the target system but damage can be caused and physical threat realised, such as we saw in Germany before Christmas 2014, when an attack on steel mill ICS saw the blast furnaces compromised and the system unable to shut them down before significant damage had been done and risk to life realised.
Lowrie: It is well known that the ICS equipment used in many energy and power facilities is relatively unsophisticated, and often outdated. Upgrading such systems, however, is often difficult because they are designed to be always-on and therefore software is only upgraded or patched on an infrequent basis.
Minicucci: Cyber security can be considered an attribute of quality – high quality systems, designed according to robust engineering practices are very likely to show a better security posture. Designed-in security with a layered defence approach is what the industry has adopted as most effective when it comes to security. At the same time, we have to assume that a network breach has already happened or will surely happen, so our goal is also to try to minimise the impact of such a breach. The ultimate defence layer must reside in the design of the component itself. Whether it be integrity checks, traffic pattern baselining, trusted platform module (TPM) approaches or advanced application security techniques, the ICS itself must have been designed with such defences. Reconfiguration is sometimes possible, other times compensating technical and procedural measures must be put in place, and still other times an upgrade might be required. Most importantly, expertise in an ICS partner is critical as it’s important to establish a trust relationship, and be able to address specific customer pain points with solutions that work with the overall plant assets instead of simply providing a product that would end up creating other issues.
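Traffic pattern baselining, one of the designed-in defences named in the answer above, in an added example that is not GE Oil & Gas’s code nor that of any participant: it learns the normal conversations on a small ICS segment from a known-good window of flow records, then flags live flows that introduce a new talker, a new protocol or port between known hosts, or an unusual byte volume on a known conversation. The flow log format, the addresses, the ports (502 for Modbus/TCP and 44818 for EtherNet/IP) and the byte counts are all constructed assumptions for the illustration.

```python
"""Traffic-pattern baselining for a small ICS network segment.

Added example, not vendor code. Input is a constructed flow log in the
form "epoch,src,dst,proto,dport,bytes"; hosts and values are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed known-good learning window: an HMI (10.1.0.10) polling two
# PLCs over Modbus/TCP and an engineering station (10.1.0.20) talking
# EtherNet/IP to one of them.
BASELINE_LOG = """\
1000,10.1.0.10,10.1.0.50,tcp,502,420
1010,10.1.0.10,10.1.0.51,tcp,502,415
1020,10.1.0.10,10.1.0.50,tcp,502,430
1030,10.1.0.10,10.1.0.51,tcp,502,410
1040,10.1.0.20,10.1.0.50,tcp,44818,1200
1050,10.1.0.20,10.1.0.50,tcp,44818,1180
1060,10.1.0.10,10.1.0.50,tcp,502,425
1070,10.1.0.10,10.1.0.51,tcp,502,418
"""

# Constructed live traffic: one normal poll, an unknown host polling a
# PLC, an oversized transfer from the HMI, a normal EtherNet/IP flow and
# the HMI opening SSH to a PLC.
LIVE_LOG = """\
2000,10.1.0.10,10.1.0.50,tcp,502,422
2010,10.1.0.77,10.1.0.50,tcp,502,390
2020,10.1.0.10,10.1.0.51,tcp,502,9000
2030,10.1.0.20,10.1.0.50,tcp,44818,1190
2040,10.1.0.10,10.1.0.50,tcp,22,3100
"""


def parse_flows(text):
    """Parse 'epoch,src,dst,proto,dport,bytes' lines into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def conversation(flow):
    """The tuple that identifies one recurring conversation."""
    return (flow["src"], flow["dst"], flow["proto"], flow["dport"])


def build_baseline(flows):
    """Per-conversation byte statistics from a known-good learning window."""
    samples = defaultdict(list)
    for f in flows:
        samples[conversation(f)].append(f["bytes"])
    return {key: {"mean": mean(v), "stdev": pstdev(v), "n": len(v)}
            for key, v in samples.items()}


def check_flows(flows, baseline, sigma=3.0, floor=0.25):
    """Flag flows that deviate from the baseline.

    new_source : a source host never seen in the learning window
    new_service: a known source, but a peer/protocol/port it never used
    volume     : a known conversation carrying far more bytes than usual
    The volume limit is mean + sigma * max(stdev, floor * mean); the floor
    keeps a few near-identical samples (stdev close to zero) from turning
    normal jitter into alerts.
    """
    known_hosts = set()
    for src, dst, _, _ in baseline:
        known_hosts.update((src, dst))
    alerts = []
    for f in flows:
        key = conversation(f)
        if key in baseline:
            stats = baseline[key]
            limit = stats["mean"] + sigma * max(stats["stdev"], floor * stats["mean"])
            if f["bytes"] > limit:
                alerts.append({"ts": f["ts"], "kind": "volume", "flow": key,
                               "detail": f"{f['bytes']} bytes, limit {limit:.0f}"})
        elif f["src"] not in known_hosts:
            alerts.append({"ts": f["ts"], "kind": "new_source", "flow": key,
                           "detail": "source host not present in learning window"})
        else:
            alerts.append({"ts": f["ts"], "kind": "new_service", "flow": key,
                           "detail": "known source, unseen peer/protocol/port"})
    return alerts


def run_example():
    """Learn from the constructed window, then check the constructed live log."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return check_flows(parse_flows(LIVE_LOG), baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert["ts"], alert["kind"], alert["flow"], alert["detail"])
```

On a real plant the learning window would come from a SPAN port or flow export rather than a string, and the baseline has to be rebuilt after any legitimate change (commissioning, a new engineering station, a firmware rollout), otherwise every such change reads as an attack. The deliberately simple statistics are the point: a control network is regular enough that a new talker or a new port between known hosts is itself the signal, before any volume threshold is needed.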
de Goede: ICS systems are more vulnerable to exploits and attacks than IT systems. Therefore, if a reasonable security baseline cannot be guaranteed – and we might have to wait a little while for this to happen – isolation remains a decent strategy. For energy and natural resources companies, most of their assets are somewhere out in the open and can more easily be accessed than their ICS systems. Hence security starts with network topology; if energy is routed like the internet, breaking one or two lines has no impact.
FW: How should an energy or natural resources company initially respond if it finds itself the victim of a cyber attack? What steps need to be taken at the outset?
Minicucci: There are technical steps and programme management steps. Forensics and detailed analyses are not the number one priority during a crisis. Instead, it is critical to be able to make fast decisions on what should and should not be done. For an effective response you should firstly have a clear picture of what is at stake. Do you have an updated inventory of installed systems including details on hardware and software components? Secondly, you should be able to detect that an incident has actually occurred. Do you have routine controls in place, both procedural and technical? Thirdly, know who you need to contact. Have resource contact information ready to go for incident response. Finally, know what actions to take. Have a plan with everyone ready to execute their part. Root cause analyses and lessons learnt will then be part of the process as well. Depending on the case, this can be handled internally by the company or by a specialist third party.
Lowrie: The first issue will be to determine whether or not a cyber attack has taken place. In the case of data breach it may be months or even years before the loss is noticed. In the case of an outage or physical damage, the effects will be felt immediately but it may not be known that it was caused by a cyber attack. It is essential that cyber attack is considered when performing a root cause analysis of an incident, otherwise data evidencing the breach may be lost and the true cause may never be identified. As soon as a cyber attack is identified, it is important to determine what damage has been caused or data breached, and whether any statutory or regulatory notifications are triggered. In addition, if a cyber attack is suspected and the company has cyber insurance, the company should immediately notify its insurers, who will typically recommend that the company engage lawyers to ensure that the company is doing everything possible to comply with its obligations and minimise disruption. Engaging lawyers early on in the investigation process is prudent – not only will counsel advise on the company’s reporting obligations and legal exposure, they will also ensure that the forensic investigation into the cause and extent of the attack is protected by legal privilege.
de Goede: It is of primary concern to have the right allies and trained staff with the mindset of hackers. This means that incidents may be identified early due to the monitoring activities of your SOC, while your partners may help you divert or defend against a DDoS, for example. Hacking communities may have more time on their hands, which is a factor that you might want to hedge against by upping your level of professionalism and expanding your professional network.
Gillespie: Detect and contain first of all, then monitor and assess what the attack is doing or attempting to do. Having protective monitoring in place is vital and don’t just look at corporate systems, protect anything that is networked. If the worst happens, learn from it and communicate it appropriately; pretending it hasn’t happened is a route to reputational harm and ultimately helps no one. Make sure you have an incident response plan and an incident response team who know what to do and when. There is no point spending valuable budget on superb detection capability if nothing happens once it is detected. Use the information you gather from your incident to build your forensic readiness. Forensic readiness is knowing an attack is inevitable and being prepared for it. You have to have a strategy and from that your plan is derived, based upon genuinely understood, rather than perceived, risk. We need to be confident in our defences, but not arrogant, and understand there is always the possibility our defences could be breached. When dealing with these incidents you need fast time reporting to warn your community about the potential attack. So detect the attack and contain it, gather information, learn from it and share it.
FW: How should an energy or natural resources company experiencing a data breach communicate the situation to suppliers and other business partners? What steps should it take to contain reputational impact and maintain trust?
Lowrie: Effective communication is crucial in order to mitigate the effects of a cyber attack. Many companies would want to inform suppliers and business partners on a voluntary basis, but contracts often contain warranties obliging companies to inform their counterparties if they are the target of a cyber attack and failure to follow such warranties could result in substantial damages. The first reaction when faced with a cyber attack is often to apologise and promise that steps are being put in place to prevent such an incident from happening in the future. It is essential that any promises can be met; an overly optimistic promise made in the heat of a crisis could have a disastrous effect on the company’s perceived trustworthiness, as well as opening up the possibility of further legal claims.
Minicucci: There should be an established communication framework between suppliers, acquirer, partners and customers, which articulates what needs to be communicated and how. The message must be clear and consistent. Also, depending on the data compromised – or assumed to be – different state law obligations may apply and require different actions. For a trusted and effective communication you should state your commitment to security and privacy, be candid about the incident without revealing secure information, outline the impact or assumed impact of the breach, explain what is being done to resolve the issue through immediate actions and plan, reiterate your commitment to support customers and stay on the forefront to prevent future breaches, and be prepared to answer customers’ questions in a consistent, unambiguous way, through predefined channels.
Gillespie: It is absolutely vital there is an effective communications plan. You have to advise your supply chain and partners as soon as possible, as they are potential victims. The timelier the communication, the better the chance there is of controlling or limiting reputational harm. The longer you take to talk about your breach, the greater the reputational harm you suffer. The quicker people are informed, the quicker remedial action can be taken and the minimisation of harm can be assured. We have a responsibility to each other now, as we are all connected and an attack on one is a potential attack on all. This effective and timely communication should form part of an incident response plan. Have a team member assigned to ensure this is performed in the manner prescribed in the strategy.
de Goede: In the event of a data breach the communications department should directly declare to all relevant stakeholders what has happened, who is impacted and by how much, and what remediating actions the company is taking to get back to business as usual.
FW: What final piece of advice would you give to energy & natural resources companies in terms of mitigating the cyber security risks they face?
de Goede: Most companies only use barrier enhancement strategies to address cyber security. That is expensive and will become more and more difficult in a world that is more and more intertwined. It is more efficient to also consider other risk strategies such as transfer through insurance and mitigating the level of impact or the probability of occurrence. Ignoring the problem is not a valid option here.
Minicucci: Think of security not only as a risk but also as an opportunity. By having the right programmes and processes in place, cyber security can be approached in a structured manner through the following steps. Firstly, ensure the cyber risk is treated as an enterprise risk. Secondly, it is important to establish a cyber security culture, which approaches security holistically through attention to people, processes and technology. Attention should be provided to cyber security policy, system secure development lifecycles, incident response plans, training, tools and more. Finally, ensure these procedures are ingrained into a complex engineering framework. They must show up just as tasks to be completed, whether it is about supply chain cyber security checks, configuration, integration, FAT, commissioning or any other phase as appropriate.
Gillespie: Boardrooms need to understand the threat and the resulting risk and they need to be building a culture of security awareness. Cyber security needs to be resourced as an investment and not a grudge purchase. Employees need to be well trained and regularly updated in a manner to reflect their role, and attention needs to be paid to non-corporate networks and legacy systems that need adequate protection from attackers too. Warning Advice Reporting Points (WARPs) are an excellent way of communicating the threat and any incidents to neighbours or supply chain partners.
Lowrie: Don’t forget the human element. While it is essential that energy and natural resources companies invest in their network infrastructure, improving the awareness of employees and suppliers is crucial to protecting against cyber attacks. The majority of successful cyber attacks still start from phishing emails, or even the well-known trick of a branded USB stick left in the company’s car park.
Mike Gillespie is the managing director of Advent IM Ltd. He is also director of Cyber Strategy and Research for The Security Institute and a member of the CSCSS Global Cyber Strategy Select Committee. Mr Gillespie is a security professional and CLAS (the CESG Listed Advisor Scheme – CESG is the technical arm of GCHQ) consultant of many years’ standing. He can be contacted on +44 (0)121 559 6699 or by email: firstname.lastname@example.org.
Michel de Goede is the strategy consultant at Alliander where he advises general and IT management about the consequences of market developments, investments, divestments and innovation. Mr de Goede also focuses on international start-ups, M&A plans and due diligence – creating sound models for financial planning and valuation. He can be contacted on +31 (0)615 159 459 or by email: email@example.com.
Paul Lowrie is a legal director in the energy team of Clyde & Co LLP, based in London. His practice centres on insurance coverage issues and commercial disputes relating to upstream and downstream energy, power, wind farms (offshore and onshore), engineering, marine and construction. He can be contacted on +44 (0)20 7876 5000 or by email: firstname.lastname@example.org.
Roberto Minicucci is the principal cyber security engineer at GE Oil & Gas and works on a variety of topics including remote monitoring & diagnostics, secure development lifecycle, regulatory and standards compliance for industrial automation, supply chain risk management, security assessments, and training. He can be contacted on +39 055 4263 4000 or by email: email@example.com.
© Financier Worldwide