The war in Ukraine has highlighted the role that cyber plays in modern warfare. Some of these tactics are poised to impact the oil and gas industry. Get ready.
A Panel Discussion
On May 3, I will be chairing a panel discussion on cyber issues with a focus on the oil and gas industry. It’s helpful to keep cyber topics front and center in normal times because the threat of cyber is real and present. The most recent high-profile attack on oil and gas was on Colonial Pipeline; however, the operating landscape for oil and gas has worsened considerably. Not from a price standpoint—good news there—but from a business resilience and integrity point of view.
Here’s a précis of the discussion, which I hope you can take in.
War and Cyber
Years ago, I worked with a former Canadian soldier who served with a United Nations peacekeeping force as a maintenance officer in the former Yugoslavia. His military training had infused in him lots of interesting habits and perspectives. One of his sayings has always stayed with me: ‘never be late. You might get hit by your own artillery’. In war, soldiers need to synchronise their watches and align their maps so that when the 10 am bombardment kicks off, they are out of harm’s way.
Those of us outside the broad military complex know intuitively that a key goal in any military action is to maintain your ability to communicate your bombardment plans to your people, and at the same time disrupt the opponent’s ability to intercept your plans and communicate effectively with their side. With telecoms now digital, and with much military kit also besuited with sensors and analytics, warfare is quickly becoming a virtual cage match of cyber skills.
A few cyber stories from the war have been confronting:
- Anonymous, that infamous group of hackers, have trained their sights on Russia, hacked into the military systems, and skimmed off the personal details (names, addresses) of all the soldiers fighting for Russia. Imagine being on this list for your lifetime—questioned at airports about your role in the war and possible war crimes.
- Russian soldiers who have stolen phones as war prizes have been tracked using features like ‘find my phone’ back to their bases, giving Ukraine valuable information about troop movements.
- Ukraine forces have hacked into cell phone calls by the Russians and captured details about troop movements, campaigns, and tellingly, voice evidence of possible war crimes.
- Starlink has sent hundreds of satellite transponders to help Ukraine maintain its communications network in the event that the invaders bomb the cell phone network.
- Ukraine has hundreds of volunteer IT professionals who are turning their talents to waging cyber war against the aggressor.
This is what’s been reported. You can bet that much else is going on that is simply too sensitive to release.
The Long Term Implications
Russia’s control of their media blocks any news of the impacts that cyber attackers are having on their country, but certainly a key target of the hacker world is Russia’s oil and gas infrastructure. Oil exports are financing the Russian war machine, to the tune of $10b per month, and to help economic sanctions achieve their ends, hackers will be trying hard to break into control rooms, take over SCADA equipment, inject false machine readings into network data feeds, and shut down any automated equipment.
Western hackers, who have access to the latest digital tools like machine learning, robotic process automation, and artificial intelligence platforms, are honing their skills in devising and carrying out new attacks. These new tools and techniques are highly likely to migrate to the dark web where they will be used by criminal groups and state actors to carry out cyber attacks against any oil and gas company.
In other words, the bar has just been raised.
Four Discussion Topics
The panel is going to sort through four themes.
Appropriately, the first theme is Board Engagement. Boards play an important oversight role in cyber, and it’s important that Boards be abreast of relevant cyber developments.
WHAT IS THE CURRENT LEVEL OF BOARD AWARENESS OF CYBER ISSUES? ARE BOARDS ADEQUATELY ABREAST OF CYBER RISKS?
Boards are regularly briefed on cyber attacks, and many a company has had to deal with successful ransomware events, as with Colonial. However, the threat landscape has changed permanently and the techniques that will prove out in Europe will eventually be used against western companies. I’m certain Boards are discussing topics like trade flows, pricing, and expansion opportunities, but what about cyber?
HOW ARE BOARDS ENSURING THAT THEY HAVE ADEQUATE CYBER KNOWLEDGE REPRESENTED ON THE BOARD?
It is good governance practice that Boards have depth in their ranks on the most critical aspects of the business—finance, legal, capital markets, ESG—but cyber is typically an IT topic buried under the CIO, who in many instances reports to the CFO. Board chairs must put in motion additional actions to keep the Board abreast of how the landscape is changing.
WHAT ARE THE BEST PRACTICES IN ENGAGING THE BOARD?
Board agendas are crowded, and boards meet infrequently (perhaps quarterly). A 15-minute ‘here’s the news’ briefing is inadequate, in my view. To bring boards up to speed requires innovative solutions like a simulated ransomware attack, a site visit to a cyber lab, a lecture from a former military cyber professional, or a joint board session with another industry’s board, such as fintech or technology.
The second theme is cyber hygiene. With the cyber world able to leverage the same clever technologies as industry (cloud, robots, big data), and with the growth in attack capabilities, cyber hygiene is a moving target.
WHAT EXACTLY IS CYBER HYGIENE? HOW IS HYGIENE DIFFERENT BETWEEN IT, OPERATIONS TECHNOLOGY, AND DIGITAL?
Hygiene refers to the kinds of practices that companies employ to keep cyber defences at the ready—situational awareness, detection, combat, mitigation, recovery. Employees are trained to be suspicious of attachments on email, and many IT shops ban access to Google products like Drive and YouTube. But as emphasis shifts to digital tools (apps on phones) and operational systems (sensors on pumps), hygiene takes on new meaning.
HOW HAS THE MINIMUM HYGIENE BASELINE SHIFTED OVER TIME?
Two-factor authentication (your password entry is followed by a code delivered to your email, mobile phone or Authenticator app) is now widespread, as is biometric access (fingerprints, voice print, facial identification), but these are impractical in a field setting, or not available in operations. New techniques are coming.
WITH QUANTUM COMPUTING ON THE HORIZON, WHAT WILL BE THE NEW MINIMUM HYGIENIC PRACTICE FOR STANDARD TECHNIQUES LIKE DATA ENCRYPTION?
Quantum computing will be sufficient to crack all but the most modern encryption techniques, including those protecting all the encrypted data that has already been stolen. Industry will have to reset its hygiene baseline to respond.
The third theme is the risks from convergence. Convergence refers to integrated IT and OT, which introduces new cyber risks to be managed.
HOW COMMON IS IT/OT CONVERGENCE IN ENERGY? WHAT ABOUT OTHER INDUSTRIES?
Many energy businesses have come to the conclusion that they need to combine their IT organizations with their operations technology teams. Digital innovations are providing impetus to this move since some business analytic needs work optimally when IT and OT are combined. Not to mention the convergence in underlying technologies, such as cloud computing, telecoms and mobile devices.
HOW HAS CYBER RISK MANAGEMENT DIFFERED BETWEEN IT AND OT, AND WHAT NEW RISKS COME ABOUT WHEN THESE FUNCTIONS ARE MERGED?
The IT world is far more open source and open access than closed OT shops. Consider how open the internet is, compared to a SCADA system toiling away in some remote doghouse. Legacy SCADA systems, and there are lots of them, were never meant to be patched, lack intrusion detection, and may not even have passwords. Think security by obscurity.
The final theme is risk management. Managing cyber risks is an evolving field as the cyber world evolves, globalises and automates.
HOW DO YOU DEFINE RISK MANAGEMENT FOR CYBER?
It is simplistic to treat cyber risk management like other risk management problems. In oil and gas, the business identifies its risks, assesses impacts, assigns probabilities, and develops mitigations for the most concerning. Cyber requires a broader model that includes workforce awareness and training; cyber-resilient IT and OT architecture; mechanisms for monitoring cyber activity, detecting intrusions, and recovery planning; communications and public relations; insurance; Board and related governance; and risk scouting.
WHICH INDUSTRIES ARE LEADERS IN ASSESSING AND MANAGING CYBER RISKS?
You would think that banks would be pretty good at cyber. As Bonnie and Clyde used to say, you rob banks because that’s where the money is. The entertainment industry, which holds a lot of private consumer data, was under chronic attack a few years ago and seems to have dropped off the radar. The panel will consider the nature of leadership in cyber and which industries find themselves in the unenviable pole position.
The cyber world is evolving very quickly and the baseline of what constitutes good practice has shifted permanently. Energy companies need to up their game to maintain pace. Be sure to attend the panel discussion so that you can be up to date on the latest in cyber considerations.
Check out my latest book, ‘Carbon, Capital, and the Cloud: A Playbook for Digital Oil and Gas’, available on Amazon and other on-line bookshops.
You might also like my first book, ‘Bits, Bytes, and Barrels: The Digital Transformation of Oil and Gas’, also available on Amazon.