Preparing for a cyber attack
An incident response (IR) plan is a vital component of cybersecurity strategy.
Once an afterthought for oil and gas organizations, cybersecurity is now center stage. Cybersecurity impacts every facet of oil and gas operations, which are now more digital and connected than ever. As such, chief information security officers (CISOs) understand that attacks are inevitable, and what counts today is how organizations respond to threats and their overall level of cyber-readiness.
Cybersecurity has similar traits to physical security. Many people have an alarm system in their house, not to prevent a break-in from occurring, but to immediately alert the house’s occupants, and authorities, when one happens. Further, while everything in a home may have value, the most valuable items are frequently stored in a safe for added protection.
Implementing a cyber attack response plan
Organizations are beginning to think about cybersecurity in the same way. As threats become more sophisticated, companies must acknowledge that attacks can’t necessarily be prevented, but fast response time and a secure environment for the most critical data and assets are key to building a strong cybersecurity position.
According to the SANS Institute’s assessment of ICS security in 2016, 17% more organizations placed blame on hackers, and attributions to organized crime were up 11% compared to 2015. Cybersecurity attacks on energy organizations are more targeted than those on other industries, causing costly damage to operational technology (OT) environments. With an increasing number of connected devices and two distinct operating environments—IT and OT—the oil and gas sector’s greatest challenge is to establish clear and informative guidelines for people and processes during a cyber attack.
Despite having an incident response (IR) plan in place, very few oil and gas organizations run through full simulation exercises of this plan. Simulated exercises can reveal incorrect assumptions made during the IR process and also alert security leaders to gaping holes where there might be missing contacts or protocols that are critical for the IR plan to be successful. Oil and gas organizations must demonstrate that their IR plans are truly effective in the event of a cyber attack.
Running through real-life scenarios as part of an exercise can help companies determine what type of operational flexibility and resiliency are in place and what steps need to be taken to improve them. These steps include:
- Define roles and responsibilities: Following a cyber attack on critical infrastructure, a seemingly well-structured IR plan on paper can turn into chaotic confusion over ownership and actions that need to be taken. One of the biggest differentiators between a successful IR plan and a response plan that fails is the identification of specific roles and responsibilities. As easy as it sounds, in the oil and gas industry, the organizational complexity in upstream operations is massive, particularly when an incident impacts IT, field teams, multiple business units, global regions, and suppliers. As a result, it’s critical for these organizations to break down any assumptions about IR and assign and confirm ownership to secure a successful IR plan.
- Communicate with management: Additionally, keeping executives involved and managing expectations are an important part of an IR plan. With cyber incidents, there is an expectation of communicating within a certain number of hours and notifying stakeholders. The team leader of the IR plan should quickly alert the necessary parties and inform them of immediate next steps. Time is of the essence, and a simulated exercise ensures the communication plan is clear and accurate, and the necessary contact information is in place to bring awareness to all stakeholders.
- Cybersecurity policies and industry standards: There are different standards and requirements within each industry. For example, the aviation industry is one of the most highly regulated industries and has been influential in shaping ideas about what the security standards and processes governing computers and networks can and should look like. Many companies still struggle to define best practices when it comes to security that protects assets such as gas turbine and compressor controls. These assets often have a life span of a decade or longer, require continuous operation, and are more vulnerable than other machines that receive regular updates and patches during frequent maintenance shutdowns. While federal laws are being passed that require organizations to implement reasonable security safeguards that take into account IR plans and response time after incidents, the oil and gas industry could still benefit from looking to other industries, like aviation, that have strict safety guidelines in place.
- Operational flexibility and resiliency: Cyber attacks are part of today’s connected environment, so IR is less about the attack itself than about cyber resiliency. Running through exercises in preparation for cyber incidents will help companies determine what type of operational flexibility and resiliency they have and what steps need to be taken to improve. In addition, service level agreements (SLAs) can help with the IR process, as they often include a procedure for reporting problems, including who can be contacted, how problems will be reported, the procedure for escalation, and what other steps are taken to resolve the problem efficiently. IR times vary according to the priority and severity level assigned to the incident within the SLA, and the SLA can help communicate a clear picture of what is required and how this plan will be executed efficiently.
Oil and gas leaders and investors understand that the cost of capital and the ability to complete critical projects are conditional on their ability to withstand a cyber attack and minimize the impact of a breach. Developing a clear, detailed IR plan and simulating an exercise will help organizations raise awareness about cybersecurity threats and best practices, and create a resilient business culture.
Amolak Gosal is chief information security officer (CISO) at GE Oil & Gas.