Operators, vendors, academics, and government officials offered new insights into meeting the growing incidence of cyber-threats across the industry during the 12th Annual American Petroleum Institute Cybersecurity Conference on 7–8 November in The Woodlands, Texas.
In opening the proceedings, keynote speaker Zach Tudor, associate laboratory director of national and homeland security at the US Department of Energy’s Idaho National Laboratory, said, “We have to kind of redefine the way we approach cybersecurity for critical infrastructure, and … really everything. You understand that there’s no such thing as perfect security. We’re not going to keep everybody out [of our networks].
“How do we operate while being attacked?” he continued. “How do we understand when we’ve been attacked? How do we recover? All of those things are about [system] resilience. … Understanding the cyber effect, combatting and mitigating it, preparing for the response have to be part of our engineering classes.”
In a session on cyberattacks and emerging threats, Michael Leigh, the global head of incident response at consultant NCC Group, said his company sees a lot of ransomware attacks on companies that seek his firm’s help in response.
A lot of times there is nothing that can be done. “They don’t have backups, or if they do have backups, those backups have been overwritten with the ransomware, so it’s reinfection and so on,” Leigh said.
Ransomware attacks occur at businesses of all sizes and types, he said, and “one of the things I started to understand is that this growth is phenomenal.” His firm has looked at all different types of ransomware and how long certain ransomware attack models have been around.
The effort has led him to realize that “it’s not changing, and what I mean by that is they are continuing to use the same tactics, the same methods,” Leigh said. “The only thing that differs is the vulnerability. It’s kind of all the same. And why is it all the same? It’s because we as security people are not forcing adaptation.”
‘Red Queen’ Effect
Leigh explained the situation in terms of evolutionary game theory, citing the “Red Queen” effect in which someone running as fast as possible only remains in place. What is needed is constant adaptation at the cybersecurity level to disrupt the ransomware business model and raise the “bar of entry” into ransomware activity, he said. Raising the bar will force attackers toward more lucrative targets, which typically have many more protective controls.
However, creating that higher bar is very costly “and it requires your executive buy-in,” Leigh said. “We have to start getting these security issues at a board and an executive level because they have a fiduciary responsibility to maintain that level of security, and that’s investment.”
In another session, which dealt with incident response, Justin Harvey, managing director and lead for the FusionX global incident response practice at Accenture Security, noted that a recent survey of companies showed that 43% of the participants believed that their greatest security threat comes from malicious insiders. Additionally, 70% of the companies lack confidence in their internal monitoring process.
Resources companies, including those in oil and gas, may be the most exposed to such threats, Harvey said. Past perceptions that there is no connection between information technology (IT) systems and operational technology (OT) systems are no longer valid.
More Than an IT Problem
“It’s no longer an IT problem,” Harvey said. “Our team was talking to, I think it was the COO of a mega-major oil company, and he said that cyber defense is no longer a digital or an IT problem, it is a health, safety, and environment problem.”
Energy companies are spending an average of 8% of their IT budgets on cybersecurity, which he said was “woefully low.” With the money that companies, governments, and militaries are spending on cybersecurity defense, triage, and response, “they’re doing this without thinking through how are we going to really test the mettle or test our systems and technology and our people?” Harvey said.
For this purpose, his company has established a body called a purple team to provide clients with a testing regimen that combines offensive (red) and defensive (blue) operations in a hyper-realistic format. The exercise simulates a zero-notice engagement with a cyber-adversary, in which the attacked company starts without any advance knowledge of the engagement. It has proven “very successful,” he said.
In a session on cybersecurity enterprise reference architecture, John Kindervag, field chief technology officer at Palo Alto Networks, likened the fight for cybersecurity to the levels of warfare in military theory. The four elements of that approach are grand strategy, strategy, tactics, and operations.
Adopt ‘Zero Trust’
The grand strategy is to stop data breaches, and the strategy for directly accomplishing it is to adopt a “zero trust” practice toward those seeking to use any part of an organization’s system. The tactics supporting the strategy are the tools and technologies that the organization has set up for use, and operations consist of the platforms and policies surrounding the use of those tools and technologies. “In kinetic warfare, if they don’t all harmonize successfully, you lose the war,” Kindervag said.
A grand strategic commitment to stopping data breaches could require new thinking within some organizational areas. For example, he said, many operations people may care more about uptime.
“Hackers don’t have change management; they are always quicker than you are,” Kindervag said. But with a successful system implemented at all levels of cyberwarfare, he concluded, “If they can’t get to the data, they can’t steal it.”